@nice-code/action 0.21.0 → 0.22.0

package/build/httpAcceptorCarrier-DL8lf0xB.mjs

@@ -0,0 +1,3906 @@
+import "./RunningAction.types-C176rqHG.mjs";
+import { nanoid } from "nanoid";
+import { NiceError, castNiceError, err, err_nice, isNiceErrorObject } from "@nice-code/error";
+import { extractMessageFromStandardSchema } from "@nice-code/common-errors";
+import { runtime } from "std-env";
+import { ClientCryptoKeyLink, createTypedStorage } from "@nice-code/util";
+import * as v from "valibot";
+import { pack, unpack } from "msgpackr";
+const UNSET_RUNTIME_ENV_ID = "_unset_";
+//#endregion
+//#region src/ActionRuntime/utils/runtimeCoordinateToStringIds.ts
+function runtimeCoordinateToStringIds(coordinate) {
+	return [
+		`envId[${coordinate.envId}]perId[${coordinate.perId ?? "_"}]:insId[${coordinate.insId ?? "_"}]`,
+		`envId[${coordinate.envId}]perId[${coordinate.perId ?? "_"}]:insId[_]`,
+		`envId[${coordinate.envId}]perId[_]:insId[_]`
+	];
+}
+//#endregion
+//#region src/ActionRuntime/RuntimeCoordinate.ts
+var RuntimeCoordinate = class RuntimeCoordinate {
+	envId;
+	perId;
+	insId;
+	static get unknown() {
+		return new RuntimeCoordinate({ envId: UNSET_RUNTIME_ENV_ID });
+	}
+	static env(envId) {
+		return new RuntimeCoordinate({ envId });
+	}
+	withPersistentId(perId) {
+		return this.specify({ perId });
+	}
+	constructor({ envId, perId, insId }) {
+		this.envId = envId;
+		this.perId = perId;
+		this.insId = insId;
+	}
+	specify(specifics) {
+		return new RuntimeCoordinate({
+			envId: this.envId,
+			perId: this.perId,
+			insId: this.insId,
+			...specifics
+		});
+	}
+	specifyIfUnset(specifics) {
+		return new RuntimeCoordinate({
+			envId: this.envId,
+			perId: this.perId ?? specifics.perId,
+			insId: this.insId ?? specifics.insId
+		});
+	}
+	toJsonObject() {
+		return {
+			envId: this.envId,
+			perId: this.perId,
+			insId: this.insId
+		};
+	}
+	isExactlySame(other) {
+		return this.envId === other.envId && this.perId === other.perId && this.insId === other.insId;
+	}
+	isSameFor(other) {
+		return {
+			id: this.envId === other.envId,
+			perId: this.envId === other.envId && this.perId === other.perId,
+			insId: this.envId === other.envId && this.perId === other.perId && this.insId === other.insId
+		};
+	}
+	similarityLevel(other) {
+		const sameFor = this.isSameFor(other);
+		if (sameFor.insId) return 3;
+		if (sameFor.perId) return 2;
+		if (sameFor.id) return 1;
+		return 0;
+	}
+	get stringId() {
+		return `envId[${this.envId}]perId[${this.perId ?? "_"}]:insId[${this.insId ?? "_"}]`;
+	}
+	/**
+	* Takes the "Runtime Coordinate" and generates a list of full coordinate IDs representing the runtime
+	* with decreasing levels of specificity.
+	*
+	* The first full coordinate ID is the most specific (including instance ID), while the last ID is
+	* the least specific (only environment ID).
+	*
+	* Example output for a RuntimeCoordinate with envId "web_app", perId "user123", and insId "instance456":
+	* [
+	*   "envId[web_app]perId[user123]:insId[instance456]",
+	*   "envId[web_app]perId[user123]:insId[_]",
+	*   "envId[web_app]perId[_]:insId[_]"
+	* ]
+	*
+	* @returns a list of "full" runtime coordinate IDs with decreasing accuracy for targeting a runtime.
+	*/
+	toStringIds() {
+		return runtimeCoordinateToStringIds(this);
+	}
+};
+//#endregion
+//#region src/ActionDefinition/Action/ActionBase.ts
+var ActionBase = class {
+	form;
+	_domain;
+	id;
+	domain;
+	allDomains;
+	schema;
+	constructor(form, _domain, id) {
+		this.form = form;
+		this._domain = _domain;
+		this.id = id;
+		this.domain = _domain.domain;
+		this.allDomains = _domain.allDomains;
+		this.schema = _domain.actionSchema[id];
+	}
+	toJsonObject() {
+		return {
+			form: this.form,
+			domain: this.domain,
+			allDomains: this.allDomains,
+			id: this.id
+		};
+	}
+	toJsonString() {
+		return JSON.stringify(this.toJsonObject());
+	}
+};
+//#endregion
+//#region src/ActionDefinition/Action/Payload/ActionPayload.ts
+var ActionPayload = class extends ActionBase {
+	form = "data";
+	type;
+	context;
+	time;
+	constructor(context, type, data) {
+		super("data", context._domain, context.id);
+		this.context = context;
+		this.type = type;
+		this.time = data.time;
+	}
+	toBaseJsonObject() {
+		return {
+			...super.toJsonObject(),
+			type: this.type,
+			context: this.context.toContextDataJsonObject(),
+			time: this.time
+		};
+	}
+};
+//#endregion
+//#region src/utils/hashPayloadData.ts
+function stableStringify(value) {
+	if (value === null || value === void 0) return String(value);
+	if (typeof value !== "object") return JSON.stringify(value) ?? "undefined";
+	if (Array.isArray(value)) return `[${value.map(stableStringify).join(",")}]`;
+	return "{" + Object.keys(value).sort().map((k) => `${JSON.stringify(k)}:${stableStringify(value[k])}`).join(",") + "}";
+}
+function fnv1a32(str) {
+	let hash = 2166136261;
+	for (let i = 0; i < str.length; i++) hash = (hash ^ str.charCodeAt(i)) * 16777619 >>> 0;
+	return hash.toString(16).padStart(8, "0");
+}
+/**
+* Produces a deterministic 8-char hex hash of any JSON-serializable value.
+* Useful for grouping/comparing action inputs, outputs, and progress payloads.
+*/
+function hashPayloadData(data) {
+	return fnv1a32(stableStringify(data));
+}
+//#endregion
+//#region src/ActionDefinition/Action/Payload/ActionPayload.types.ts
+let EActionPayloadType = /* @__PURE__ */ function(EActionPayloadType) {
+	EActionPayloadType["request"] = "request";
+	EActionPayloadType["progress"] = "progress";
+	EActionPayloadType["result"] = "result";
+	EActionPayloadType["stream"] = "stream";
+	EActionPayloadType["push"] = "push";
+	return EActionPayloadType;
+}({});
+/**
+*
+*  [ PROGRESS ]
+*
+*/
+let EActionProgressType = /* @__PURE__ */ function(EActionProgressType) {
+	EActionProgressType["none"] = "none";
+	EActionProgressType["percentage"] = "percentage";
+	EActionProgressType["custom"] = "custom";
+	return EActionProgressType;
+}({});
+//#endregion
+//#region src/ActionDefinition/Action/Payload/ActionPayload_Progress.ts
+var ActionPayload_Progress = class extends ActionPayload {
+	progress;
+	constructor(params, progress, data) {
+		super(params.context, "progress", data);
+		this.progress = progress;
+	}
+	toJsonObject() {
+		return {
+			...this.toBaseJsonObject(),
+			progress: this.progress
+		};
+	}
+	toJsonString() {
+		return JSON.stringify(this.toJsonObject());
+	}
+	toHttpResponse() {
+		return new Response(this.toJsonString(), {
+			status: 200,
+			headers: { "Content-Type": "application/json" }
+		});
+	}
+};
+//#endregion
+//#region src/ActionDefinition/Action/Payload/ActionPayload_Result.ts
+var ActionPayload_Result = class extends ActionPayload {
+	result;
+	outputHash;
+	constructor(params, result, data) {
+		super(params.context, "result", data);
+		this.result = result;
+		this.outputHash = result.ok ? hashPayloadData(this.context.schema.serializeOutput(result.output)) : hashPayloadData(result.error.message);
+	}
+	toJsonObject() {
+		const wireResult = this.result.ok ? {
+			ok: true,
+			output: this.context.schema.serializeOutput(this.result.output)
+		} : this.result;
+		return {
+			...this.toBaseJsonObject(),
+			result: wireResult,
+			outputHash: this.outputHash
+		};
+	}
+	toJsonString() {
+		return JSON.stringify(this.toJsonObject());
+	}
+	toHttpResponse({ useErrorStatus = true } = {}) {
+		return new Response(this.toJsonString(), {
+			status: this.result.ok ? 200 : useErrorStatus ? this.result.error.httpStatusCode : 500,
+			headers: { "Content-Type": "application/json" }
+		});
+	}
+};
+//#endregion
+//#region src/ActionDefinition/Action/Payload/ActionPayload_Request.ts
+var ActionPayload_Request = class extends ActionPayload {
+	input;
+	inputHash;
+	_callSite;
+	constructor(params, input, data) {
+		super(params.context, "request", data);
+		this.input = input;
+		this.inputHash = hashPayloadData(this.context.schema.serializeInput(input));
+	}
+	successResult(...args) {
+		const output = args[0];
+		const finalOutput = this.context.schema.validateOutput(output, {
+			domain: this.domain,
+			actionId: this.id
+		});
+		return new ActionPayload_Result(this, {
+			ok: true,
+			output: finalOutput
+		}, { time: Date.now() });
+	}
+	errorResult(err) {
+		return new ActionPayload_Result(this, {
+			ok: false,
+			error: err
+		}, { time: Date.now() });
+	}
+	progress(progress) {
+		return new ActionPayload_Progress(this, progress, { time: Date.now() });
+	}
+	toJsonObject() {
+		return {
+			...super.toBaseJsonObject(),
+			input: this.context.schema.serializeInput(this.input),
+			inputHash: this.inputHash
+		};
+	}
+	toJsonString() {
+		return JSON.stringify(this.toJsonObject());
+	}
+	async runToOutput(options) {
+		const result = await (await this.run(options)).waitForResultPayload();
+		if (result.result.ok) return result.result.output;
+		throw result.result.error;
+	}
+	async runToResultPayload(options) {
+		return (await this.run(options)).waitForResultPayload();
+	}
+	async run(options) {
+		if (this._callSite == null) this._callSite = (/* @__PURE__ */ new Error()).stack;
+		return this._domain.runAction(this, options);
+	}
+};
+//#endregion
+//#region src/ActionDefinition/Action/RunningAction.ts
+var RunningAction = class {
+	_state;
+	context;
+	cuid;
+	id;
+	_domain;
+	domain;
+	allDomains;
+	parentCuid;
+	callSite;
+	_resultPayloadPromise;
+	_resolveResult;
+	_rejectResult;
+	_isAborted = false;
+	_updates = [];
+	_updateListeners = [];
+	constructor(initialState) {
+		this.context = initialState.context;
+		this.cuid = initialState.context.cuid;
+		this.id = initialState.context.id;
+		this.domain = initialState.context.domain;
+		this.allDomains = initialState.context.allDomains;
+		this._domain = initialState.context._domain;
+		this.parentCuid = initialState.parentCuid;
+		this.callSite = initialState.callSite;
+		this._resultPayloadPromise = new Promise((resolve, reject) => {
+			this._resolveResult = resolve;
+			this._rejectResult = reject;
+		});
+		this._resultPayloadPromise.catch(() => {});
+		this._state = {
+			request: initialState.request,
+			progress: initialState.progress ?? [],
+			result: initialState.result
+		};
+		this._sendUpdate({
+			type: "started",
+			runningAction: this,
+			time: Date.now()
+		});
+	}
+	get state() {
+		return this._state;
+	}
+	abort(reason) {
+		this._abort(reason);
+	}
+	addUpdateListeners(listeners) {
+		this._updateListeners.push(...listeners);
+		for (const event of this._updates) for (const listener of listeners) listener(event);
+		return () => {
+			for (const listener of listeners) {
+				const i = this._updateListeners.indexOf(listener);
+				if (i !== -1) this._updateListeners.splice(i, 1);
+			}
+		};
+	}
+	async *iterateUpdates() {
+		const queue = [];
+		let resolveWaiter = null;
+		const unsubscribe = this.addUpdateListeners([(event) => {
+			queue.push(event);
+			if (resolveWaiter) {
+				resolveWaiter();
+				resolveWaiter = null;
+			}
+		}]);
+		try {
+			while (true) {
+				if (queue.length === 0) await new Promise((resolve) => {
+					resolveWaiter = resolve;
+				});
+				const event = queue.shift();
+				yield event;
+				if (event.type === "finished") break;
+			}
+		} finally {
+			unsubscribe();
+		}
+	}
+	_sendUpdate(update) {
+		this._updates.push(update);
+		for (const listener of this._updateListeners) listener(update);
+	}
+	_completeWithResult(result) {
+		if (this._state.result != null || this._isAborted) return false;
+		this._state = {
+			request: this._state.request,
+			progress: this._state.progress,
+			result
+		};
+		this._resolveResult(result);
+		this._sendUpdate({
+			type: "finished",
+			finishType: "success",
+			runningAction: this,
+			time: Date.now(),
+			response: result
+		});
+		return true;
+	}
+	_abort(reason) {
+		if (this._state.result != null || this._isAborted) return false;
+		this._isAborted = true;
+		this._rejectResult(reason);
+		this._sendUpdate({
+			type: "finished",
+			finishType: "aborted",
+			runningAction: this,
+			time: Date.now(),
+			reason
+		});
+		return true;
+	}
+	_failWithError(error) {
+		if (this._state.result != null || this._isAborted) return false;
+		this._isAborted = true;
+		this._rejectResult(error);
+		this._sendUpdate({
+			type: "finished",
+			finishType: "failed",
+			runningAction: this,
+			time: Date.now(),
+			error
+		});
+		return true;
+	}
+	_updateProgress(progress) {
+		if (this._state.result != null || this._isAborted) return;
+		this._state.progress.push(progress);
+		this._sendUpdate({
+			type: "progress",
+			runningAction: this,
+			time: Date.now(),
+			progress: progress.progress
+		});
+	}
+	waitForResultPayload() {
+		return this._resultPayloadPromise;
+	}
+	_resolveFromJson(resultJson) {
+		if (this._state.result != null || this._isAborted) return false;
+		const result = this._domain.hydrateResultPayload(resultJson);
+		return this._completeWithResult(result);
+	}
+};
+//#endregion
+//#region src/errors/err_nice_action.ts
+let EErrId_NiceAction = /* @__PURE__ */ function(EErrId_NiceAction) {
+	EErrId_NiceAction["not_implemented"] = "not_implemented";
+	EErrId_NiceAction["action_id_not_in_domain"] = "action_id_not_in_domain";
+	EErrId_NiceAction["domain_already_exists_in_hierarchy"] = "domain_already_exists_in_hierarchy";
+	EErrId_NiceAction["domain_no_handler"] = "domain_no_handler";
+	EErrId_NiceAction["hydration_domain_mismatch"] = "hydration_domain_mismatch";
+	EErrId_NiceAction["hydration_action_state_mismatch"] = "hydration_action_state_mismatch";
+	EErrId_NiceAction["hydration_action_id_not_found"] = "hydration_action_id_not_found";
+	EErrId_NiceAction["no_action_execution_handler"] = "no_action_execution_handler";
+	EErrId_NiceAction["wire_action_not_payload"] = "wire_action_not_payload";
+	EErrId_NiceAction["wire_not_action_data"] = "wire_not_action_data";
+	EErrId_NiceAction["client_runtime_already_registered"] = "client_runtime_already_registered";
+	EErrId_NiceAction["client_runtime_not_registered"] = "client_runtime_not_registered";
+	EErrId_NiceAction["runtime_reset"] = "runtime_reset";
+	EErrId_NiceAction["no_client_runtimes_registered"] = "no_client_runtimes_registered";
+	EErrId_NiceAction["action_input_validation_failed"] = "action_input_validation_failed";
+	EErrId_NiceAction["action_input_validation_promise"] = "action_input_validation_promise";
+	EErrId_NiceAction["action_output_validation_failed"] = "action_output_validation_failed";
+	EErrId_NiceAction["action_output_validation_promise"] = "action_output_validation_promise";
+	return EErrId_NiceAction;
+}({});
+const err_nice_action = err_nice.createChildDomain({
+	domain: "err_nice_action",
+	defaultHttpStatusCode: 500,
+	schema: {
+		["not_implemented"]: err({ message: ({ label }) => `The "${label}" functionality is not implemented yet.` }),
+		["action_id_not_in_domain"]: err({ message: ({ actionId, domain }) => `Action with id "${actionId}" does not exist in domain "${domain}".` }),
+		["domain_already_exists_in_hierarchy"]: err({ message: ({ domain, allParentDomains, parentDomain }) => `Domain "${domain}" already exists in the hierarchy under the parent "${parentDomain}". All parent domains ["${allParentDomains.join(", ")}"]` }),
+		["domain_no_handler"]: err({ message: ({ domain }) => `Domain "${domain}" has no action handler registered.` }),
+		["hydration_domain_mismatch"]: err({ message: ({ expected, received }) => `Cannot hydrate action: domain mismatch. Expected "${expected}", got "${received}".` }),
+		["hydration_action_state_mismatch"]: err({ message: ({ expected, received }) => `Cannot hydrate action: action state type mismatch. Expected "${expected}", got "${received}".` }),
+		["hydration_action_id_not_found"]: err({ message: ({ domain, actionId }) => `Cannot hydrate action: id "${actionId}" does not exist in domain "${domain}".` }),
+		["no_action_execution_handler"]: err({ message: ({ domain, actionId, specifiedClient }) => `${specifiedClient ? ` The targeted client runtime [${specifiedClient.stringId}] has no` : "No"} action handler registered for "${actionId}" in domain "${domain}".` }),
+		["wire_action_not_payload"]: err({ message: ({ domain, actionId, actionState }) => `Cannot handle wire for action "${actionId}" in domain "${domain}": expected action form of "data" and type of "request", "progress" or "result", got "${actionState}".` }),
+		["wire_not_action_data"]: err({ message: () => `Cannot handle wire for action: expected an object with a "domain" property of type string, a "form" property of "data" and a "type" property of "request", "progress" or "result".` }),
+		["runtime_reset"]: err({ message: () => `Runtime has been reset.` }),
+		["client_runtime_already_registered"]: err({ message: ({ context, client }) => `Environment is already registered${context?.domain ? ` on domain "${context.domain}"` : ""} for client [${client.stringId}]. Each client specifier (exact match on all properties) may only be registered once.` }),
+		["client_runtime_not_registered"]: err({ message: ({ context, clientStringId }) => `No runtime registered${context?.domain ? ` on domain "${context.domain}"` : ""} for client [${clientStringId}].` }),
+		["no_client_runtimes_registered"]: err({ message: ({ context }) => `No runtimes registered${context?.domain ? ` on domain "${context.domain}"` : ""}. Add handlers to a runtime via runtime.addHandlers([handler]) before executing actions.` }),
+		["action_input_validation_failed"]: err({
+			message: ({ domain, actionId, validationMessage }) => `Input validation failed for action "${actionId}" in domain "${domain}":\n${validationMessage}`,
+			httpStatusCode: 400
+		}),
+		["action_input_validation_promise"]: err({
+			message: ({ domain, actionId }) => `Input validation for action "${actionId}" in domain "${domain}" returned a promise, which is not supported.`,
+			httpStatusCode: 400
+		}),
+		["action_output_validation_failed"]: err({
+			message: ({ domain, actionId, validationMessage }) => `Output validation failed for action "${actionId}" in domain "${domain}":\n${validationMessage}`,
+			httpStatusCode: 500
+		}),
+		["action_output_validation_promise"]: err({
+			message: ({ domain, actionId }) => `Output validation for action "${actionId}" in domain "${domain}" returned a promise, which is not supported.`,
+			httpStatusCode: 500
+		})
+	}
+});
+//#endregion
+//#region src/utils/isAction_Base_JsonObject.ts
+const isAction_Base_JsonObject = (obj) => {
+	return typeof obj === "object" && obj !== null && typeof obj.domain === "string" && typeof obj.id === "string" && typeof obj.form === "string";
+};
+//#endregion
+//#region src/utils/isActionPayload_Result_JsonObject.ts
+const isActionPayload_Result_JsonObject = (obj) => {
+	return isAction_Base_JsonObject(obj) && obj.result != null && obj.form === "data" && obj.type === "result";
+};
+//#endregion
+//#region src/ActionDefinition/Schema/ActionSchema.ts
+/**
+* What a sender should expect back from an action — declared on its schema so both ends agree without
+* any wire flag (each derives the mode from the shared `domain:id`).
+*
+* - `payload` — a typed output (the action has `.output(...)`); the sender awaits it.
+* - `ack` — an empty success confirming receipt (no output); the sender may await it to know the
+*   receiver handled it (or to surface an error). This is the default for an action with no output.
+* - `none` — fire-and-forget: the receiver sends no reply and the sender doesn't wait. The sender's
+*   running action completes as soon as the frame is on the wire (no pending reply, no timeout).
+*/
+let EActionResponseMode = /* @__PURE__ */ function(EActionResponseMode) {
+	EActionResponseMode["payload"] = "payload";
+	EActionResponseMode["ack"] = "ack";
+	EActionResponseMode["none"] = "none";
+	return EActionResponseMode;
+}({});
+var ActionSchema = class {
+	_errorDeclarations = [];
+	inputOptions;
+	outputOptions;
+	_responseMode;
+	get inputSchema() {
+		return this.inputOptions?.schema;
+	}
+	get outputSchema() {
+		return this.outputOptions?.schema;
+	}
+	/**
+	* The response contract for this action. Defaults are inferred — `payload` when an output schema is
+	* declared, otherwise `ack` — and made explicit by {@link ack} / {@link fireAndForget}.
+	*/
+	get responseMode() {
+		if (this._responseMode != null) return this._responseMode;
+		return this.outputOptions != null ? "payload" : "ack";
+	}
+	/**
+	* Mark this action as expecting only an acknowledgment (an empty success). Mostly for clarity — an
+	* output-less action already acks by default — but it documents intent and reads as the deliberate
+	* counterpart to {@link fireAndForget}.
+	*/
+	ack() {
+		this._responseMode = "ack";
+		return this;
+	}
+	/**
+	* Mark this action as fire-and-forget: the receiver sends no reply, and the sender's running action
+	* completes the moment the frame is sent (no awaited reply, no timeout). Ideal for high-frequency
+	* server→client pushes (presence, ticks) where an ack would only add wire chatter.
+	*/
+	fireAndForget() {
+		this._responseMode = "none";
+		return this;
+	}
+	/**
+	* Declare the input schema (JSON-native or with explicit SERDE type param).
+	* For non-JSON-native inputs, prefer the 3-argument form below to avoid
+	* needing explicit type parameters.
+	*/
+	input(options) {
+		this.inputOptions = options;
+		return this;
+	}
+	/**
+	* Declare the output schema (JSON-native or with explicit SERDE type param).
+	* For non-JSON-native outputs, prefer the 3-argument form below to avoid
+	* needing explicit type parameters.
+	*/
+	output(options) {
+		this.outputOptions = options;
+		return this;
+	}
+	throws(domain, ids) {
+		this._errorDeclarations.push({
+			_domain: domain,
+			_ids: ids
+		});
+		return this;
+	}
+	/**
+	* Serialize raw input to a JSON-serializable form.
+	* Uses the schema's serialization.serialize if defined; otherwise the input
+	* is already JSON-native and is returned as-is.
+	*/
+	serializeInput(rawInput) {
+		if (this.inputOptions?.serialization) return this.inputOptions.serialization.serialize(rawInput);
+		return rawInput;
+	}
+	/**
+	* Deserialize a JSON value back into the raw input type.
+	* Uses serialization.deserialize if defined; otherwise the value is cast
+	* directly (it's already in the correct shape).
+	*/
+	deserializeInput(serialized) {
+		if (this.inputOptions?.serialization) return this.inputOptions.serialization.deserialize(serialized);
+		return serialized;
+	}
+	/**
+	* Validate raw input against the schema defined via `.input({ schema })`.
+	* Throws `action_input_validation_failed` if validation fails.
+	* Returns the validated (and possibly coerced) value on success.
+	* If no input schema was declared, the value is passed through as-is.
+	*/
+	validateInput(value, meta) {
+		if (this.inputOptions?.schema == null) return value;
+		const result = this.inputOptions.schema["~standard"].validate(value);
+		if (result instanceof Promise) throw err_nice_action.fromId("action_input_validation_promise", {
+			domain: meta.domain,
+			actionId: meta.actionId
+		});
+		if (result.issues != null) throw err_nice_action.fromId("action_input_validation_failed", {
+			domain: meta.domain,
+			actionId: meta.actionId,
+			validationMessage: extractMessageFromStandardSchema(result)
+		});
+		return result.value;
+	}
+	validateOutput(value, meta) {
+		if (this.outputOptions?.schema == null) return value;
+		const result = this.outputOptions.schema["~standard"].validate(value);
+		if (result instanceof Promise) throw err_nice_action.fromId("action_output_validation_promise", {
+			domain: meta.domain,
+			actionId: meta.actionId
+		});
+		if (result.issues != null) throw err_nice_action.fromId("action_output_validation_failed", {
+			domain: meta.domain,
+			actionId: meta.actionId,
+			validationMessage: extractMessageFromStandardSchema(result)
+		});
+		return result.value;
+	}
+	/**
+	* Serialize raw output to a JSON-serializable form.
+	*/
+	serializeOutput(rawOutput) {
+		if (this.outputOptions?.serialization) return this.outputOptions.serialization.serialize(rawOutput);
+		return rawOutput;
+	}
+	/**
+	* Deserialize a JSON value back into the raw output type.
+	*/
+	deserializeOutput(serialized) {
+		if (this.outputOptions?.serialization) return this.outputOptions.serialization.deserialize(serialized);
+		return serialized;
+	}
+};
+const actionSchema = () => {
+	return new ActionSchema();
+};
+//#endregion
+//#region src/utils/getAssumedRuntimeEnvironment.ts
+const getAssumedRuntimeInfo = () => {
+	return {
+		assumed: true,
+		runtimeName: runtime
+	};
+};
+//#endregion
+//#region src/utils/isActionPayload_Progress_JsonObject.ts
+const isActionPayload_Progress_JsonObject = (obj) => {
+	return isAction_Base_JsonObject(obj) && "progress" in obj && obj.form === "data" && obj.type === "progress";
+};
+//#endregion
+//#region src/utils/isActionPayload_Request_JsonObject.ts
+const isActionPayload_Request_JsonObject = (obj) => {
+	return isAction_Base_JsonObject(obj) && "input" in obj && obj.form === "data" && obj.type === "request";
+};
+//#endregion
+//#region src/utils/isActionPayload_Any_JsonObject.ts
+function isActionPayload_Any_JsonObject(obj) {
+	return isActionPayload_Request_JsonObject(obj) || isActionPayload_Result_JsonObject(obj) || isActionPayload_Progress_JsonObject(obj);
+}
+//#endregion
+//#region src/ActionRuntime/HandlerCallStack.ts
+const _stack = [];
+function pushHandlerCuid(cuid) {
+	_stack.push(cuid);
+}
+function popHandlerCuid() {
+	_stack.pop();
+}
+function peekHandlerCuid() {
+	return _stack[_stack.length - 1];
+}
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Connector/err_nice_external_client.ts
+const err_nice_external_client = err_nice_action.createChildDomain({
+	domain: "err_nice_external_client",
+	schema: {}
+});
+//#endregion
+//#region src/ActionRuntime/Transport/err_nice_transport.ts
+let EErrId_NiceTransport = /* @__PURE__ */ function(EErrId_NiceTransport) {
+	EErrId_NiceTransport["timeout"] = "timeout";
+	EErrId_NiceTransport["not_found"] = "not_found";
+	EErrId_NiceTransport["unsupported"] = "unsupported";
+	EErrId_NiceTransport["initialization_failed"] = "initialization_failed";
+	EErrId_NiceTransport["send_failed"] = "send_failed";
+	EErrId_NiceTransport["invalid_action_response"] = "invalid_action_response";
+	return EErrId_NiceTransport;
+}({});
+const err_nice_transport = err_nice_external_client.createChildDomain({
+	domain: "err_nice_transport",
+	schema: {
+		["timeout"]: err({ message: ({ timeout }) => `ActionConnect transport timed out after ${timeout}ms.` }),
+		["not_found"]: err({ message: ({ actionId }) => `No connected transport found for action "${actionId}".` }),
+		["unsupported"]: err({ message: ({ transportShapes }) => `${transportShapes.length} Transport(s) [${transportShapes.join(", ")}] found but returned "unsupported" status.` }),
+		["initialization_failed"]: err({ message: ({ actionId }) => `Transports found for action "${actionId}", but none are ready.` }),
+		["send_failed"]: err({
+			message: ({ actionId, httpStatusCode, message }) => `Failed to send action "${actionId}" [${httpStatusCode ?? "Unknown status"}]: ${message ?? "Unknown error"}.`,
+			httpStatusCode: ({ httpStatusCode }) => httpStatusCode ?? 500
+		}),
+		["invalid_action_response"]: err({ message: ({ actionId }) => `Invalid action response JSON structure for action "${actionId}"` })
+	}
+});
+//#endregion
+//#region src/ActionRuntime/Transport/Transport.types.ts
+/**
+* Carrier-shape class identity: the one carrier-invariant trait the selection layer reasons about —
+* whether a carrier can push unsolicited frames (`duplex`: WS/WebRTC/BLE/in-memory) or only answers a
+* request with a single correlated reply (`exchange`: HTTP). The concrete carrier kind ("ws", "webrtc",
+* "http", …) is a free-form {@link ITransportRouteInfo.carrierLabel} for display, not a class tag.
+*/
+let ETransportShape = /* @__PURE__ */ function(ETransportShape) {
+	ETransportShape["duplex"] = "duplex";
+	ETransportShape["exchange"] = "exchange";
+	return ETransportShape;
+}({});
+/**
+*
+*  TRANSPORT READINESS RESPONSE
+*
+*/
+let ETransportStatus = /* @__PURE__ */ function(ETransportStatus) {
+	ETransportStatus["uninitialized"] = "uninitialized";
+	ETransportStatus["unsupported"] = "unsupported";
+	ETransportStatus["initializing"] = "initializing";
+	ETransportStatus["ready"] = "ready";
+	ETransportStatus["failed"] = "failed";
+	return ETransportStatus;
+}({});
+//#endregion
+//#region src/ActionRuntime/Transport/ConnectionTransportManager.ts
+var ConnectionTransportManager = class {
+	_cache;
+	_transports = [];
+	constructor(_cache) {
+		this._cache = _cache;
+	}
+	addTransport(transport) {
+		this._transports.push(transport);
+	}
+	/**
+	* The highest-priority transport (first declared). Used to label an action's route *before* the
+	* transport has finished connecting — so a still-connecting action shows its (expected) destination
+	* instead of an "unknown" hop. {@link getReadyTransport} still decides the real winner, and the
+	* caller corrects the hop if a lower-priority transport ends up serving the action.
+	*/
+	getPreferredTransport() {
+		return this._transports[0];
+	}
+	async getReadyTransport(routeActionParams) {
+		const action = routeActionParams.action;
+		const candidates = [];
+		const unavailableTransports = [];
+		for (const transport of this._transports) {
+			if (!transport.isAvailable(routeActionParams)) {
+				unavailableTransports.push(transport);
+				continue;
+			}
+			const cacheKey = transport.getCacheKey(routeActionParams);
+			if (cacheKey != null) {
+				const cached = this._cache.get(cacheKey);
+				if (cached != null) {
+					if (cached instanceof Promise) {
+						candidates.push(cached);
+						continue;
+					}
+					candidates.push(Promise.resolve({
+						...cached,
+						transport
+					}));
+					break;
+				}
+			}
+			const statusInfo = transport.getTransport(routeActionParams);
+			if (statusInfo.status === "ready") {
+				const readyData = statusInfo.readyData;
+				if (cacheKey != null) {
+					const entry = {
+						methods: readyData,
+						transport
+					};
+					this._cache.set(cacheKey, entry);
+					readyData.addOnDisconnectListener?.(() => {
+						if (this._cache.get(cacheKey) === entry) this._cache.delete(cacheKey);
+					});
+				}
+				candidates.push(Promise.resolve({
+					methods: readyData,
+					transport
+				}));
+				break;
+			}
+			if (statusInfo.status === "unsupported") {
+				unavailableTransports.push(transport);
+				continue;
+			}
+			if (statusInfo.status === "initializing") {
+				const promise = statusInfo.initializationPromise.then((info) => {
+					if (info.status === "failed") throw info.error;
+					if (info.status === "unsupported") throw err_nice_transport.fromId("unsupported", { transportShapes: [transport.type] });
+					const readyData = info.readyData;
+					const entry = {
+						methods: readyData,
+						transport
+					};
+					if (cacheKey != null) if (this._cache.get(cacheKey) === promise) {
+						this._cache.set(cacheKey, entry);
+						readyData.addOnDisconnectListener?.(() => {
+							if (this._cache.get(cacheKey) === entry) this._cache.delete(cacheKey);
+						});
+					} else readyData.disconnect?.();
+					return entry;
+				}).catch((e) => {
+					if (cacheKey != null && this._cache.get(cacheKey) === promise) this._cache.delete(cacheKey);
+					throw e;
+				});
+				if (cacheKey != null) this._cache.set(cacheKey, promise);
+				candidates.push(promise);
+			}
+		}
+		if (candidates.length === 0) {
+			if (unavailableTransports.length > 0) throw err_nice_transport.fromId("unsupported", { transportShapes: unavailableTransports.map((t) => t.type) });
+			throw err_nice_transport.fromId("not_found", { actionId: action.id });
+		}
+		let lastError;
+		for (const candidate of candidates) try {
+			return await candidate;
+		} catch (e) {
+			lastError = e;
+		}
+		throw err_nice_transport.fromId("initialization_failed", { actionId: action.id }).withOriginError(lastError);
+	}
+};
+//#endregion
+//#region src/ActionRuntime/ActionDomainManager.ts
+var ActionDomainManager = class {
+	_domains = /* @__PURE__ */ new Map();
+	addDomain(domain) {
+		this._domains.set(domain.domain, domain);
+	}
+	getDomains() {
+		return [...this._domains.values()];
+	}
+	verifyIsActionJson(action) {
+		if (typeof action.domain !== "string" || typeof action.id !== "string") throw err_nice_action.fromId("wire_not_action_data");
+	}
+	getActionDomain(action) {
+		this.verifyIsActionJson(action);
+		const domain = this._domains.get(action.domain);
+		if (!domain) return;
+		return domain;
+	}
+	getActionDomainOrThrow(action) {
+		this.verifyIsActionJson(action);
+		const domain = this._domains.get(action.domain);
+		if (!domain) throw err_nice_action.fromId("domain_no_handler", { domain: action.domain });
+		return domain;
+	}
+	hydrateActionPayload(actionJson) {
+		return this.getActionDomainOrThrow(actionJson).hydrateAnyAction(actionJson);
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Routing/ActionRouter.ts
+var ActionRouter = class {
+	domainManager = new ActionDomainManager();
+	actionRouteData = /* @__PURE__ */ new Map();
+	_context;
+	constructor(context) {
+		this._context = context;
+	}
+	/** Copy all routes from another router into this one, replacing any overlapping keys. */
+	mergeRouter(actionRouter) {
+		for (const domain of actionRouter.getDomains()) this.domainManager.addDomain(domain);
+		for (const [matchKey, routeDataEntries] of actionRouter.actionRouteData.entries()) this.actionRouteData.set(matchKey, [...routeDataEntries]);
+	}
+	addDomainsFromOther(actionRouter) {
+		for (const domain of actionRouter.getDomains()) this.domainManager.addDomain(domain);
+	}
+	/** All FNs registered for an action, ID-specific entries first then domain wildcard. */
+	getRouteDataEntriesForAction(action) {
+		const idKey = `dom[${action.domain}]id[${action.id}]`;
+		const domKey = `dom[${action.domain}]id[_]`;
+		return [...this.actionRouteData.get(idKey) ?? [], ...this.actionRouteData.get(domKey) ?? []];
+	}
+	/** First FN registered for an action (ID-specific beats domain wildcard). */
+	getRouteDataForAction(action) {
+		return this.getRouteDataEntriesForAction(action)[0];
+	}
+	throwNoHandlerForAction(action, context) {
+		if (this._context.contextType === "handler_route") throw err_nice_action.fromId("no_action_execution_handler", {
+			domain: action.domain,
+			actionId: action.id,
+			specifiedClient: context.targetLocalRuntime?.coordinate
+		});
+		if (this._context.contextType === "runtime_to_handler") throw err_nice_action.fromId("no_action_execution_handler", {
+			domain: action.domain,
+			actionId: action.id,
+			specifiedClient: this._context.runtime.coordinate
+		});
+		throw err_nice_action.fromId("no_action_execution_handler", {
+			domain: action.domain,
+			actionId: action.id
+		});
+	}
+	getRouteDataEntriesForActionOrThrow(action, context) {
+		const entries = this.getRouteDataEntriesForAction(action);
+		if (entries.length === 0) this.throwNoHandlerForAction(action, context);
+		return entries;
+	}
+	getRouteDataForActionOrThrow(action, context) {
+		const routeData = this.getRouteDataForAction(action);
+		if (!routeData) this.throwNoHandlerForAction(action, context);
+		return routeData;
+	}
+	/** All FNs stored under an exact match key. */
+	getForKey(key) {
+		return this.actionRouteData.get(key) ?? [];
+	}
+	/** Every match key that has at least one registered FN. */
+	getRegisteredKeys() {
+		return [...this.actionRouteData.keys()];
+	}
+	getDomains() {
+		return this.domainManager.getDomains();
+	}
+	/** Register a handler for all actions in a domain, replacing any existing one. */
+	forDomain(domain, routeData) {
+		this.domainManager.addDomain(domain);
+		this.actionRouteData.set(`dom[${domain.domain}]id[_]`, [routeData]);
+		return this;
+	}
+	forAction(action, routeData) {
+		return this.forActionId(action._domain, action.id, routeData);
+	}
+	/** Register a handler for a specific action, replacing any existing one. */
+	forActionId(domain, id, routeData) {
+		this.domainManager.addDomain(domain);
+		this.actionRouteData.set(`dom[${domain.domain}]id[${id}]`, [routeData]);
+		return this;
+	}
+	/** Register one handler for several action IDs, replacing any existing ones. */
+	forActionIds(domain, ids, routeData) {
+		this.domainManager.addDomain(domain);
+		for (const id of ids) this.forActionId(domain, id, routeData);
+		return this;
+	}
+	/** Register per-action handlers from a cases map, replacing any existing ones. */
+	forDomainActionCases(domain, cases) {
+		this.domainManager.addDomain(domain);
+		for (const id of Object.keys(cases)) {
+			const routeData = cases[id];
+			if (routeData != null) this.actionRouteData.set(`dom[${domain.domain}]id[${id}]`, [routeData]);
+		}
+		return this;
+	}
+	/** Append a handler for all actions in a domain (accumulates alongside existing). */
+	addForDomain(domain, routeData) {
+		this.domainManager.addDomain(domain);
+		this._push(`dom[${domain.domain}]id[_]`, routeData);
+		return this;
+	}
+	/** Append a handler for a specific action (accumulates alongside existing). */
+	addForAction(domain, id, routeData) {
+		this.domainManager.addDomain(domain);
+		this._push(`dom[${domain.domain}]id[${id}]`, routeData);
+		return this;
+	}
+	/** Append one handler for several action IDs (accumulates alongside existing). */
+	addForActionIds(domain, ids, routeData) {
+		this.domainManager.addDomain(domain);
+		for (const id of ids) this.addForAction(domain, id, routeData);
+		return this;
+	}
+	/** Append per-action handlers from a cases map (accumulates alongside existing). */
+	addForDomainActionCases(domain, cases) {
+		this.domainManager.addDomain(domain);
+		for (const id of Object.keys(cases)) {
+			const routeData = cases[id];
+			if (routeData != null) this._push(`dom[${domain.domain}]id[${id}]`, routeData);
+		}
+		return this;
+	}
+	/** Append a handler directly by its raw match key (used when the key is known ahead of time). */
+	addForKey(key, routeData) {
+		this._push(key, routeData);
+		return this;
+	}
+	_push(key, routeData) {
+		const existing = this.actionRouteData.get(key);
+		if (existing != null) existing.push(routeData);
+		else this.actionRouteData.set(key, [routeData]);
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Handler/ActionHandler.ts
+var ActionHandler = class {
+	cuid;
+	constructor() {
+		this.cuid = nanoid();
+	}
+	getActionRouter() {
+		return this.actionRouter;
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/PeerLinkHandler.ts
+/**
+* Shared base for every handler that routes a domain set to/from *another runtime* (a "peer") — the
+* unified peer-link concept. Both specializations extend this as siblings, differing only in *who
+* establishes the connection*, which is a transport trait, not a routing one:
+*
+* - {@link ConnectorHandler} — **dial-out**: this runtime opens connection(s) to one peer
+*   over a transport stack (with caching + fallback). The classic "client → backend" link.
+* - {@link AcceptorHandler} — **accept-in**: connections are accepted from many peers and fed in
+*   via `receive()`; it keeps a per-connection registry and can push to any of them.
+*
+* To the runtime there is no "client" vs "server" — both are peer-link handlers (`handlerType =
+* external`) keyed to a peer coordinate, chosen by the return-path dispatch via {@link sendReturnPayload}.
+*/
+var PeerLinkHandler = class extends ActionHandler {
+	/** The peer runtime this handler links to (an env-only coordinate for an accept-in handler). */
+	peerClient;
+	handlerType = "peer";
+	actionRouter = new ActionRouter({
+		contextType: "handler_route",
+		handler: this
+	});
+	/** Listeners installed by the runtime (`resolveIncomingActionPayload`) for inbound peer frames. */
+	_incomingActionDataListeners = [];
+	constructor(peerCoordinate) {
+		super();
+		this.peerClient = peerCoordinate;
+	}
+	forDomain(domain) {
+		this.actionRouter.forDomain(domain, true);
+		return this;
+	}
+	forAction(action) {
+		this.actionRouter.forAction(action, true);
+		return this;
+	}
+	forActionIds(domain, ids) {
+		this.actionRouter.forActionIds(domain, ids, true);
+		return this;
+	}
+	_setIncomingActionDataListener(listener) {
+		this._incomingActionDataListeners.push(listener);
+	}
+	/** Hand a decoded inbound frame to the runtime (called by each specialization's receive path). */
+	_emitIncoming(json) {
+		for (const listener of this._incomingActionDataListeners) listener(json);
+	}
+	/**
+	* Whether this handler currently holds a *live* connection bound to `origin`. The runtime's return-path
+	* dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) prefers a handler that owns the origin's
+	* connection over a mere coordinate match, so with several duplex acceptors a result/push routes back
+	* over the carrier the client connected on. Defaults to `false`; an acceptor overrides it from its
+	* connection registry.
+	*/
+	ownsLiveConnectionFor(_origin) {
+		return false;
+	}
+	/** Release any long-lived connections this handler owns (a teardown). No-op by default. */
+	clearTransportCache() {}
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Connector/ConnectorHandler.ts
+/**
+* Dial-out peer link: this runtime opens connection(s) to one peer over a transport stack (cached, with
+* preference-ordered fallback). The classic "client → backend" handler — but to the runtime it's just a
+* {@link PeerLinkHandler} like the accept-in server one.
+*/
+var ConnectorHandler = class extends PeerLinkHandler {
+	/**
+	* Dial-out can receive (and so return) an unsolicited push only over a duplex transport. With every
+	* transport exchange-only (HTTP), the peer can never push to us — so this link can't deliver one back.
+	*/
+	canPush;
+	_defaultTimeout;
+	_transportCache = /* @__PURE__ */ new Map();
+	transportManager = new ConnectionTransportManager(this._transportCache);
+	constructor({ runtimeCoordinate: peerSpecifier, transports, defaultTimeout }) {
+		super(peerSpecifier);
+		this._defaultTimeout = defaultTimeout ?? 1e4;
+		this.canPush = transports.some((transport) => transport.type === "duplex");
+		for (const transport of transports) {
+			const connection = transport._createConnection({ resolvers: { onIncomingActionDataJson: (json) => this._emitIncoming(json) } });
+			connection.definition = transport;
+			this.transportManager.addTransport(connection);
+		}
+	}
+	async handleActionRequest(action, config) {
+		const localRuntime = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
+		const localClient = localRuntime.coordinate;
+		const incomingTimeout = config?.timeout ?? this._defaultTimeout;
+		const parentCuid = peekHandlerCuid();
+		const callSite = action._callSite ?? (/* @__PURE__ */ new Error()).stack;
+		const routeParams = {
+			action,
+			localClient,
+			externalClient: this.peerClient
+		};
+		const preferredTransport = this.transportManager.getPreferredTransport();
+		const routeItem = preferredTransport != null ? {
+			runtime: localClient,
+			handler: this.toHandlerRouteItem(preferredTransport, routeParams),
+			time: Date.now()
+		} : void 0;
+		if (routeItem != null) action.context.addRouteItem(routeItem);
+		const runningAction = new RunningAction({
+			context: action.context,
+			request: action,
+			parentCuid,
+			callSite
+		});
+		localRuntime.registerRunningAction(runningAction);
+		this._dispatchWhenTransportReady(runningAction, routeParams, routeItem, incomingTimeout);
+		return runningAction;
+	}
+	async _dispatchWhenTransportReady(runningAction, routeParams, routeItem, incomingTimeout) {
+		const action = routeParams.action;
+		try {
+			const { methods, transport } = await this.transportManager.getReadyTransport(routeParams);
+			const handlerRouteItem = this.toHandlerRouteItem(transport, routeParams);
+			if (routeItem != null) {
+				routeItem.handler = handlerRouteItem;
+				routeItem.time = Date.now();
+			} else action.context.addRouteItem({
+				runtime: routeParams.localClient,
+				handler: handlerRouteItem,
+				time: Date.now()
+			});
+			const sendInput = {
+				...routeParams,
+				runningAction,
+				timeout: incomingTimeout
+			};
+			if (action.type === "request" && methods.updateRunConfig != null) sendInput.timeout = methods.updateRunConfig(sendInput)?.timeout ?? incomingTimeout;
+			methods.sendActionData(sendInput);
+			if (action.type === "request" && action.schema.responseMode === "none") runningAction._completeWithResult(action.successResult(void 0));
+		} catch (err) {
+			runningAction._abort(err);
+		}
+	}
+	/**
+	* Dispatch a result or progress payload directly back to the external client via the best
+	* available bidirectional transport (WebSocket / Custom). Used for return-path routing when the
+	* local runtime recognises that it has a direct channel to the action's originClient.
+	*
+	* Returns `true` if the payload was sent, `false` if no suitable transport was available.
+	*/
+	async sendReturnPayload(payload, config) {
+		const localClient = config.targetLocalRuntime.coordinate;
+		try {
+			const { methods } = await this.transportManager.getReadyTransport({
+				action: payload,
+				localClient,
+				externalClient: this.peerClient
+			});
+			if (methods.sendReturnData == null) return false;
+			methods.sendReturnData(payload, {
+				localClient,
+				externalClient: this.peerClient
+			});
+			return true;
+		} catch {
+			return false;
+		}
+	}
+	toJsonObject() {
+		return {
+			type: this.handlerType,
+			client: this.peerClient
+		};
+	}
+	toHandlerRouteItem(transport, input) {
+		return {
+			type: this.handlerType,
+			client: this.peerClient,
+			transOrd: transport.transOrd,
+			transShape: transport.type,
+			transInfo: transport.getRouteInfo(input)
+		};
+	}
+	clearTransportCache() {
+		for (const entry of this._transportCache.values()) if (entry instanceof Promise) entry.then((ready) => ready.methods.disconnect?.()).catch(() => {});
+		else entry.methods.disconnect?.();
+		this._transportCache.clear();
+	}
+};
+const createConnectorHandler = (config) => {
+	return new ConnectorHandler(config);
+};
+//#endregion
+//#region src/ActionRuntime/ActionRuntime.ts
+var ActionRuntime = class {
+	_coordinate;
+	timeCreated;
+	runtimeInfo = getAssumedRuntimeInfo();
+	actionRouter;
+	_pendingRunningActions = /* @__PURE__ */ new Map();
+	_registeredPeerHandlers = [];
+	_applied = false;
+	static getDefault() {
+		return getDefaultActionRuntime();
+	}
+	constructor(coordinate) {
+		this._coordinate = coordinate.specifyIfUnset({ insId: nanoid(14) });
+		this.timeCreated = Date.now();
+		this.actionRouter = new ActionRouter({
+			contextType: "runtime_to_handler",
+			runtime: this
+		});
+	}
+	get coordinate() {
+		return this._coordinate;
+	}
+	specifyRuntimeCoordinate(specifics) {
+		if (specifics.envId != null && this._coordinate.envId !== specifics.envId) throw err_nice_action.fromId("not_implemented", { label: `updating RuntimeCoordinate with a different "envId" ("${this._coordinate.envId}" → "${specifics.envId}")` });
+		this._coordinate = this._coordinate.specify(specifics);
+		this.apply();
+	}
+	registerRunningAction(ra) {
+		this._pendingRunningActions.set(ra.cuid, ra);
+		ra.addUpdateListeners([(update) => {
+			if (update.type === "finished") this._pendingRunningActions.delete(ra.cuid);
+		}]);
+	}
+	resolveIncomingActionPayload(json) {
+		if (json.type === "request") {
+			this.handleActionPayloadWire(json).catch((err) => {
+				console.error(`[ActionRuntime] Incoming action [${json.domain}:${json.id}:${json.form}:${json.type}] unhandled:`, err);
+			});
+			return;
+		}
+		this._pendingRunningActions.get(json.context.cuid)?._resolveFromJson(json);
+	}
+	async handleActionPayloadWire(wire) {
+		let action;
+		if (isActionPayload_Any_JsonObject(wire)) action = this.actionRouter.domainManager.getActionDomainOrThrow(wire).hydrateAnyAction(wire);
+		if (action == null) throw err_nice_action.fromId("wire_not_action_data");
+		return this.handleActionPayload(action);
+	}
+	async handleActionPayload(action, options) {
+		if (action.type === "request") {
+			const observers = action.context._domain._collectActionObservers();
+			let handlerForAction;
+			try {
+				handlerForAction = this.getHandlerForActionOrThrow(action, options);
+			} catch (err) {
+				const runningAction = new RunningAction({
+					context: action.context,
+					request: action
+				});
+				runningAction.addUpdateListeners(observers);
+				runningAction._completeWithResult(action.errorResult(castNiceError(err)));
+				return runningAction;
+			}
+			const runningAction = await handlerForAction.handleActionRequest(action, {
+				...options,
+				targetLocalRuntime: this
+			});
+			runningAction.addUpdateListeners(observers);
+			this._trySetupReturnDispatch(runningAction);
+			return runningAction;
+		}
+		throw err_nice_action.fromId("not_implemented", { label: `Handling incoming action payloads of type "${action.type}"` });
+	}
+	/**
+	* @internal
+	*
+	* Return the first handler registered for the given action, or `undefined`
+	* if none has been registered (action-ID-specific beats domain-wildcard).
+	*/
+	_getHandlerForAction(action, options) {
+		const handlers = this.actionRouter.getRouteDataEntriesForAction(action);
+		const targetPeer = options?.targetPeer;
+		const possibleHandlers = handlers.filter((handler) => {
+			if (handler.handlerType === "peer") {
+				if (targetPeer && !targetPeer.isSameFor(handler.peerClient).id) return false;
+				return true;
+			}
+			if (targetPeer != null) return false;
+			if (action.type === "request") return true;
+			return false;
+		});
+		if (possibleHandlers.length === 0) return;
+		const scoringPeer = targetPeer ?? RuntimeCoordinate.unknown;
+		let handlerScore = -1;
+		let handler;
+		for (const possibleHandler of possibleHandlers) {
+			if (possibleHandler.handlerType === "local") return possibleHandler;
+			if (possibleHandler.handlerType === "peer") {
+				const score = scoringPeer.similarityLevel(possibleHandler.peerClient);
+				if (score > handlerScore) {
+					handlerScore = score;
+					handler = possibleHandler;
+				}
+			}
+		}
+		return handler;
+	}
+	getHandlerForActionOrThrow(action, options) {
+		const handler = this._getHandlerForAction(action, options);
+		if (handler == null) throw err_nice_action.fromId("no_action_execution_handler", {
+			actionId: action.id,
+			domain: action.domain,
+			specifiedClient: options?.targetPeer
+		});
+		return handler;
+	}
+	/**
+	* Register one or more handlers. Each handler's own `actionRouter` defines
+	* which domains/actions it handles — those routing keys are mirrored into
+	* this runtime's router so the same action can be served by multiple handlers.
+	* Duplicate registrations (same handler cuid for the same key) are skipped.
+	*/
+	addHandlers(handlers) {
+		for (const handler of handlers) {
+			if (handler.handlerType === "peer") {
+				handler._setIncomingActionDataListener((json) => this.resolveIncomingActionPayload(json));
+				this._registeredPeerHandlers.push(handler);
+			}
+			const handlerRouter = handler.getActionRouter();
+			this.actionRouter.addDomainsFromOther(handlerRouter);
+			if (this._applied) this.apply();
+			for (const key of handlerRouter.getRegisteredKeys()) if (!this.actionRouter.getForKey(key).some((h) => h.cuid === handler.cuid)) this.actionRouter.addForKey(key, handler);
+		}
+		return this;
+	}
+	/**
+	* @internal Low-level primitive — the public way to open a connection is `connectChannel`, which
+	* derives routing from a channel and binds the crypto identity for you. This stays as the raw building
+	* block it sits on (it restates domain lists by hand) and is not part of the supported surface.
+	*
+	* Declare an external "backend client" in one call: build an
+	* {@link ConnectorHandler} for `externalCoordinate` carrying the given
+	* `transports`, route the listed `domains`/`actions` to it, register it (plus any
+	* `localHandlers` — e.g. server→client push handlers that share the same channel)
+	* on this runtime, and `apply()`. Returns the external handler so the caller can
+	* later `clearTransportCache()` it.
+	*/
+	connectTo(externalCoordinate, options) {
+		const handler = new ConnectorHandler({
+			runtimeCoordinate: externalCoordinate,
+			transports: options.transports,
+			defaultTimeout: options.defaultTimeout
+		});
+		for (const domain of options.domains ?? []) handler.forDomain(domain);
+		for (const action of options.actions ?? []) handler.forAction(action);
+		this.addHandlers([handler, ...options.localHandlers ?? []]);
+		this.apply();
+		return handler;
+	}
+	applyRuntimeForDomain(domain) {
+		const rootDomain = domain.rootDomain;
+		if (!rootDomain._hasRuntime(this)) rootDomain._registerRuntime(this);
+	}
+	/**
+	* Register this runtime with all root domains covered by its currently-added handlers,
+	* making it eligible to execute actions dispatched from those domains.
+	* After apply() is called, any subsequent addHandlers() calls also auto-register.
+	*/
+	apply() {
+		this._applied = true;
+		for (const domain of this.actionRouter.getDomains()) this.applyRuntimeForDomain(domain);
+		return this;
+	}
+	/**
+	* Find the best registered external handler that can reach `originClient` directly.
+	* Used to locate the return-path channel for dispatching results back to the action origin.
+	* Returns `undefined` if no handler matches (score > 0 required, i.e. at least id must match).
+	*
+	* A handler that currently holds the origin's *live* connection always wins over a mere coordinate
+	* match — so with several duplex acceptors (e.g. WS + WebRTC) a result/push routes back over the carrier
+	* the client actually connected on, never a same-coordinate sibling that lacks the socket. Only when no
+	* handler owns a live connection do we fall back to the plain best-coordinate-score pick (the
+	* single-acceptor and connector-only cases, unchanged).
+	*/
+	getReturnHandlerForOrigin(originClient) {
+		if (originClient.envId === "_unset_") return void 0;
+		let bestScore = -1;
+		let bestHandler;
+		let bestOwnedScore = -1;
+		let bestOwnedHandler;
+		for (const handler of this._registeredPeerHandlers) {
+			if (!handler.canPush) continue;
+			const score = originClient.similarityLevel(handler.peerClient);
+			if (score > bestScore) {
+				bestScore = score;
+				bestHandler = handler;
+			}
+			if (score > bestOwnedScore && handler.ownsLiveConnectionFor(originClient)) {
+				bestOwnedScore = score;
+				bestOwnedHandler = handler;
+			}
+		}
+		if (bestOwnedHandler != null && bestOwnedScore > 0) return bestOwnedHandler;
+		return bestScore > 0 ? bestHandler : void 0;
+	}
+	resetRuntime() {
+		for (const ra of this._pendingRunningActions.values()) ra._abort(err_nice_action.fromId("runtime_reset"));
+		for (const handler of this._registeredPeerHandlers) handler.clearTransportCache();
+	}
+	_trySetupReturnDispatch(runningAction) {
+		if (runningAction.context.schema.responseMode === "none") return;
+		const originClient = runningAction.context.originClient;
+		if (originClient.envId === "_unset_" || originClient.isSameFor(this._coordinate).id) return;
+		runningAction.addUpdateListeners([(update) => {
+			if (update.type === "finished" && update.finishType === "success") this.getReturnHandlerForOrigin(originClient)?.sendReturnPayload(update.response, { targetLocalRuntime: this }).catch(() => {});
+		}]);
+	}
+};
+const runtimeState = {
+	defaultLocalRuntime: void 0,
+	assumedRuntimeInfo: void 0
+};
+function getDefaultActionRuntime() {
+	if (runtimeState.assumedRuntimeInfo == null) runtimeState.assumedRuntimeInfo = getAssumedRuntimeInfo();
+	if (runtimeState.defaultLocalRuntime == null) runtimeState.defaultLocalRuntime = new ActionRuntime(RuntimeCoordinate.unknown.specify({ perId: `${runtimeState.assumedRuntimeInfo?.runtimeName ?? "unknown"}-runtime` }));
+	return runtimeState.defaultLocalRuntime;
+}
+//#endregion
+//#region src/ActionRuntime/Handler/Local/ActionLocalHandler.ts
+var ActionLocalHandler = class extends ActionHandler {
+	handlerType = "local";
+	actionRouter = new ActionRouter({
+		contextType: "handler_route",
+		handler: this
+	});
+	constructor() {
+		super();
+	}
+	/**
+	* Register a handler for all actions in a domain.
+	* Receives the full primed action — use `matchAction()` to narrow to a specific action id.
+	* Useful for forwarding all domain actions to a remote endpoint.
+	* Lower priority than `forAction`.
+	*/
+	forDomain(domain, handler) {
+		this.actionRouter.forDomain(domain, handler);
+		return this;
+	}
+	/**
+	* Register a handler for a base action instance. Takes priority over domain-wide handlers.
+	* Receives the full primed action with narrowed input type.
+	* Useful for handling specific actions locally while forwarding the rest of the domain. For example, a local "ping" action that checks connectivity without needing a round trip.
+	*/
+	forAction(action, handler) {
+		this.actionRouter.forAction(action, handler);
+		return this;
+	}
+	/**
+	* Register a handler for multiple action IDs (first-match-wins among cases).
+	* Receives the full primed action narrowed to the union of those IDs.
+	* Use `act.coreAction.id` to branch on which action was dispatched.
+	*/
+	forActionIds(domain, ids, handler) {
+		this.actionRouter.forActionIds(domain, ids, handler);
+		return this;
+	}
+	/**
+	* Register per-action handlers for a domain using a single map, without needing
+	* separate `forAction` calls. Unregistered action IDs are unaffected.
+	*
+	* @example
+	* ```ts
+	* handler.forDomainActionCases(userDomain, {
+	*   getUser:    (primed) => db.getUser(primed.input.userId),
+	*   deleteUser: (primed) => db.deleteUser(primed.input.userId),
+	* });
+	* ```
+	*/
+	forDomainActionCases(domain, cases) {
+		this.actionRouter.forDomainActionCases(domain, cases);
+		return this;
+	}
+	async handleActionRequest(action, config) {
+		const targetLocalRuntime = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
+		const handler = this.actionRouter.getRouteDataForActionOrThrow(action, { targetLocalRuntime });
+		action.context.addRouteItem({
+			runtime: targetLocalRuntime.coordinate,
+			handler: this.toHandlerRouteItem(),
+			time: Date.now()
+		});
+		const runningAction = new RunningAction({
+			context: action.context,
+			request: action,
+			parentCuid: peekHandlerCuid(),
+			callSite: action._callSite ?? (/* @__PURE__ */ new Error()).stack
+		});
+		this._handleRunningAction(handler, runningAction).catch((err) => {
+			if (err instanceof NiceError) runningAction._completeWithResult(action.errorResult(err));
+			else if (isNiceErrorObject(err)) runningAction._completeWithResult(action.errorResult(castNiceError(err)));
+			else runningAction._abort(err);
+		});
+		return runningAction;
+	}
+	async _handleRunningAction(handler, runningAction) {
+		const state = runningAction.state;
+		if (state.result != null) return;
+		await Promise.resolve();
+		pushHandlerCuid(runningAction.cuid);
+		try {
+			const rawResult = await handler(state.request);
+			let result;
+			if (rawResult instanceof ActionPayload_Result) result = rawResult;
+			else if (rawResult != null && isActionPayload_Result_JsonObject(rawResult)) result = this.actionRouter.domainManager.getActionDomainOrThrow(state.request).hydrateResultPayload(rawResult);
+			else result = state.request.successResult(rawResult);
+			runningAction._completeWithResult(result);
+		} finally {
+			popHandlerCuid();
+		}
+	}
+	async handlePayloadWireOrThrow(wire, config) {
+		const hydratedAction = this.actionRouter.domainManager.hydrateActionPayload(wire);
+		if (!(hydratedAction instanceof ActionPayload_Request)) throw err_nice_action.fromId("wire_action_not_payload", {
+			domain: hydratedAction.domain,
+			actionId: hydratedAction.id,
+			actionState: hydratedAction.type ?? hydratedAction.form
+		});
+		return await this.handleActionRequest(hydratedAction, config);
+	}
+	toJsonObject() {
+		return { type: this.handlerType };
+	}
+	toHandlerRouteItem() {
+		return { type: this.handlerType };
+	}
+};
+const createLocalHandler = () => {
+	return new ActionLocalHandler();
+};
+//#endregion
+//#region src/ActionRuntime/Transport/crypto/actionHandshake.ts
+/**
+* Authenticated handshake for the WebSocket channel. Run once per connection, before any action
+* frames flow, it:
+* - exchanges each side's {@link RuntimeCoordinate} + public keys,
+* - checks both ends share the same wire dictionary version (closes the positional-dictionary footgun),
+* - has the client prove control of its verify (Ed25519) key by signing a fresh challenge that binds
+*   both nonces, both identities, the dictionary version, the level, and every exchanged public key,
+* - establishes a `ClientCryptoKeyLink` link on both sides (so the server can verify the signature and,
+*   for the `encrypted` level, both can derive a shared AES-GCM key with the verify keys folded in).
+*
+* This module is transport-agnostic: it produces/consumes message objects. The transport + server
+* handler drive the I/O and the connection phase (Step 4). Keep `none`-level connections from ever
+* reaching here — they skip the handshake entirely.
+*/
+const HANDSHAKE_PROTOCOL = "nice-ws-hs/1";
+/** How much the channel protects after the handshake — chosen by the consumer (perf vs security). */
+let ESecurityLevel = /* @__PURE__ */ function(ESecurityLevel) {
+	/** No handshake; identity is self-asserted (fastest, dev / trusted networks). */
+	ESecurityLevel["none"] = "none";
+	/** Handshake authenticates identity (sign/verify + key pin); frames stay plaintext over TLS. */
+	ESecurityLevel["authenticated"] = "authenticated";
+	/** Authenticated handshake + every frame AES-GCM encrypted with the derived shared key. */
+	ESecurityLevel["encrypted"] = "encrypted";
+	return ESecurityLevel;
+}({});
+let EHandshakeMessageType = /* @__PURE__ */ function(EHandshakeMessageType) {
+	EHandshakeMessageType["hello"] = "hello";
+	EHandshakeMessageType["welcome"] = "welcome";
+	EHandshakeMessageType["prove"] = "prove";
+	EHandshakeMessageType["accept"] = "accept";
+	EHandshakeMessageType["reject"] = "reject";
+	return EHandshakeMessageType;
+}({});
+const vEd25519Raw = v.custom((val) => typeof val === "string" && val.startsWith("ed25519::raw_base64::"));
+const vX25519Raw = v.custom((val) => typeof val === "string" && val.startsWith("x25519::raw_base64::"));
+const vCoordinate = v.object({
+	envId: v.string(),
+	perId: v.optional(v.string()),
+	insId: v.optional(v.string())
+});
+const vSecurityLevel = v.picklist([
+	"none",
+	"authenticated",
+	"encrypted"
+]);
+const vHsHello = v.object({
+	t: v.literal("hello"),
+	protocol: v.string(),
+	securityLevel: vSecurityLevel,
+	dictionaryVersion: v.string(),
+	client: vCoordinate,
+	clientNonce: v.string(),
+	verifyPublicKey: vEd25519Raw,
+	exchangePublicKey: v.optional(vX25519Raw)
+});
+const vHsWelcome = v.object({
+	t: v.literal("welcome"),
+	securityLevel: vSecurityLevel,
+	dictionaryVersion: v.string(),
+	server: vCoordinate,
+	serverNonce: v.string(),
+	verifyPublicKey: vEd25519Raw,
+	exchangePublicKey: v.optional(vX25519Raw)
+});
+const vHsProve = v.object({
+	t: v.literal("prove"),
+	signatureBase64: v.string()
+});
+const vHsAccept = v.object({
+	t: v.literal("accept"),
+	signatureBase64: v.optional(v.string())
+});
+const vHsReject = v.object({
+	t: v.literal("reject"),
+	reason: v.string()
+});
+const vHandshakeMessage = v.variant("t", [
+	vHsHello,
+	vHsWelcome,
+	vHsProve,
+	vHsAccept,
+	vHsReject
+]);
+/** Serialize a handshake message for the wire (handshake frames are JSON — they aren't the hot path). */
+function encodeHandshakeMessage(message) {
+	return JSON.stringify(message);
+}
+/** Parse + structurally validate an incoming handshake frame; `undefined` if it isn't one. */
+function decodeHandshakeMessage(raw) {
+	let parsed;
+	try {
+		parsed = JSON.parse(raw);
+	} catch {
+		return;
+	}
+	const result = v.safeParse(vHandshakeMessage, parsed);
+	return result.success ? result.output : void 0;
+}
+/** Stable link id for a runtime coordinate — the key both the crypto link and the connection use. */
+function runtimeLinkId(coordinate) {
+	return `runtime::${new RuntimeCoordinate(coordinate).stringId}`;
+}
+function coordId(coordinate) {
+	return new RuntimeCoordinate(coordinate).stringId;
+}
+function sessionSalt(clientNonce, serverNonce) {
+	return `${clientNonce}::${serverNonce}`;
+}
+function handshakeInfo(dictionaryVersion) {
+	return `${HANDSHAKE_PROTOCOL}::${dictionaryVersion}`;
+}
+/**
+* The exact string both sides sign/verify. JSON-encoded ordered array so field boundaries are
+* unambiguous; binds identities, nonces (freshness), version, level, and all exchanged public keys
+* (authenticating the keys via the signature, complementing `bindVerifyKeysIntoDerivation`).
+*/
+function buildHandshakeChallenge(parts) {
+	return JSON.stringify([
+		HANDSHAKE_PROTOCOL,
+		parts.securityLevel,
+		parts.dictionaryVersion,
+		parts.clientCoordId,
+		parts.serverCoordId,
+		parts.clientNonce,
+		parts.serverNonce,
+		parts.clientVerifyKey,
+		parts.serverVerifyKey,
+		parts.clientExchangeKey ?? "_",
+		parts.serverExchangeKey ?? "_"
+	]);
+}
+function reject(reason) {
+	return {
+		t: "reject",
+		reason
+	};
+}
+function tofuPinKey(client) {
+	return `${client.envId}::${client.perId ?? client.insId ?? "_"}`;
+}
+/**
+* In-memory trust-on-first-use resolver: trusts (and pins) the first verify key seen for a client
+* identity, then rejects a different key for that identity. The default; replace with a storage-backed
+* resolver for cross-restart pinning (see Step 5).
+*/
+function createInMemoryTofuVerifyKeyResolver() {
+	const pinned = /* @__PURE__ */ new Map();
+	return { async resolve({ client, verifyPublicKey }) {
+		const key = tofuPinKey(client);
+		const existing = pinned.get(key);
+		if (existing == null) {
+			pinned.set(key, verifyPublicKey);
+			return { trusted: true };
+		}
+		if (existing === verifyPublicKey) return { trusted: true };
+		return {
+			trusted: false,
+			reason: "verify key changed for client identity (pin mismatch)"
+		};
+	} };
+}
+/**
+* Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
+* (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
+* + pin the first verify key per client identity, reject a different one thereafter.
+*/
+function createStorageTofuVerifyKeyResolver(storageAdapter) {
+	const storage = createTypedStorage({ storageAdapter });
+	return { async resolve({ client, verifyPublicKey }) {
+		const key = tofuPinKey(client);
+		const existing = (await storage.getJson("pins"))?.[key];
+		if (existing == null) {
+			await storage.updateJsonWithDef("pins", {}, (current) => ({
+				...current,
+				[key]: verifyPublicKey
+			}));
+			return { trusted: true };
+		}
+		if (existing === verifyPublicKey) return { trusted: true };
+		return {
+			trusted: false,
+			reason: "verify key changed for client identity (pin mismatch)"
+		};
+	} };
+}
+function createClientHandshake(config) {
+	const { link, localCoordinate, dictionaryVersion, securityLevel } = config;
+	const wantsEncryption = securityLevel === "encrypted";
+	const clientNonce = nanoid();
+	let pending;
+	return {
+		async createHello() {
+			return {
+				t: "hello",
+				protocol: HANDSHAKE_PROTOCOL,
+				securityLevel,
+				dictionaryVersion,
+				client: localCoordinate,
+				clientNonce,
+				verifyPublicKey: await link.getLocalVerifyPublicKey(),
+				exchangePublicKey: wantsEncryption ? await link.getLocalExchangePublicKey() : void 0
+			};
+		},
+		async onWelcome(welcome) {
+			if (welcome.dictionaryVersion !== dictionaryVersion) throw new Error("[ws-handshake] server dictionary version mismatch");
+			if (welcome.securityLevel !== securityLevel) throw new Error("[ws-handshake] server security level mismatch");
+			if (wantsEncryption && welcome.exchangePublicKey == null) throw new Error("[ws-handshake] server did not provide an exchange key for encryption");
+			const linkedServerId = runtimeLinkId(welcome.server);
+			await link.linkClient({
+				linkedClientId: linkedServerId,
+				verifyPublicKey: welcome.verifyPublicKey,
+				...wantsEncryption ? {
+					exchangePublicKey: welcome.exchangePublicKey,
+					saltString: sessionSalt(clientNonce, welcome.serverNonce),
+					infoString: handshakeInfo(dictionaryVersion),
+					bindVerifyKeysIntoDerivation: true
+				} : {}
+			});
+			const challenge = buildHandshakeChallenge({
+				securityLevel,
+				dictionaryVersion,
+				clientCoordId: coordId(localCoordinate),
+				serverCoordId: coordId(welcome.server),
+				clientNonce,
+				serverNonce: welcome.serverNonce,
+				clientVerifyKey: await link.getLocalVerifyPublicKey(),
+				serverVerifyKey: welcome.verifyPublicKey,
+				clientExchangeKey: wantsEncryption ? await link.getLocalExchangePublicKey() : void 0,
+				serverExchangeKey: welcome.exchangePublicKey
+			});
+			pending = {
+				linkedServerId,
+				server: welcome.server,
+				challenge
+			};
+			return {
+				t: "prove",
+				signatureBase64: (await link.signChallenge([challenge])).signatureBase64
+			};
+		},
+		async onAccept(accept) {
+			if (pending == null) throw new Error("[ws-handshake] accept before welcome");
+			if (accept.signatureBase64 != null) {
+				if (!await link.verifyChallengeFromLinkedClient({
+					linkedClientId: pending.linkedServerId,
+					challenge: pending.challenge,
+					signatureBase64: accept.signatureBase64
+				})) throw new Error("[ws-handshake] server signature invalid");
+			}
+			return {
+				linkedClientId: pending.linkedServerId,
+				remote: pending.server,
+				securityLevel
+			};
+		}
+	};
+}
+function createServerHandshake(config) {
+	const { link, localCoordinate, dictionaryVersion } = config;
+	const allowedLevels = Array.isArray(config.securityLevel) ? config.securityLevel : [config.securityLevel];
+	const verifyKeyResolver = config.verifyKeyResolver ?? createInMemoryTofuVerifyKeyResolver();
+	const serverNonce = nanoid();
+	let pending;
+	let result;
+	return {
+		async onHello(hello) {
+			if (hello.protocol !== HANDSHAKE_PROTOCOL) return reject("unsupported handshake protocol");
+			if (hello.dictionaryVersion !== dictionaryVersion) return reject("dictionary version mismatch");
+			const negotiatedLevel = hello.securityLevel;
+			if (negotiatedLevel === "none" || !allowedLevels.includes(negotiatedLevel)) return reject("security level not allowed");
+			const wantsEncryption = negotiatedLevel === "encrypted";
+			if (wantsEncryption && hello.exchangePublicKey == null) return reject("missing exchange key for encryption");
+			const linkedClientId = runtimeLinkId(hello.client);
+			await link.linkClient({
+				linkedClientId,
+				verifyPublicKey: hello.verifyPublicKey,
+				...wantsEncryption ? {
+					exchangePublicKey: hello.exchangePublicKey,
+					saltString: sessionSalt(hello.clientNonce, serverNonce),
+					infoString: handshakeInfo(dictionaryVersion),
+					bindVerifyKeysIntoDerivation: true
+				} : {}
+			});
+			const serverVerifyKey = await link.getLocalVerifyPublicKey();
+			const serverExchangeKey = wantsEncryption ? await link.getLocalExchangePublicKey() : void 0;
+			const keyMaterial = wantsEncryption && hello.exchangePublicKey != null ? {
+				verifyPublicKey: hello.verifyPublicKey,
+				exchangePublicKey: hello.exchangePublicKey,
+				saltString: sessionSalt(hello.clientNonce, serverNonce),
+				infoString: handshakeInfo(dictionaryVersion),
+				bindVerifyKeysIntoDerivation: true
+			} : void 0;
+			pending = {
+				client: hello.client,
+				linkedClientId,
+				clientVerifyKey: hello.verifyPublicKey,
+				negotiatedLevel,
+				keyMaterial,
+				challenge: buildHandshakeChallenge({
+					securityLevel: negotiatedLevel,
+					dictionaryVersion,
+					clientCoordId: coordId(hello.client),
+					serverCoordId: coordId(localCoordinate),
+					clientNonce: hello.clientNonce,
+					serverNonce,
+					clientVerifyKey: hello.verifyPublicKey,
+					serverVerifyKey,
+					clientExchangeKey: hello.exchangePublicKey,
+					serverExchangeKey
+				})
+			};
+			return {
+				t: "welcome",
+				securityLevel: negotiatedLevel,
+				dictionaryVersion,
+				server: localCoordinate,
+				serverNonce,
+				verifyPublicKey: serverVerifyKey,
+				exchangePublicKey: serverExchangeKey
+			};
+		},
+		async onProve(prove) {
+			if (pending == null) return reject("prove before hello");
+			if (!await link.verifyChallengeFromLinkedClient({
+				linkedClientId: pending.linkedClientId,
+				challenge: pending.challenge,
+				signatureBase64: prove.signatureBase64
+			})) return reject("invalid client signature");
+			const trust = await verifyKeyResolver.resolve({
+				client: pending.client,
+				verifyPublicKey: pending.clientVerifyKey
+			});
+			if (!trust.trusted) return reject(trust.reason ?? "client verify key not trusted");
+			result = {
+				linkedClientId: pending.linkedClientId,
+				remote: pending.client,
+				securityLevel: pending.negotiatedLevel,
+				encryptionKeyMaterial: pending.keyMaterial
+			};
+			return {
+				t: "accept",
+				signatureBase64: (await link.signChallenge([pending.challenge])).signatureBase64
+			};
+		},
+		/** The completed handshake result once `onProve` has accepted, else `undefined`. */
+		getResult() {
+			return result;
+		}
+	};
+}
+//#endregion
+//#region src/utils/decodeActionFrame.ts
+/**
+* Decode a single inbound channel frame (text or binary) into validated action wire JSON, or
+* `undefined` if it isn't a recognisable action payload.
+*
+* Shared by the WebSocket transport's message listener and the server-side `AcceptorHandler` so
+* both decode identically: a binary `decoder.incoming` (e.g. msgpackr) takes precedence, and plain
+* text frames fall back to JSON — keeping binary and JSON clients interoperable on one channel.
+*/
+function decodeActionFrame(frame, decoder) {
+	const decoded = decoder?.incoming?.(frame) ?? (typeof frame === "string" ? parseJsonActionFrame(frame) : void 0);
+	return decoded != null && isActionPayload_Any_JsonObject(decoded) ? decoded : void 0;
+}
+function parseJsonActionFrame(message) {
+	try {
+		const json = JSON.parse(message);
+		return isActionPayload_Any_JsonObject(json) ? json : void 0;
+	} catch {
+		return;
+	}
+}
+//#endregion
+//#region src/ActionRuntime/Transport/crypto/actionFrameCrypto.ts
+const ENCRYPTED_ENVELOPE_LENGTH = 2;
+/**
+* Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
+* level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+*/
+function createActionFrameCrypto({ link, linkedClientId }) {
+	return {
+		async encryptFrame(frame) {
+			const { nonce, ciphertext } = await link.encryptBytesForLinkedClient({
+				linkedClientId,
+				dataToEncrypt: frame
+			});
+			return pack([nonce, ciphertext]);
+		},
+		async decryptFrame(frame) {
+			if (typeof frame === "string") throw new Error("[ws-crypto] expected an encrypted binary frame, received text");
+			const envelope = unpack(frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame);
+			if (!Array.isArray(envelope) || envelope.length !== ENCRYPTED_ENVELOPE_LENGTH) throw new Error("[ws-crypto] malformed encrypted frame envelope");
+			const [nonce, ciphertext] = envelope;
+			if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) throw new Error("[ws-crypto] malformed encrypted frame fields");
+			return await link.decryptBytesFromLinkedClient({
+				linkedClientId,
+				dataToDecrypt: {
+					nonce,
+					ciphertext
+				}
+			});
+		}
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/crypto/frameBytes.ts
+/** Normalize any frame form to bytes (for the AES-GCM layer, which works on `Uint8Array`). */
+function toFrameBytes(frame) {
+	if (typeof frame === "string") return new TextEncoder().encode(frame);
+	if (frame instanceof ArrayBuffer) return new Uint8Array(frame);
+	return frame;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/frameCryptoPipe.ts
+function createFrameCryptoPipe(config) {
+	const { write, isOpen, crypto, label = "link" } = config;
+	let sendChain = Promise.resolve();
+	const send = (frame) => {
+		if (isOpen != null && !isOpen()) return;
+		if (crypto == null) {
+			write(frame);
+			return;
+		}
+		const bytes = toFrameBytes(frame);
+		sendChain = sendChain.then(() => crypto).then((c) => c.encryptFrame(bytes)).then((encrypted) => {
+			if (isOpen == null || isOpen()) write(encrypted);
+		}).catch((err) => console.error(`[${label}] failed to encrypt/send frame`, err));
+	};
+	const decryptIncoming = async (frame) => {
+		if (crypto == null) return frame;
+		try {
+			return await (await crypto).decryptFrame(frame);
+		} catch (err) {
+			console.error(`[${label}] failed to decrypt incoming frame`, err);
+			return;
+		}
+	};
+	return {
+		send,
+		decryptIncoming
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/acceptorSecureSession.ts
+/**
+* The acceptor (accept-in) counterpart to the connector's `establishLinkSession`: one connection's
+* secure session — the server-side handshake driving, the ordered frame crypto, and the per-connection
+* phase (undecided → plain | authenticated). The crypto itself (ordered encrypt-send / decrypt) lives in
+* the shared {@link createFrameCryptoPipe}, the same primitive the connector uses — so the secure logic
+* lives once for both link roles.
+*
+* The handler owns one of these per accepted connection and feeds it inbound frames via {@link receive};
+* identity binding, persistence, codec, and return routing stay in the handler (driven through the
+* config callbacks). Inbound processing is serialized per connection because the handshake and decryption
+* are async — this keeps handshake ordering and frame order intact.
+*/
+var AcceptorSecureSession = class {
+	config;
+	_handshake;
+	/** The ordered encrypt-send / decrypt pipe — present only for an `encrypted` connection. */
+	_pipe;
+	_authed = false;
+	_plain = false;
+	/** Serializes inbound processing (handshake + decryption are async). */
+	_inboundChain = Promise.resolve();
+	constructor(config) {
+		this.config = config;
+	}
+	/** Feed one inbound frame. Serialized per connection; routes back through the config callbacks. */
+	receive(frame) {
+		this._inboundChain = this._inboundChain.then(() => this._receive(frame)).catch((err) => console.error("[ws-server] failed to process inbound frame", err));
+	}
+	async _receive(frame) {
+		if (this._plain) {
+			this.config.routePlain(frame);
+			return;
+		}
+		if (!this._authed) {
+			const message = typeof frame === "string" ? decodeHandshakeMessage(frame) : void 0;
+			if (message == null) {
+				if (this.config.noneAllowed) {
+					this._plain = true;
+					this.config.routePlain(frame);
+				}
+				return;
+			}
+			await this.config.link.initialize();
+			if (this._handshake == null) this._handshake = createServerHandshake({
+				link: this.config.link,
+				localCoordinate: this.config.localCoordinate,
+				dictionaryVersion: this.config.dictionaryVersion,
+				securityLevel: this.config.securityLevel,
+				verifyKeyResolver: this.config.verifyKeyResolver
+			});
+			if (message.t === "hello") this.config.send(encodeHandshakeMessage(await this._handshake.onHello(message)));
+			else if (message.t === "prove") {
+				const reply = await this._handshake.onProve(message);
+				this.config.send(encodeHandshakeMessage(reply));
+				const result = this._handshake.getResult();
+				if (reply.t === "accept" && result != null) this._complete(result);
+			}
+			return;
+		}
+		const bytes = this._pipe != null ? await this._pipe.decryptIncoming(frame) : frame;
+		if (bytes === void 0) return;
+		this.config.routeAction(bytes);
+	}
+	_complete(result) {
+		this._authed = true;
+		this._handshake = void 0;
+		if (result.securityLevel === "encrypted") this._pipe = this._buildPipe(createActionFrameCrypto({
+			link: this.config.link,
+			linkedClientId: result.linkedClientId
+		}));
+		this.config.onAuthenticated({
+			client: new RuntimeCoordinate(result.remote),
+			securityLevel: result.securityLevel,
+			linkedClientId: result.linkedClientId,
+			keyMaterial: result.encryptionKeyMaterial
+		});
+	}
+	/**
+	* Restore an already-authenticated session after eviction — no handshake. For an `encrypted`
+	* connection the shared key is re-derived asynchronously (the acceptor re-links the client off its own
+	* persisted identity); the pipe's crypto IS that promise, so the connection's first in/out frame
+	* naturally waits for the key before encrypt/decrypt — no separate gate.
+	*/
+	rehydrate(state) {
+		this._authed = true;
+		if (state.securityLevel !== "encrypted" || state.keyMaterial == null) return;
+		const { link } = this.config;
+		const { linkedClientId, keyMaterial } = state;
+		const cryptoReady = link.initialize().then(() => link.linkClient({
+			linkedClientId,
+			verifyPublicKey: keyMaterial.verifyPublicKey,
+			exchangePublicKey: keyMaterial.exchangePublicKey,
+			saltString: keyMaterial.saltString,
+			infoString: keyMaterial.infoString,
+			bindVerifyKeysIntoDerivation: keyMaterial.bindVerifyKeysIntoDerivation
+		})).then(() => createActionFrameCrypto({
+			link,
+			linkedClientId
+		}));
+		cryptoReady.catch((err) => console.error("[ws-server] failed to restore encrypted session", err));
+		this._pipe = this._buildPipe(cryptoReady);
+	}
+	/** Send an outbound frame: through the encrypt pipe when encrypted, otherwise raw. */
+	send(frame) {
+		if (this._pipe != null) {
+			this._pipe.send(frame);
+			return;
+		}
+		this.config.send(frame);
+	}
+	_buildPipe(crypto) {
+		return createFrameCryptoPipe({
+			write: this.config.send,
+			crypto,
+			label: "ws-server"
+		});
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/AcceptorHandler.ts
+/**
+* Server-side handler for backends that accept many client connections over a single open channel
+* (WebSockets, Durable Objects, …). It is transport-agnostic: you feed it inbound frames with
+* {@link receive} and tell it how to write outbound frames via the `send` option.
+*
+* Add it alongside your local execution handler:
+* ```ts
+* const serverHandler = createAcceptorHandler({ clientEnv, formatMessage, send: (ws, f) => ws.send(f) });
+* runtime.addHandlers([localHandler, serverHandler]);
+* // per inbound message (e.g. a Durable Object's webSocketMessage):
+* serverHandler.receive(ws, message);
+* ```
+*
+* Inbound requests route to your local handler; the runtime's return dispatch then calls this
+* handler back (it is an external handler keyed to `clientEnv`) to send the result to the originating
+* connection. The handler keeps a per-connection identity registry so each result lands on the right
+* socket, and remembers each connection's encoding so binary and JSON clients can share the channel.
+*
+* It registers an empty action router, so it is never chosen to *execute* an inbound request — only
+* to ferry results/pushes back out.
+*/
+var AcceptorHandler = class extends PeerLinkHandler {
+	/** Accept-in over a live (duplex) connection registry — it pushes results/broadcasts to bound sockets. */
+	canPush = true;
+	_formatMessage;
+	_createFormatMessage;
+	_send;
+	_runtime;
+	_serverTimeout;
+	_onConnectionBound;
+	_security;
+	/** Normalized accepted levels; whether `none` (plain) is allowed; whether any level needs a handshake. */
+	_allowedLevels;
+	_noneAllowed;
+	_handshakeMode;
+	_connByClient = /* @__PURE__ */ new Map();
+	_clientByConn = /* @__PURE__ */ new Map();
+	_connEncoding = /* @__PURE__ */ new Map();
+	_codecByConn = /* @__PURE__ */ new Map();
+	_sessionByConn = /* @__PURE__ */ new Map();
+	constructor(options) {
+		super(options.clientEnv);
+		this._formatMessage = options.formatMessage;
+		this._createFormatMessage = options.createFormatMessage;
+		this._send = options.send;
+		this._runtime = options.runtime;
+		this._serverTimeout = options.defaultTimeout ?? 1e4;
+		this._onConnectionBound = options.onConnectionBound;
+		this._security = options.security;
+		this._allowedLevels = options.security == null ? [] : Array.isArray(options.security.securityLevel) ? options.security.securityLevel : [options.security.securityLevel];
+		this._noneAllowed = this._allowedLevels.includes("none");
+		this._handshakeMode = this._allowedLevels.some((level) => level !== "none");
+	}
+	/**
+	* The codec for a connection: a per-connection session (cached) when a factory was provided, else
+	* the single shared `formatMessage`.
+	*/
+	_codecFor(connection) {
+		if (this._createFormatMessage != null) {
+			let codec = this._codecByConn.get(connection);
+			if (codec == null) {
+				codec = this._createFormatMessage();
+				this._codecByConn.set(connection, codec);
+			}
+			return codec;
+		}
+		if (this._formatMessage != null) return this._formatMessage;
+		throw err_nice_transport.fromId("not_found", { actionId: "server-handler-codec (provide formatMessage or createFormatMessage)" });
+	}
+	/**
+	* Register (or replace) the connection-bound persistence callback after construction. Used by
+	* lifecycle helpers like {@link createHibernatableWsServerAdapter} so persistence and replay are
+	* owned by one place instead of being split across the constructor options.
+	*/
+	setOnConnectionBound(onConnectionBound) {
+		this._onConnectionBound = onConnectionBound;
+	}
+	/**
+	* Feed one inbound frame from a connection into the runtime. Decodes text or binary, binds the
+	* connection to the requesting client's identity, then routes it (requests execute locally;
+	* results/progress resolve pending server-initiated actions).
+	*/
+	receive(connection, frame) {
+		const security = this._security;
+		if (security == null || !this._handshakeMode) {
+			this._receivePlain(connection, frame);
+			return;
+		}
+		this._sessionFor(connection, security).receive(frame);
+	}
+	_receivePlain(connection, frame) {
+		const wire = decodeActionFrame(frame, this._codecFor(connection));
+		if (wire == null) return;
+		const encoding = typeof frame === "string" ? "json" : "binary";
+		this._connEncoding.set(connection, encoding);
+		if (wire.type === "request") this._resolveRequestIdentity(connection, wire, encoding);
+		this._emitIncoming(wire);
+	}
+	/**
+	* The secure session for a connection (built lazily on its first secure-mode frame), with the
+	* handler-owned effects — raw send, identity binding + persistence, and inbound routing — wired in as
+	* callbacks. The session owns all crypto/handshake/chain state; the handler keeps only the registry.
+	*/
+	_sessionFor(connection, security) {
+		let session = this._sessionByConn.get(connection);
+		if (session == null) {
+			session = new AcceptorSecureSession({
+				link: security.link,
+				localCoordinate: security.localCoordinate,
+				dictionaryVersion: security.dictionaryVersion,
+				securityLevel: security.securityLevel,
+				verifyKeyResolver: security.verifyKeyResolver,
+				noneAllowed: this._noneAllowed,
+				send: (frame) => this._send(connection, frame),
+				onAuthenticated: (auth) => this._onConnectionAuthenticated(connection, auth),
+				routePlain: (frame) => this._receivePlain(connection, frame),
+				routeAction: (bytes) => this._routeAuthedActionBytes(connection, bytes)
+			});
+			this._sessionByConn.set(connection, session);
+		}
+		return session;
+	}
+	/** Bind + persist a connection's authenticated identity once its handshake completes. */
+	_onConnectionAuthenticated(connection, auth) {
+		this._bindConnection(connection, auth.client);
+		this._connEncoding.set(connection, "binary");
+		this._onConnectionBound?.(connection, {
+			client: auth.client.toJsonObject(),
+			encoding: "binary",
+			secure: {
+				securityLevel: auth.securityLevel,
+				linkedClientId: auth.linkedClientId,
+				keyMaterial: auth.keyMaterial
+			}
+		});
+	}
+	/** Decode a decrypted authenticated frame, inject the *authenticated* identity, and route it. */
+	_routeAuthedActionBytes(connection, bytes) {
+		const wire = decodeActionFrame(bytes, this._codecFor(connection));
+		if (wire == null) return;
+		if (wire.type === "request") {
+			const bound = this._clientByConn.get(connection);
+			if (bound != null) wire.context.originClient = bound.toJsonObject();
+		}
+		this._emitIncoming(wire);
+	}
+	/**
+	* Ensure an inbound request carries the client's identity and that this connection is bound to it,
+	* so its result can be routed back. A session codec omits `originClient` after the first request, so
+	* when it's missing we restore it from the (possibly rehydrated) binding instead. (Plain mode only;
+	* secure mode binds the authenticated coordinate at handshake time.)
+	*/
+	_resolveRequestIdentity(connection, wire, encoding) {
+		const wireOrigin = wire.context.originClient;
+		if (wireOrigin != null && wireOrigin.envId !== "_unset_") {
+			const clientCoord = new RuntimeCoordinate(wireOrigin);
+			const isNewBinding = this._clientByConn.get(connection)?.stringId !== clientCoord.stringId;
+			this._bindConnection(connection, clientCoord);
+			if (isNewBinding) this._onConnectionBound?.(connection, {
+				client: clientCoord.toJsonObject(),
+				encoding
+			});
+			return;
+		}
+		const bound = this._clientByConn.get(connection);
+		if (bound != null) wire.context.originClient = bound.toJsonObject();
+	}
+	/**
+	* Restore a connection→client binding without an inbound frame — for transports that resume after
+	* eviction. Pair it with the {@link IAcceptorHandlerOptions.onConnectionBound} hook: persist
+	* the binding there, then replay each live connection here when the channel comes back (e.g. a
+	* Durable Object iterating `ctx.getWebSockets()` as it wakes from hibernation).
+	*/
+	rehydrateConnection(connection, binding) {
+		this._bindConnection(connection, new RuntimeCoordinate(binding.client));
+		this._connEncoding.set(connection, binding.encoding);
+		const secure = binding.secure;
+		const security = this._security;
+		if (secure == null || security == null) return;
+		this._sessionFor(connection, security).rehydrate(secure);
+	}
+	toJsonObject() {
+		return {
+			type: this.handlerType,
+			client: this.peerClient
+		};
+	}
+	toHandlerRouteItem() {
+		return {
+			type: this.handlerType,
+			client: this.peerClient,
+			transShape: "duplex",
+			transOrd: 0
+		};
+	}
+	/** Forget a connection (call on socket close) so stale entries don't misroute later results. */
+	dropConnection(connection) {
+		const coord = this._clientByConn.get(connection);
+		if (coord != null && this._connByClient.get(coord.stringId) === connection) this._connByClient.delete(coord.stringId);
+		this._clientByConn.delete(connection);
+		this._connEncoding.delete(connection);
+		this._codecByConn.delete(connection);
+		this._sessionByConn.delete(connection);
+	}
+	/** Live connection for a client coordinate, if currently registered. */
+	getConnectionForClient(client) {
+		return this._connByClient.get(client.stringId);
+	}
+	/** This acceptor owns the origin's return path when it currently holds a live connection bound to it. */
+	ownsLiveConnectionFor(origin) {
+		return this._connByClient.has(origin.stringId);
+	}
+	/** Whether this acceptor currently tracks `connection` — used to pick the owning handler among several. */
+	hasConnection(connection) {
+		return this._clientByConn.has(connection);
+	}
+	/**
+	* Send (and optionally await) a server-initiated action to a specific connected client. Pass the
+	* connection token directly (e.g. the `ws`) or a client `RuntimeCoordinate` to look one up.
+	*/
+	pushToClient(runtime, target, request, options) {
+		const connection = this._resolveConnection(target);
+		return this._dispatch(runtime, connection, request, options?.timeout);
+	}
+	/**
+	* Build a local handler whose cases are connection-aware: each case receives the primed request and
+	* the originating client's live connection (resolved from `originClient`), so handlers don't repeat
+	* the `getConnectionForClient(action.context.originClient)` lookup. Cases may return raw output or
+	* nothing, just like {@link ActionLocalHandler.forDomainActionCases}. Add the returned handler to the
+	* runtime alongside this server handler:
+	* ```ts
+	* runtime.addHandlers([serverHandler.forConnectionDomainCases(domain, { … }), serverHandler]);
+	* ```
+	*/
+	forConnectionDomainCases(domain, cases) {
+		return this.forConnectionDomainCasesMulti([domain], cases, (connection) => connection);
+	}
+	/**
+	* Like {@link forConnectionDomainCases} but spanning several domains with one merged case map — used
+	* by channel-derived wiring (`acceptChannelConnections` / `serveChannel`) where the channel's
+	* `toAcceptor` domains are served together. Each domain takes only the cases whose ids it owns, so a
+	* single map can cover several domains and unrelated ids are ignored.
+	*
+	* `mapContext` turns the resolved connection into whatever the case's second argument should be: the
+	* raw connection for the low-level helper, or an enriched `IConnectionContext` for `serveChannel`. It's
+	* called once per inbound action, after the originating connection is resolved.
+	*/
+	forConnectionDomainCasesMulti(domains, cases, mapContext) {
+		const handler = new ActionLocalHandler();
+		for (const domain of domains) {
+			const ownedIds = new Set(Object.keys(domain.actionsMap()));
+			const wrapped = {};
+			for (const id in cases) {
+				if (!ownedIds.has(id)) continue;
+				const caseFn = cases[id];
+				if (caseFn == null) continue;
+				wrapped[id] = (request) => {
+					return caseFn(request, mapContext(this.getConnectionForClient(request.context.originClient), request));
+				};
+			}
+			handler.forDomainActionCases(domain, wrapped);
+		}
+		return handler;
+	}
+	/**
+	* Fan a server-initiated request out to every currently-bound connection. A fresh request is built
+	* per connection (each push mutates its own action context) and dispatched fire-and-forget. Pass
+	* `except` to skip the originating socket and `where` to filter by connection (e.g. read its
+	* attachment for a role). Iterating bound connections (rather than every accepted socket) skips
+	* sockets that are still mid-handshake and so can't yet receive a frame.
+	*/
+	broadcast(makeRequest, options) {
+		const runtime = options?.runtime ?? this._runtime;
+		if (runtime == null) throw err_nice_transport.fromId("not_found", { actionId: "server-handler-runtime (construct with `runtime` or pass `options.runtime`)" });
+		for (const connection of this._clientByConn.keys()) {
+			if (options?.except != null && connection === options.except) continue;
+			if (options?.where != null && !options.where(connection)) continue;
+			try {
+				this.pushToClient(runtime, connection, makeRequest(), { timeout: options?.timeout });
+			} catch (error) {
+				if (options?.onError != null) options.onError(error, connection);
+				else console.error("[ws-server] broadcast push failed", error);
+			}
+		}
+	}
+	async sendReturnPayload(payload, config) {
+		const connection = this._connByClient.get(payload.context.originClient.stringId);
+		if (connection == null) return false;
+		this._sendPayload(connection, payload, config.targetLocalRuntime.coordinate);
+		return true;
+	}
+	async handleActionRequest(action, config) {
+		const runtime = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
+		const connection = this._resolveSingleConnection();
+		return this._dispatch(runtime, connection, action, config?.timeout);
+	}
+	_dispatch(runtime, connection, action, timeout) {
+		const timeoutMs = timeout ?? this._serverTimeout;
+		action.context._setOriginClient(runtime.coordinate);
+		action.context.addRouteItem({
+			runtime: runtime.coordinate,
+			handler: this.toHandlerRouteItem(),
+			time: Date.now()
+		});
+		const runningAction = new RunningAction({
+			context: action.context,
+			request: action,
+			parentCuid: peekHandlerCuid(),
+			callSite: action._callSite
+		});
+		runtime.registerRunningAction(runningAction);
+		if (action.schema.responseMode === "none") {
+			try {
+				this._sendPayload(connection, action, runtime.coordinate);
+				runningAction._completeWithResult(action.successResult(void 0));
+			} catch (err) {
+				runningAction._abort(err);
+			}
+			return runningAction;
+		}
+		const timeoutId = setTimeout(() => {
+			runningAction._abort(err_nice_transport.fromId("timeout", { timeout: timeoutMs }));
+		}, timeoutMs);
+		runningAction.addUpdateListeners([(update) => {
+			if (update.type === "finished") clearTimeout(timeoutId);
+		}]);
+		try {
+			this._sendPayload(connection, action, runtime.coordinate);
+		} catch (err) {
+			runningAction._abort(err);
+		}
+		return runningAction;
+	}
+	_sendPayload(connection, payload, localClient) {
+		const frame = (this._connEncoding.get(connection) ?? "binary") === "json" ? JSON.stringify(payload.toJsonObject()) : this._codecFor(connection).outgoing({
+			action: payload,
+			localClient,
+			externalClient: this.peerClient
+		});
+		const session = this._sessionByConn.get(connection);
+		if (session == null) {
+			this._send(connection, frame);
+			return;
+		}
+		session.send(frame);
+	}
+	_bindConnection(connection, client) {
+		this._connByClient.set(client.stringId, connection);
+		this._clientByConn.set(connection, client);
+	}
+	_resolveConnection(target) {
+		if (target instanceof RuntimeCoordinate) {
+			const connection = this._connByClient.get(target.stringId);
+			if (connection == null) throw err_nice_transport.fromId("not_found", { actionId: target.stringId });
+			return connection;
+		}
+		return target;
+	}
+	_resolveSingleConnection() {
+		if (this._clientByConn.size !== 1) throw err_nice_transport.fromId("not_found", { actionId: "server-handler-target (use pushToClient with an explicit connection or client coordinate)" });
+		return this._clientByConn.keys().next().value;
+	}
+};
+const createAcceptorHandler = (options) => {
+	return new AcceptorHandler(options);
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.ts
+/** Default accepted set: negotiate per connection to whatever the client picks. */
+const DEFAULT_SERVER_SECURITY_LEVELS$1 = [
+	"none",
+	"authenticated",
+	"encrypted"
+];
+/**
+* Build an {@link AcceptorHandler} for the secure binary channel with the boilerplate folded in:
+* it creates the {@link ClientCryptoKeyLink} and the storage-backed TOFU resolver from a single
+* `storageAdapter`, installs the channel's per-connection codec, and assembles the `security` block
+* from the runtime coordinate + channel version (accepting all three levels by default).
+*
+* For a hibernatable transport (e.g. a Durable Object), pair it with
+* {@link createHibernatableWsServerAdapter} to wire persistence + replay.
+*/
+function createSecureAcceptorHandler(options) {
+	const link = options.link ?? new ClientCryptoKeyLink({ storageAdapter: options.storageAdapter });
+	return new AcceptorHandler({
+		clientEnv: options.clientEnv,
+		createFormatMessage: options.channel.createCodec,
+		send: options.send,
+		runtime: options.runtime,
+		defaultTimeout: options.defaultTimeout,
+		security: {
+			securityLevel: options.securityLevel ?? DEFAULT_SERVER_SECURITY_LEVELS$1,
+			link,
+			localCoordinate: options.runtime.coordinate.toJsonObject(),
+			dictionaryVersion: options.channel.dictionaryVersion,
+			verifyKeyResolver: options.verifyKeyResolver ?? createStorageTofuVerifyKeyResolver(options.storageAdapter)
+		}
+	});
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/Carrier.types.ts
+/**
+* Narrow a carrier source to the exchange shape via its `shape` discriminant — the one branch the
+* transport factories ({@link secureTransport}, {@link plainTransport}) use to pick the duplex vs
+* exchange transport. A duplex source carries no `shape`, so the `else` branch is the duplex one.
+*/
+function isExchangeCarrierSource(carrier) {
+	return "shape" in carrier && carrier.shape === "exchange";
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Transport.ts
+/**
+* Reusable transport definition. Devs construct these (`secureTransport({ carrier: wsCarrier(url) })`,
+* `plainTransport({ carrier: httpCarrier(...) })`, …) and pass them to a
+* `ConnectorHandler`. A single
+* definition can be shared across multiple handlers — each handler builds its own live
+* {@link TransportConnection} via {@link TransportConnection._createConnection}.
+*/
+var Transport = class {};
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.ts
+function encodeExchange(envelope) {
+	return JSON.stringify(envelope);
+}
+function decodeExchangeRequest(raw) {
+	return parse(raw);
+}
+function decodeExchangeReply(raw) {
+	return parse(raw);
+}
+function parse(raw) {
+	try {
+		return JSON.parse(raw);
+	} catch {
+		return;
+	}
+}
+function bytesToBase64(bytes) {
+	let binary = "";
+	for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+	return btoa(binary);
+}
+function base64ToBytes(base64) {
+	const binary = atob(base64);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/establishExchangeSession.ts
+const textEncoder$1 = new TextEncoder();
+const textDecoder$1 = new TextDecoder();
+/** Plain path (no handshake/token): every action rides a bare `act` envelope, plaintext both ways. */
+function finalizePlainExchangeMethods(ctx) {
+	return buildExchangeMethods(ctx, {});
+}
+/** Secure path: run the handshake (two exchanges) once at bring-up, then reuse the token + crypto. */
+async function finalizeSecureExchangeMethods(ctx) {
+	return buildExchangeMethods(ctx, await runConnectorExchangeHandshake(ctx.carrier, ctx.secure));
+}
+function buildExchangeMethods(ctx, state) {
+	const sendActionData = (inputs) => {
+		runExchange(ctx.carrier, state, inputs).catch((err) => inputs.runningAction._abort(err));
+	};
+	return {
+		sendActionData,
+		updateRunConfig: ctx.updateRunConfig
+	};
+}
+async function runExchange(carrier, state, inputs) {
+	const { action, runningAction, timeout } = inputs;
+	const ac = new AbortController();
+	let timedOut = false;
+	const timeoutId = setTimeout(() => {
+		timedOut = true;
+		ac.abort();
+	}, timeout);
+	const unsubscribe = runningAction.addUpdateListeners([(update) => {
+		if (update.type === "finished") {
+			clearTimeout(timeoutId);
+			ac.abort();
+		}
+	}]);
+	try {
+		const request = await buildRequestEnvelope(state, action);
+		const replyRaw = await carrier.exchange(encodeExchange(request), { signal: ac.signal });
+		if (action.type !== "request") return;
+		const reply = decodeExchangeReply(asString(replyRaw));
+		if (reply == null) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
+		if (reply.k === "err") throw err_nice_transport.fromId("send_failed", {
+			actionState: action.type,
+			actionId: action.id,
+			message: reply.message
+		});
+		const wire = await extractReplyWire(state, reply);
+		if (wire == null || !isActionPayload_Result_JsonObject(wire)) throw err_nice_transport.fromId("invalid_action_response", { actionId: action.id });
+		runningAction._completeWithResult(action._domain.hydrateResultPayload(wire));
+	} catch (err) {
+		if (timedOut) throw err_nice_transport.fromId("timeout", { timeout });
+		throw err;
+	} finally {
+		clearTimeout(timeoutId);
+		unsubscribe();
+	}
+}
+async function buildRequestEnvelope(state, action) {
+	const wire = action.toJsonObject();
+	if (state.crypto != null) {
+		const ciphertext = await state.crypto.encryptFrame(textEncoder$1.encode(JSON.stringify(wire)));
+		return {
+			k: "act",
+			t: state.token,
+			c: bytesToBase64(ciphertext)
+		};
+	}
+	return {
+		k: "act",
+		t: state.token,
+		w: wire
+	};
+}
+async function extractReplyWire(state, reply) {
+	if (reply.k !== "act") return void 0;
+	if ("c" in reply) {
+		if (state.crypto == null) return void 0;
+		const plain = await state.crypto.decryptFrame(base64ToBytes(reply.c));
+		return JSON.parse(textDecoder$1.decode(plain));
+	}
+	return reply.w;
+}
+async function runConnectorExchangeHandshake(carrier, secure) {
+	await secure.link.initialize();
+	const handshake = createClientHandshake({
+		link: secure.link,
+		localCoordinate: secure.localCoordinate,
+		dictionaryVersion: secure.dictionaryVersion,
+		securityLevel: secure.securityLevel
+	});
+	const hsid = nanoid();
+	const hello = await handshake.createHello();
+	const welcomeReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
+		k: "hs",
+		hsid,
+		m: encodeHandshakeMessage(hello)
+	}))));
+	if (welcomeReply?.k !== "hs") throw new Error("[exchange-handshake] expected a welcome reply");
+	const welcome = decodeHandshakeMessage(welcomeReply.m);
+	if (welcome == null) throw new Error("[exchange-handshake] malformed welcome");
+	if (welcome.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${welcome.reason}`);
+	if (welcome.t !== "welcome") throw new Error(`[exchange-handshake] expected welcome, got ${welcome.t}`);
+	const prove = await handshake.onWelcome(welcome);
+	const acceptReply = decodeExchangeReply(asString(await carrier.exchange(encodeExchange({
+		k: "hs",
+		hsid,
+		m: encodeHandshakeMessage(prove)
+	}))));
+	if (acceptReply?.k !== "hs") throw new Error("[exchange-handshake] expected an accept reply");
+	const accept = decodeHandshakeMessage(acceptReply.m);
+	if (accept == null) throw new Error("[exchange-handshake] malformed accept");
+	if (accept.t === "reject") throw new Error(`[exchange-handshake] rejected by peer: ${accept.reason}`);
+	if (accept.t !== "accept") throw new Error(`[exchange-handshake] expected accept, got ${accept.t}`);
+	if (acceptReply.t == null) throw new Error("[exchange-handshake] accept missing session token");
+	const result = await handshake.onAccept(accept);
+	const crypto = result.securityLevel === "encrypted" ? createActionFrameCrypto({
+		link: secure.link,
+		linkedClientId: result.linkedClientId
+	}) : void 0;
+	return {
+		token: acceptReply.t,
+		crypto
+	};
+}
+function asString(frame) {
+	if (typeof frame === "string") return frame;
+	return textDecoder$1.decode(frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame);
+}
+//#endregion
+//#region src/ActionRuntime/Transport/helpers/addTransportStatusMetadata.ts
+function addTransportStatusMetadata(transportStatus) {
+	if (transportStatus.status === "ready") return {
+		status: "ready",
+		readyData: transportStatus.readyData
+	};
+	if (transportStatus.status === "initializing") return {
+		status: "initializing",
+		initializationPromise: transportStatus.initializationPromise,
+		timeStarted: Date.now()
+	};
+	if (transportStatus.status === "failed") return {
+		status: "failed",
+		error: transportStatus.error,
+		timeFailed: Date.now()
+	};
+	if (transportStatus.status === "unsupported") return { status: "unsupported" };
+	return { status: "uninitialized" };
+}
+//#endregion
+//#region src/ActionRuntime/Transport/TransportConnection.ts
+let transportOrd = 0;
+/**
+* Live, per-handler transport runtime built from a reusable {@link Transport} definition. Holds the
+* connection-scoped state (ordinal, initialized config, sockets / abort sets) that must not be shared
+* across handlers. Construct these via `definition._createConnection(...)`, never directly.
+*/
+var TransportConnection = class {
+	def;
+	transOrd = transportOrd++;
+	type;
+	initialized;
+	/** Backref to the public definition that created this connection (used for devtools route info). */
+	definition;
+	constructor(def) {
+		this.def = def;
+		this.type = def.type;
+		this.initialized = def.initialize();
+	}
+	/**
+	* Devtools route info for an action routed through this live connection. Defaults to the stateless
+	* {@link definition}'s info; connections override to enrich it from live state (e.g. the actual
+	* resolved socket URL) when the definition couldn't resolve it on its own.
+	*/
+	getRouteInfo(input) {
+		return this.definition?.getRouteInfo(input);
+	}
+	/**
+	* Whether a `ready`-status transport still needs asynchronous bring-up before its methods exist —
+	* awaiting the carrier to open and/or running a handshake. Default `false`: a stateless transport
+	* (HTTP) is usable the instant `getTransport` reports `ready`, so it stays a terminal *synchronous*
+	* fallback in {@link ConnectionTransportManager}. Stream carriers (Link/WS) override to `true`.
+	*/
+	_needsAsyncBringUp(_readyData) {
+		return false;
+	}
+	/** Await the carrier becoming ready to send (e.g. a socket `open`). Default: nothing to await. */
+	_awaitCarrierReady(_readyData) {
+		return Promise.resolve();
+	}
+	/**
+	* Finalize during async bring-up — may run a handshake, so it can be async. Defaults to the
+	* synchronous {@link _finalizeTransportMethods}; secure stream carriers override to branch plain/secure.
+	*/
+	_finalizeReady(readyData) {
+		return this._finalizeTransportMethods(readyData);
+	}
+	_getCacheKey(input) {
+		const parts = this.initialized.getTransportCacheKey?.(input);
+		if (parts == null) return null;
+		return parts.join("\0");
+	}
+	getCacheKey(input) {
+		const inner = this._getCacheKey(input);
+		if (inner == null) return null;
+		return `${this.transOrd}:${inner}`;
+	}
+	/**
+	* Whether this transport can serve the given action right now. Consulted by the manager before
+	* cache-key resolution and `getTransport`; a `false` result skips this transport (treated as
+	* `unsupported`) and the manager falls through to the next in preference order. Defaults to `true`
+	* when the transport declares no gate.
+	*/
+	isAvailable(input) {
+		return this.initialized.isAvailable?.(input) ?? true;
+	}
+	getTransport(input) {
+		return this._processTransportStatus(input);
+	}
+	_processTransportStatus(input) {
+		const statusInfo = addTransportStatusMetadata(this.initialized.getTransport(input));
+		if (statusInfo.status === "ready") {
+			if (!this._needsAsyncBringUp(statusInfo.readyData)) return {
+				status: "ready",
+				readyData: this._finalizeTransportMethods(statusInfo.readyData)
+			};
+			return {
+				status: "initializing",
+				timeStarted: Date.now(),
+				initializationPromise: this._bringUp(statusInfo.readyData)
+			};
+		}
+		if (statusInfo.status === "initializing") {
+			const initializationPromise = statusInfo.initializationPromise.then((result) => result.status === "ready" ? this._bringUp(result.readyData) : result);
+			return {
+				status: "initializing",
+				timeStarted: statusInfo.timeStarted,
+				initializationPromise
+			};
+		}
+		return statusInfo;
+	}
+	/** Await carrier readiness, then finalize (possibly running a handshake) into the live methods. */
+	async _bringUp(readyData) {
+		await this._awaitCarrierReady(readyData);
+		return {
+			status: "ready",
+			readyData: await this._finalizeReady(readyData)
+		};
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/Exchange/ExchangeConnection.ts
+/**
+* Carrier-agnostic live connection for the exchange (request → single reply) shape — the HTTP
+* counterpart to {@link LinkConnection}. It owns only the bring-up (run the secure handshake on first
+* use); the request/reply lifecycle + crypto live in the shared `establishExchangeSession`.
+*/
+var ExchangeConnection = class extends TransportConnection {
+	constructor(def) {
+		super({
+			...def,
+			type: "exchange"
+		});
+	}
+	_getCacheKey(input) {
+		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
+	}
+	_needsAsyncBringUp(data) {
+		return data.secureChannel != null && data.secureChannel.securityLevel !== "none";
+	}
+	_finalizeReady(data) {
+		const secure = data.secureChannel;
+		if (secure != null && secure.securityLevel !== "none") return finalizeSecureExchangeMethods({
+			...this._sessionContext(data),
+			secure
+		});
+		return this._finalizeTransportMethods(data);
+	}
+	_finalizeTransportMethods(data) {
+		return finalizePlainExchangeMethods(this._sessionContext(data));
+	}
+	_sessionContext(data) {
+		return {
+			carrier: data.carrier,
+			updateRunConfig: data.updateRunConfig,
+			secure: data.secureChannel
+		};
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/Exchange/ExchangeTransport.ts
+/**
+* A carrier-agnostic exchange (request → single reply) transport: it drives nice-action's secure session
+* over any {@link IExchangeCarrier} (HTTP being the one built-in). The duplex counterpart is
+* {@link LinkTransport}; this is the no-push half — its reply rides the response to its own request, so it
+* can't deliver an unsolicited frame (the runtime never picks it for the return path).
+*/
+var ExchangeTransport = class ExchangeTransport extends Transport {
+	options;
+	type = "exchange";
+	constructor(options) {
+		super();
+		this.options = options;
+	}
+	static create(options) {
+		return new ExchangeTransport(options);
+	}
+	_createConnection(_ctx) {
+		const options = this.options;
+		return new ExchangeConnection({ initialize: () => ({
+			getTransportCacheKey: options.getTransportCacheKey,
+			isAvailable: options.available,
+			getTransport: (input) => ({
+				status: "ready",
+				readyData: {
+					carrier: options.openCarrier(input),
+					secureChannel: options.security,
+					updateRunConfig: options.updateRunConfig
+				}
+			})
+		}) });
+	}
+	getRouteInfo(input) {
+		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
+		return {
+			carrierLabel: this.options.label ?? "exchange",
+			summary: this.options.label ?? "exchange"
+		};
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/helpers/createUnsetTransportResolvers.ts
+const createUnsetTransportResolvers = (transportLabel) => ({ onIncomingActionDataJson: (json) => {
+	console.warn(`Received incoming action JSON [${json.domain}:${json.id}] on Transport [${transportLabel}] but no incoming data listener has been set.`);
+} });
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/establishLinkSession.ts
+const HANDSHAKE_TIMEOUT_MS = 15e3;
+/** Plain path (no handshake): route every inbound frame to the runtime; send without crypto. */
+function finalizePlainLinkMethods(ctx) {
+	const disconnectListeners = [];
+	const abortSet = /* @__PURE__ */ new Set();
+	const pipe = makePipe(ctx, void 0);
+	ctx.channel.attach({
+		onMessage: (frame) => void handleIncomingActionFrame(ctx, pipe, frame),
+		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
+		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
+	});
+	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
+}
+/**
+* Secure path: a single message handler feeds the handshake until it completes, then routes action
+* frames (decrypting at the `encrypted` level). Frames that race ahead of activation are buffered and
+* flushed once the handshake lands, so nothing is lost.
+*/
+async function finalizeSecureLinkMethods(ctx) {
+	const disconnectListeners = [];
+	const abortSet = /* @__PURE__ */ new Set();
+	const session = {};
+	let active = false;
+	const handshakeQueue = [];
+	const handshakeWaiters = [];
+	const pendingActionFrames = [];
+	ctx.channel.attach({
+		onMessage: (frame) => {
+			if (active && session.pipe != null) {
+				handleIncomingActionFrame(ctx, session.pipe, frame);
+				return;
+			}
+			if (typeof frame === "string") {
+				const message = decodeHandshakeMessage(frame);
+				if (message != null) {
+					const waiter = handshakeWaiters.shift();
+					if (waiter != null) waiter(message);
+					else handshakeQueue.push(message);
+					return;
+				}
+			}
+			pendingActionFrames.push(frame);
+		},
+		onClose: () => onChannelClosed(ctx, disconnectListeners, abortSet),
+		onError: () => onChannelClosed(ctx, disconnectListeners, abortSet)
+	});
+	const nextHandshakeMessage = () => {
+		const queued = handshakeQueue.shift();
+		if (queued != null) return Promise.resolve(queued);
+		return new Promise((resolve, reject) => {
+			const timeout = setTimeout(() => reject(/* @__PURE__ */ new Error("[link-handshake] timed out waiting for peer reply")), HANDSHAKE_TIMEOUT_MS);
+			handshakeWaiters.push((message) => {
+				clearTimeout(timeout);
+				resolve(message);
+			});
+		});
+	};
+	const pipe = makePipe(ctx, await runClientHandshake(ctx.channel, ctx.secure, nextHandshakeMessage));
+	session.pipe = pipe;
+	active = true;
+	for (const frame of pendingActionFrames) await handleIncomingActionFrame(ctx, pipe, frame);
+	pendingActionFrames.length = 0;
+	return buildSendMethods(ctx, pipe, disconnectListeners, abortSet);
+}
+function makePipe(ctx, crypto) {
+	return createFrameCryptoPipe({
+		write: (frame) => ctx.channel.send(frame),
+		isOpen: () => ctx.channel.isOpen(),
+		crypto
+	});
+}
+async function runClientHandshake(channel, secure, nextHandshakeMessage) {
+	await secure.link.initialize();
+	const handshake = createClientHandshake({
+		link: secure.link,
+		localCoordinate: secure.localCoordinate,
+		dictionaryVersion: secure.dictionaryVersion,
+		securityLevel: secure.securityLevel
+	});
+	channel.send(encodeHandshakeMessage(await handshake.createHello()));
+	const welcome = await nextHandshakeMessage();
+	if (welcome.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${welcome.reason}`);
+	if (welcome.t !== "welcome") throw new Error(`[link-handshake] expected welcome, got ${welcome.t}`);
+	channel.send(encodeHandshakeMessage(await handshake.onWelcome(welcome)));
+	const accept = await nextHandshakeMessage();
+	if (accept.t === "reject") throw new Error(`[link-handshake] rejected by peer: ${accept.reason}`);
+	if (accept.t !== "accept") throw new Error(`[link-handshake] expected accept, got ${accept.t}`);
+	const result = await handshake.onAccept(accept);
+	return result.securityLevel === "encrypted" ? createActionFrameCrypto({
+		link: secure.link,
+		linkedClientId: result.linkedClientId
+	}) : void 0;
+}
+function buildSendMethods(ctx, pipe, disconnectListeners, abortSet) {
+	const channel = ctx.channel;
+	const sendActionData = (inputs) => {
+		const { action, runningAction, timeout } = inputs;
+		if (!channel.isOpen()) {
+			if (action.type === "request") runningAction._abort(ctx.makeDisconnectError(action.id));
+			return;
+		}
+		if (action.type === "request") {
+			abortSet.add(runningAction);
+			const timeoutId = setTimeout(() => {
+				runningAction._abort(err_nice_transport.fromId("timeout", { timeout }));
+			}, timeout);
+			runningAction.addUpdateListeners([(update) => {
+				if (update.type === "finished") {
+					clearTimeout(timeoutId);
+					abortSet.delete(runningAction);
+				}
+			}]);
+		}
+		pipe.send(ctx.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
+	};
+	return {
+		sendActionData,
+		updateRunConfig: ctx.updateRunConfig,
+		addOnDisconnectListener: (cb) => {
+			disconnectListeners.push(cb);
+		},
+		disconnect: () => {
+			try {
+				channel.close();
+			} catch {}
+		},
+		sendReturnData: (payload, clients) => {
+			const formatted = clients != null ? ctx.formatMessage?.outgoing({
+				action: payload,
+				...clients
+			}) : void 0;
+			pipe.send(formatted ?? JSON.stringify(payload.toJsonObject()));
+		}
+	};
+}
+async function handleIncomingActionFrame(ctx, pipe, frame) {
+	const decoded = await pipe.decryptIncoming(frame);
+	if (decoded === void 0) return;
+	const rawJson = decodeActionFrame(decoded, ctx.formatMessage);
+	if (rawJson != null) ctx.resolvers.onIncomingActionDataJson(rawJson);
+}
+function onChannelClosed(ctx, disconnectListeners, abortSet) {
+	for (const cb of disconnectListeners) cb();
+	const error = ctx.makeDisconnectError("—");
+	for (const ra of [...abortSet]) ra._abort(error);
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Link/LinkConnection.ts
+/** Abort error for a closed link channel (carrier-neutral — the carrier itself isn't named). */
+function linkDisconnectError(actionId) {
+	return err_nice_transport.fromId("send_failed", {
+		actionId,
+		actionState: "request",
+		message: "link channel disconnected"
+	});
+}
+/**
+* Carrier-agnostic live connection. It owns only the *bring-up* (open the carrier, then run the secure
+* session); the session itself — handshake, frame crypto, codec, send/receive — lives in the shared
+* {@link finalizeSecureLinkMethods}/{@link finalizePlainLinkMethods}, so a WebSocket, a WebRTC data
+* channel, a Bluetooth characteristic, and an in-memory pipe all run the identical secure layer.
+*/
+var LinkConnection = class extends TransportConnection {
+	resolvers;
+	constructor(def, resolvers) {
+		super({
+			...def,
+			type: "duplex"
+		});
+		this.resolvers = resolvers ?? createUnsetTransportResolvers("link");
+	}
+	_getCacheKey(input) {
+		return this.initialized.getTransportCacheKey?.(input).join("\0") ?? "";
+	}
+	_needsAsyncBringUp() {
+		return true;
+	}
+	_awaitCarrierReady(data) {
+		return data.channel.ready;
+	}
+	_finalizeReady(data) {
+		const secure = data.secureChannel;
+		if (secure != null && secure.securityLevel !== "none") return finalizeSecureLinkMethods({
+			...this._sessionContext(data),
+			secure
+		});
+		return this._finalizeTransportMethods(data);
+	}
+	_sessionContext(data) {
+		return {
+			channel: data.channel,
+			resolvers: this.resolvers,
+			formatMessage: data.formatMessage,
+			updateRunConfig: data.updateRunConfig,
+			makeDisconnectError: linkDisconnectError
+		};
+	}
+	_finalizeTransportMethods(data) {
+		return finalizePlainLinkMethods(this._sessionContext(data));
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/Link/LinkTransport.ts
+/**
+* A carrier-agnostic transport: it drives nice-action's secure session + action routing over any
+* {@link IDuplexCarrier}. The WebSocket transport is the special case that opens a `WebSocket`;
+* this opens whatever `openChannel` returns, so the identical secure layer works over WebRTC, Bluetooth,
+* or an in-memory pipe. Reported with an overridable carrier label in the devtools (defaults to "link").
+*/
+var LinkTransport = class LinkTransport extends Transport {
+	options;
+	type = "duplex";
+	constructor(options) {
+		super();
+		this.options = options;
+	}
+	static create(options) {
+		return new LinkTransport(options);
+	}
+	_createConnection(ctx) {
+		const options = this.options;
+		return new LinkConnection({ initialize: () => ({
+			getTransportCacheKey: options.getTransportCacheKey,
+			isAvailable: options.available,
+			getTransport: (input) => ({
+				status: "ready",
+				readyData: {
+					channel: options.openChannel(input),
+					formatMessage: options.createFormatMessage?.() ?? options.formatMessage,
+					updateRunConfig: options.updateRunConfig,
+					secureChannel: options.security
+				}
+			})
+		}) }, ctx.resolvers);
+	}
+	getRouteInfo(input) {
+		if (this.options.getRouteInfo != null) return this.options.getRouteInfo(input);
+		return {
+			carrierLabel: this.options.label ?? "link",
+			summary: this.options.label ?? "link"
+		};
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Transport/plainTransport.ts
+function plainTransport(options) {
+	const carrier = options.carrier;
+	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
+		openCarrier: carrier.open,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: options.label ?? carrier.carrierLabel,
+		updateRunConfig: options.updateRunConfig
+	});
+	return LinkTransport.create({
+		openChannel: carrier.open,
+		formatMessage: options.formatMessage,
+		createFormatMessage: options.createFormatMessage,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: options.label ?? carrier.carrierLabel,
+		updateRunConfig: options.updateRunConfig
+	});
+}
+//#endregion
+//#region src/ActionRuntime/Transport/secureTransport.ts
+function secureTransport(options) {
+	const link = options.link ?? (options.storageAdapter != null ? new ClientCryptoKeyLink({ storageAdapter: options.storageAdapter }) : void 0);
+	if (link == null) throw new Error("secureTransport: provide `link` or `storageAdapter` for the crypto identity.");
+	const security = {
+		securityLevel: options.securityLevel,
+		link,
+		localCoordinate: options.runtime.coordinate.toJsonObject(),
+		dictionaryVersion: options.channel.dictionaryVersion
+	};
+	const carrier = options.carrier;
+	if (isExchangeCarrierSource(carrier)) return ExchangeTransport.create({
+		openCarrier: carrier.open,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: carrier.carrierLabel,
+		security
+	});
+	return LinkTransport.create({
+		openChannel: carrier.open,
+		createFormatMessage: options.channel.createCodec,
+		getTransportCacheKey: carrier.getCacheKey,
+		available: options.available,
+		getRouteInfo: carrier.getRouteInfo,
+		label: carrier.carrierLabel,
+		security
+	});
+}
+//#endregion
+//#region src/ActionRuntime/Channel/ActionChannel.ts
+/**
+* Declare a transport-agnostic channel by role. Use it for HTTP, custom transports, or as the routing
+* half of a richer channel. The order of each list is part of the contract for wire formats that pack
+* positionally (see `defineSecureChannel`) — add new domains to the end of their list. (`domains` is
+* accepted as a legacy alias for `toAcceptor`.)
+*/
+function defineChannel(options) {
+	return {
+		toAcceptorDomains: options.toAcceptor,
+		toConnectorDomains: options.toConnector
+	};
+}
+/**
+* Open a connection to a peer from a single call — the dial-out dual of `serveChannel`. The channel is
+* the single source of truth for *what* is routed (`toAcceptor` domains forwarded to the peer,
+* `toConnector` pushes handled locally from `onPush`); the call binds the shared facts — the channel's
+* codec/dictionary version, the runtime, and one crypto identity (a {@link ClientCryptoKeyLink} over
+* `storage`) — into every transport in `transports`, so none of them restate the channel or runtime.
+* List several transports to make the path transport-agnostic (secure WS preferred, HTTP fallback):
+* ```ts
+* const handler = connectChannel(runtime, lobbyChannel, {
+*   peer: runtime_coordinate_lobby_do,
+*   storage,
+*   transports: [{ carrier: wsCarrier(url) }, { carrier: httpCarrier(...), secure: false }],
+*   onPush: { player_joined: (p) => { … } },
+* });
+* ```
+* Returns the {@link ConnectorHandler} so the caller can later `clearTransportCache()` it.
+*/
+function connectChannel(runtime, channel, options) {
+	const securityLevel = options.securityLevel ?? "authenticated";
+	const anySecure = options.transports.some((transport) => transport.secure ?? true);
+	let link = options.link;
+	if (anySecure && link == null) {
+		if (options.storage == null) throw new Error("connectChannel: a secure transport requires `storage` (or `link`). Pass it, or set `secure: false` on the transport for a plain connection.");
+		link = new ClientCryptoKeyLink({ storageAdapter: options.storage });
+	}
+	const transports = options.transports.map((transport) => {
+		const carrier = transport.carrier;
+		const secure = transport.secure ?? true;
+		if (isExchangeCarrierSource(carrier)) return secure ? secureTransport({
+			channel,
+			runtime,
+			link,
+			securityLevel: transport.securityLevel ?? securityLevel,
+			available: transport.available,
+			carrier
+		}) : plainTransport({
+			carrier,
+			available: transport.available,
+			label: transport.label
+		});
+		return secure ? secureTransport({
+			channel,
+			runtime,
+			link,
+			securityLevel: transport.securityLevel ?? securityLevel,
+			available: transport.available,
+			carrier
+		}) : plainTransport({
+			carrier,
+			createFormatMessage: channel.createCodec,
+			available: transport.available,
+			label: transport.label
+		});
+	});
+	const pushHandlers = options.onPush != null ? channel.toConnectorDomains.map((domain) => domain.wrapAsPartialLocalHandler(options.onPush)) : [];
+	return runtime.connectTo(options.peer, {
+		transports,
+		domains: [...channel.toAcceptorDomains],
+		localHandlers: pushHandlers,
+		defaultTimeout: options.defaultTimeout
+	});
+}
+/**
+* Register an acceptor handler's execution for a channel straight from its definition: the channel's
+* `toAcceptor` domains are served together with one merged, connection-aware case map (each case gets
+* the primed request + the originating connection, as with
+* {@link AcceptorHandler.forConnectionDomainCases}). The domain list is taken from the channel,
+* never restated. Add the returned handler to the runtime alongside the acceptor handler:
+* ```ts
+* runtime.addHandlers([acceptChannelConnections(serverHandler, channel, { … }), serverHandler]);
+* ```
+*
+* The case's second argument is the raw connection (`TConn | undefined`). For the richer state +
+* broadcast + pushBack context, serve the channel through `serveChannel`'s `channelCases` instead.
+*/
+function acceptChannelConnections(serverHandler, channel, cases) {
+	return serverHandler.forConnectionDomainCasesMulti(channel.toAcceptorDomains, cases, (connection) => connection);
+}
+/**
+* Build the secure {@link AcceptorHandler} for a channel — the accept-in counterpart to
+* {@link connectChannel}. It folds in the same boilerplate as {@link createSecureAcceptorHandler} (the
+* `ClientCryptoKeyLink` + storage-backed TOFU resolver from one `storageAdapter`, the channel's codec +
+* dictionary version, the `security` block from the runtime coordinate) but takes the `(runtime, channel,
+* options)` shape of the channel family. Pair it with {@link acceptChannelConnections} for execution:
+* ```ts
+* const acceptor = acceptChannel(runtime, gameChannel, { clientEnv, storageAdapter, send });
+* runtime.addHandlers([acceptChannelConnections(acceptor, gameChannel, { … }), acceptor]);
+* ```
+*/
+function acceptChannel(runtime, channel, options) {
+	return createSecureAcceptorHandler({
+		channel,
+		runtime,
+		clientEnv: options.clientEnv,
+		storageAdapter: options.storageAdapter,
+		link: options.link,
+		send: options.send,
+		securityLevel: options.securityLevel,
+		verifyKeyResolver: options.verifyKeyResolver,
+		defaultTimeout: options.defaultTimeout
+	});
+}
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.ts
+const textEncoder = new TextEncoder();
+const textDecoder = new TextDecoder();
+/**
+* Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
+* {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
+* acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
+* requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
+* POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
+* and returns the (encrypted) result inline as the reply.
+*
+* Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
+* Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
+* same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+*/
+var ExchangeAcceptor = class {
+	_security;
+	_runtime;
+	_allowedLevels;
+	_noneAllowed;
+	_pendingHandshakes = /* @__PURE__ */ new Map();
+	_sessions = /* @__PURE__ */ new Map();
+	constructor(config) {
+		this._security = config.security;
+		this._runtime = config.runtime;
+		this._allowedLevels = Array.isArray(config.security.securityLevel) ? config.security.securityLevel : [config.security.securityLevel];
+		this._noneAllowed = this._allowedLevels.includes("none");
+	}
+	/** Process one POST body (an exchange envelope), returning the reply body to send back. */
+	async handlePost(body) {
+		const request = decodeExchangeRequest(body);
+		if (request == null) return this._err("malformed exchange request");
+		if (request.k === "hs") return encodeExchange(await this._handleHandshake(request));
+		return encodeExchange(await this._handleAction(request));
+	}
+	async _handleHandshake(request) {
+		const message = decodeHandshakeMessage(request.m);
+		if (message == null) return {
+			k: "err",
+			message: "malformed handshake message"
+		};
+		const security = this._security;
+		await security.link.initialize();
+		let handshake = this._pendingHandshakes.get(request.hsid);
+		if (handshake == null) {
+			handshake = createServerHandshake({
+				link: security.link,
+				localCoordinate: security.localCoordinate,
+				dictionaryVersion: security.dictionaryVersion,
+				securityLevel: security.securityLevel,
+				verifyKeyResolver: security.verifyKeyResolver
+			});
+			this._pendingHandshakes.set(request.hsid, handshake);
+		}
+		if (message.t === "hello") return {
+			k: "hs",
+			m: encodeHandshakeMessage(await handshake.onHello(message))
+		};
+		if (message.t === "prove") {
+			const reply = await handshake.onProve(message);
+			this._pendingHandshakes.delete(request.hsid);
+			const result = handshake.getResult();
+			if (reply.t === "accept" && result != null) {
+				const token = nanoid();
+				this._sessions.set(token, {
+					client: new RuntimeCoordinate(result.remote),
+					securityLevel: result.securityLevel,
+					crypto: result.securityLevel === "encrypted" ? createActionFrameCrypto({
+						link: security.link,
+						linkedClientId: result.linkedClientId
+					}) : void 0
+				});
+				return {
+					k: "hs",
+					m: encodeHandshakeMessage(reply),
+					t: token
+				};
+			}
+			return {
+				k: "hs",
+				m: encodeHandshakeMessage(reply)
+			};
+		}
+		return {
+			k: "err",
+			message: `unexpected handshake message ${message.t}`
+		};
+	}
+	async _handleAction(request) {
+		let session;
+		let candidate;
+		if (request.t != null) {
+			session = this._sessions.get(request.t);
+			if (session == null) return {
+				k: "err",
+				message: "unknown or expired session token"
+			};
+			if ("c" in request) {
+				if (session.crypto == null) return {
+					k: "err",
+					message: "session is not encrypted"
+				};
+				const plain = await session.crypto.decryptFrame(base64ToBytes(request.c));
+				candidate = JSON.parse(textDecoder.decode(plain));
+			} else candidate = request.w;
+		} else {
+			if (!this._noneAllowed || "c" in request) return {
+				k: "err",
+				message: "missing session token"
+			};
+			candidate = request.w;
+		}
+		if (!isActionPayload_Any_JsonObject(candidate)) return {
+			k: "err",
+			message: "malformed action wire"
+		};
+		const wire = candidate;
+		if (session != null && wire.type === "request") wire.context.originClient = session.client.toJsonObject();
+		const resultWire = (await (await this._runtime.handleActionPayloadWire(wire)).waitForResultPayload()).toJsonObject();
+		if (session?.crypto != null) return {
+			k: "act",
+			c: bytesToBase64(await session.crypto.encryptFrame(textEncoder.encode(JSON.stringify(resultWire))))
+		};
+		return {
+			k: "act",
+			w: resultWire
+		};
+	}
+	_err(message) {
+		return encodeExchange({
+			k: "err",
+			message
+		});
+	}
+};
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.ts
+/** Permissive defaults — fine for a public action endpoint; override (or disable) via `cors`. */
+const DEFAULT_CORS_HEADERS = {
+	"Access-Control-Allow-Origin": "*",
+	"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+	"Access-Control-Allow-Headers": "Content-Type",
+	"Access-Control-Max-Age": "86400"
+};
+/**
+* Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
+* boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
+* `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
+* `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
+*
+* It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
+* environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
+* ```ts
+* this.fetchHandler = createActionFetchHandler(this.runtime, {
+*   onWebSocketUpgrade: () => {
+*     const pair = new WebSocketPair();
+*     this.ctx.acceptWebSocket(pair[1]);
+*     return new Response(null, { status: 101, webSocket: pair[0] });
+*   },
+* });
+* // async fetch(request) { return this.fetchHandler(request); }
+* ```
+*/
+function createActionFetchHandler(runtime, options = {}) {
+	const corsHeaders = options.cors === false ? {} : options.cors ?? DEFAULT_CORS_HEADERS;
+	const isActionPath = options.isActionPath ?? ((url) => url.pathname.endsWith("/action"));
+	const isWebSocketPath = options.isWebSocketPath ?? ((url) => url.pathname.endsWith("/ws"));
+	const exchangeAcceptor = options.security != null ? new ExchangeAcceptor({
+		runtime,
+		security: options.security
+	}) : void 0;
+	const withCors = (response) => {
+		if (options.cors === false) return response;
+		const headers = new Headers(response.headers);
+		for (const [key, value] of Object.entries(corsHeaders)) headers.set(key, value);
+		return new Response(response.body, {
+			status: response.status,
+			headers
+		});
+	};
+	return async (request) => {
+		if (request.method === "OPTIONS") return withCors(new Response(null, { status: 204 }));
+		const url = new URL(request.url);
+		const isWebSocketUpgrade = options.isWebSocketUpgrade ?? ((req, u) => req.headers.get("Upgrade") === "websocket" && isWebSocketPath(u));
+		if (options.onWebSocketUpgrade != null && isWebSocketUpgrade(request, url)) return options.onWebSocketUpgrade(request, url);
+		if (request.method === "POST" && isActionPath(url)) {
+			if (exchangeAcceptor != null) {
+				const reply = await exchangeAcceptor.handlePost(await request.text());
+				return withCors(new Response(reply, {
+					status: 200,
+					headers: { "Content-Type": "application/json" }
+				}));
+			}
+			return withCors((await (await runtime.handleActionPayloadWire(await request.json())).waitForResultPayload()).toHttpResponse({ useErrorStatus: options.useErrorStatus }));
+		}
+		return withCors(new Response("Not found", { status: 404 }));
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/ConnectionStateStore.ts
+/**
+* A typed per-connection state store that co-owns the app state and the acceptor handler's routing
+* binding in one attachment, so neither the consumer nor the handler has to hand-merge the two. Create
+* it through {@link createConnectionStateStore} (which also wires binding persistence and replays
+* surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
+*
+* The mechanism is carrier-neutral — it only needs read/write/enumerate callbacks for the connection's
+* attachment — but it pays off on transports whose connections outlive process eviction (e.g. a
+* Durable Object's hibernatable WebSockets), which is why it lives beside the hibernation adapter.
+*
+* ```ts
+* const players = createConnectionStateStore(serverHandler, {
+*   schema: vs_player,
+*   read: (ws) => ws.deserializeAttachment(),
+*   write: (ws, v) => ws.serializeAttachment(v),
+*   getConnections: () => ctx.getWebSockets(),
+* });
+* players.set(ws, player); // binding is preserved automatically
+* const player = players.get(ws);
+* ```
+*/
+var ConnectionStateStore = class {
+	options;
+	constructor(options) {
+		this.options = options;
+	}
+	/** The validated app state for a connection, or `null` if unset / invalid. */
+	get(connection) {
+		return this._readAttachment(connection).app ?? null;
+	}
+	/** Set the app state, preserving the runtime binding already pinned to the connection. */
+	set(connection, app) {
+		const existing = this._readAttachment(connection);
+		this.options.write(connection, {
+			app,
+			binding: existing.binding
+		});
+	}
+	/** Clear the app state but keep the binding (e.g. a spectator that stopped watching). */
+	clearApp(connection) {
+		const existing = this._readAttachment(connection);
+		this.options.write(connection, { binding: existing.binding });
+	}
+	/** Every live connection paired with its (validated) app state — for rebuilding in-memory state after a wake. */
+	entries() {
+		return this.options.getConnections().map((connection) => [connection, this._readAttachment(connection).app ?? null]);
+	}
+	/** @internal Persist a freshly-bound connection's binding, preserving any app state already stored. */
+	_persistBinding(connection, binding) {
+		const existing = this._readAttachment(connection);
+		this.options.write(connection, {
+			app: existing.app,
+			binding
+		});
+	}
+	/** @internal The persisted binding for a connection, if any (used to replay routing after a wake). */
+	_readBinding(connection) {
+		return this._readAttachment(connection).binding;
+	}
+	_readAttachment(connection) {
+		try {
+			const raw = this.options.read(connection);
+			if (typeof raw !== "object" || raw === null) return {};
+			const attachment = raw;
+			const result = {};
+			if (attachment.binding != null) result.binding = attachment.binding;
+			if (attachment.app !== void 0) {
+				const app = this._validateApp(attachment.app);
+				if (app !== void 0) result.app = app;
+			}
+			return result;
+		} catch {
+			return {};
+		}
+	}
+	_validateApp(value) {
+		const schema = this.options.schema;
+		if (schema == null) return value;
+		const result = schema["~standard"].validate(value);
+		if (result instanceof Promise) return void 0;
+		if (result.issues != null) return void 0;
+		return result.value;
+	}
+};
+/**
+* Build a per-connection {@link ConnectionStateStore} bound to an {@link AcceptorHandler}: it registers
+* itself as the handler's connection-bound persistence callback (so bindings are written without
+* overwriting app state) and immediately replays every live connection's stored binding via
+* {@link AcceptorHandler.rehydrateConnection} — so on a transport that resumes after eviction (e.g. a
+* Durable Object waking from hibernation) both the app identity and the action routing come back from a
+* single attachment, with no storage reads and no hand-rolled merge.
+*
+* Lives outside the handler so the generic {@link AcceptorHandler} stays free of any attachment/
+* hibernation concern — it exposes only the neutral `setOnConnectionBound` + `rehydrateConnection`
+* hooks this builder drives.
+*/
+function createConnectionStateStore(handler, options) {
+	const store = new ConnectionStateStore(options);
+	handler.setOnConnectionBound((connection, binding) => store._persistBinding(connection, binding));
+	for (const connection of options.getConnections()) {
+		const binding = store._readBinding(connection);
+		if (binding != null) handler.rehydrateConnection(connection, binding);
+	}
+	return store;
+}
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/createHibernatableWsServerAdapter.ts
+/**
+* Wire the hibernation lifecycle for an acceptor handler on a transport whose connections outlive process
+* eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
+* registers `setAttachment` as the handler's connection-bound callback and immediately replays every
+* live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
+*
+* Layered on top of the generic {@link AcceptorHandler} — it touches only the handler's neutral
+* `setOnConnectionBound` / `rehydrateConnection` / `receive` / `dropConnection` surface, so no
+* hibernation concern leaks into the handler itself.
+*
+* Construct it once when the handler is built, then forward connection events:
+* ```ts
+* const duplex = createHibernatableWsServerAdapter({ handler, getConnections, getAttachment, setAttachment });
+* // webSocketMessage(ws, msg) => duplex.receive(ws, msg);
+* // webSocketClose/Error(ws)  => duplex.drop(ws);
+* ```
+*/
+function createHibernatableWsServerAdapter(options) {
+	const { handler, getConnections, getAttachment, setAttachment } = options;
+	handler.setOnConnectionBound(setAttachment);
+	for (const connection of getConnections()) {
+		const binding = getAttachment(connection);
+		if (binding != null) handler.rehydrateConnection(connection, binding);
+	}
+	return {
+		receive: (connection, frame) => handler.receive(connection, frame),
+		drop: (connection) => handler.dropConnection(connection)
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/AcceptorCarrier.types.ts
+/**
+* Build the inert lifecycle slot a duplex carrier factory spreads into its handle: `receive`/`drop` throw
+* (or no-op) until `serveChannel` calls `_activate` with the carrier's live router. Shared by every duplex
+* carrier factory (`wsAcceptorCarrier`, a WebRTC carrier, the Cloudflare DO helper, …) so the
+* stateful-handle wiring lives in exactly one place.
+*/
+function createDuplexCarrierLifecycle() {
+	let router;
+	return {
+		receive(connection, frame) {
+			if (router == null) throw new Error("acceptor carrier not served yet — pass it to serveChannel() before feeding frames");
+			router.receive(connection, frame);
+		},
+		drop(connection) {
+			router?.drop(connection);
+		},
+		_activate(liveRouter) {
+			router = liveRouter;
+		}
+	};
+}
+/**
+* Narrow an acceptor carrier to the exchange shape via its `shape` discriminant — the one branch
+* `serveChannel` uses to pick the duplex (push-capable) vs exchange (request/reply) wiring. A duplex
+* carrier carries `shape: ETransportShape.duplex`, so the `else` branch is the duplex one.
+*/
+function isExchangeAcceptorCarrier(carrier) {
+	return carrier.shape === "exchange";
+}
+//#endregion
+//#region src/ActionRuntime/Channel/serveChannel.ts
+/** Default accepted set, shared by every carrier: negotiate per connection to whatever the client picks. */
+const DEFAULT_SERVER_SECURITY_LEVELS = [
+	"none",
+	"authenticated",
+	"encrypted"
+];
+function serveChannel(runtime, channel, options) {
+	const duplexCarriers = options.carriers.filter((carrier) => !isExchangeAcceptorCarrier(carrier));
+	const exchangeCarriers = options.carriers.filter(isExchangeAcceptorCarrier);
+	if (exchangeCarriers.length > 1) throw new Error("serveChannel: at most one exchange carrier is supported");
+	const exchangeCarrier = exchangeCarriers[0];
+	const singleDuplex = duplexCarriers.length === 1;
+	if (options.connectionState != null && !singleDuplex) throw new Error("serveChannel: `connectionState` requires exactly one duplex carrier");
+	if (options.channelCases != null && !singleDuplex) throw new Error("serveChannel: `channelCases` requires exactly one duplex carrier");
+	const exchangeSecure = exchangeCarrier != null && (exchangeCarrier.secure ?? true);
+	const anyDuplexSecure = duplexCarriers.some((carrier) => carrier.secure ?? true);
+	const securityLevel = options.securityLevel ?? DEFAULT_SERVER_SECURITY_LEVELS;
+	let secure;
+	if (anyDuplexSecure || exchangeSecure) {
+		const storage = options.storage;
+		if (storage == null) throw new Error("serveChannel: a secure carrier requires `storage`. Pass it, or set `secure: false` on the carrier for a plain endpoint.");
+		secure = {
+			storage,
+			link: options.link ?? new ClientCryptoKeyLink({ storageAdapter: storage }),
+			verifyKeyResolver: options.verifyKeyResolver ?? createStorageTofuVerifyKeyResolver(storage)
+		};
+	}
+	const plainRouter = (handler) => ({
+		receive: (connection, frame) => handler.receive(connection, frame),
+		drop: (connection) => handler.dropConnection(connection)
+	});
+	const asObject = (value) => typeof value === "object" && value != null ? value : {};
+	const handlers = [];
+	let connections;
+	for (const carrier of duplexCarriers) {
+		const handler = (carrier.secure ?? true) && secure != null ? acceptChannel(runtime, channel, {
+			clientEnv: options.clientEnv,
+			storageAdapter: secure.storage,
+			link: secure.link,
+			verifyKeyResolver: secure.verifyKeyResolver,
+			securityLevel,
+			send: carrier.send,
+			defaultTimeout: options.defaultTimeout
+		}) : createAcceptorHandler({
+			clientEnv: options.clientEnv,
+			createFormatMessage: channel.createCodec,
+			send: carrier.send,
+			runtime,
+			defaultTimeout: options.defaultTimeout
+		});
+		const attach = carrier.attachmentStore;
+		let router;
+		if (attach == null) router = plainRouter(handler);
+		else if (options.connectionState != null) {
+			connections = createConnectionStateStore(handler, {
+				schema: options.connectionState.schema,
+				getConnections: attach.getConnections,
+				read: attach.read,
+				write: attach.write
+			});
+			router = plainRouter(handler);
+		} else router = createHibernatableWsServerAdapter({
+			handler,
+			getConnections: attach.getConnections,
+			getAttachment: (connection) => attach.read(connection)?.binding,
+			setAttachment: (connection, binding) => attach.write(connection, {
+				...asObject(attach.read(connection)),
+				binding
+			})
+		});
+		carrier._activate(router);
+		handlers.push(handler);
+	}
+	runtime.addHandlers([...options.handlers ?? [], ...handlers]);
+	const soleDuplex = singleDuplex ? duplexCarriers[0] : void 0;
+	const receive = (connection, frame) => {
+		if (soleDuplex == null) throw new Error(duplexCarriers.length === 0 ? "serveChannel: no duplex carrier to receive on (this server has no socket transport)" : "serveChannel: several duplex carriers — feed each carrier handle's receive() directly");
+		soleDuplex.receive(connection, frame);
+	};
+	const drop = (connection) => {
+		soleDuplex?.drop(connection);
+	};
+	const pushToClient = (target, request, pushOptions) => {
+		const owner = target instanceof RuntimeCoordinate ? handlers.find((handler) => handler.ownsLiveConnectionFor(target)) : handlers.find((handler) => handler.hasConnection(target));
+		if (owner == null) throw new Error("serveChannel: no duplex carrier holds a connection for the push target");
+		return owner.pushToClient(runtime, target, request, pushOptions);
+	};
+	const broadcast = (makeRequest, broadcastOptions) => {
+		if (!singleDuplex) throw new Error("serveChannel: broadcast requires exactly one duplex carrier — broadcast over a specific handlers[i] instead");
+		handlers[0].broadcast(makeRequest, {
+			runtime,
+			...broadcastOptions
+		});
+	};
+	const makeConnectionContext = (connection, request) => ({
+		connection: connection ?? null,
+		origin: request.context.originClient,
+		get state() {
+			return connection != null && connections != null ? connections.get(connection) : null;
+		},
+		setState(value) {
+			if (connection != null && connections != null) connections.set(connection, value);
+		},
+		clearState() {
+			if (connection != null && connections != null) connections.clearApp(connection);
+		},
+		broadcast(makeRequest, contextOptions) {
+			broadcast(makeRequest, {
+				except: contextOptions?.exceptSelf ? connection ?? null : null,
+				where: contextOptions?.where,
+				timeout: contextOptions?.timeout,
+				onError: contextOptions?.onError
+			});
+		},
+		pushBack(pushRequest, pushOptions) {
+			if (connection == null) throw new Error("serveChannel: connection context has no live socket to push back to (HTTP-exchange path)");
+			return pushToClient(connection, pushRequest, pushOptions);
+		}
+	});
+	if (options.channelCases != null) runtime.addHandlers([handlers[0].forConnectionDomainCasesMulti(channel.toAcceptorDomains, options.channelCases, makeConnectionContext)]);
+	const exchangeSecurity = exchangeSecure && secure != null ? {
+		link: secure.link,
+		verifyKeyResolver: secure.verifyKeyResolver,
+		localCoordinate: runtime.coordinate.toJsonObject(),
+		dictionaryVersion: channel.dictionaryVersion,
+		securityLevel
+	} : void 0;
+	const defaultIsUpgrade = (request) => request.headers.get("Upgrade") === "websocket";
+	const upgraders = [];
+	for (const carrier of duplexCarriers) {
+		if (carrier.upgrade == null) continue;
+		upgraders.push({
+			isUpgrade: carrier.isUpgrade ?? defaultIsUpgrade,
+			upgrade: carrier.upgrade
+		});
+	}
+	return {
+		handlers,
+		fetch: createActionFetchHandler(runtime, {
+			cors: exchangeCarrier?.cors,
+			onWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => (upgraders.find((u) => u.isUpgrade(request, url)) ?? upgraders[0]).upgrade(request, url),
+			isWebSocketUpgrade: upgraders.length === 0 ? void 0 : (request, url) => upgraders.some((u) => u.isUpgrade(request, url)),
+			isActionPath: exchangeCarrier != null ? exchangeCarrier.isActionPath ?? (() => true) : () => false,
+			security: exchangeSecurity,
+			useErrorStatus: exchangeCarrier?.useErrorStatus
+		}),
+		receive,
+		drop,
+		pushToClient,
+		broadcast,
+		connections
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Channel/serveHost.ts
+function serveHost(runtime, channel, host, options) {
+	const server = serveChannel(runtime, channel, {
+		...options,
+		carriers: host.carriers,
+		storage: host.storage
+	});
+	host.onServed?.(server);
+	return server;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/duplex/ws/wsAcceptorCarrier.ts
+/**
+* A WebSocket {@link IDuplexAcceptorCarrier}: the accept-in dual of {@link wsCarrier}. It describes how to
+* write frames back to a live socket, how to upgrade an inbound request into one, and (optionally) how to
+* persist bindings across hibernation. Hand it to `serveChannel`'s `carriers` list — the secure session,
+* codec, and crypto identity are supplied centrally there, so this only carries the WS-specific surface.
+*/
+function wsAcceptorCarrier(options) {
+	return {
+		...createDuplexCarrierLifecycle(),
+		shape: "duplex",
+		carrierLabel: options.carrierLabel ?? "ws",
+		secure: options.secure,
+		send: options.send,
+		upgrade: options.upgrade,
+		isUpgrade: options.isUpgrade ?? ((request) => request.headers.get("Upgrade") === "websocket"),
+		attachmentStore: options.attachmentStore
+	};
+}
+//#endregion
+//#region src/ActionRuntime/Transport/Carrier/exchange/http/httpAcceptorCarrier.ts
+/**
+* An HTTP {@link IExchangeAcceptorCarrier}: the accept-in dual of {@link httpCarrier}. It serves the
+* secure exchange protocol (handshake → token session → encrypted frames) over web-standard
+* `Request`/`Response`. The crypto identity, runtime coordinate, dictionary version, and accepted security
+* levels are all supplied centrally by `serveChannel`, so this only needs to say which requests carry an
+* action envelope and how to answer CORS.
+*/
+function httpAcceptorCarrier(options = {}) {
+	return {
+		shape: "exchange",
+		carrierLabel: options.carrierLabel ?? "http",
+		secure: options.secure,
+		isActionPath: options.isActionPath,
+		cors: options.cors,
+		useErrorStatus: options.useErrorStatus
+	};
+}
+//#endregion
+export { EErrId_NiceAction as $, createServerHandshake as A, PeerLinkHandler as B, createAcceptorHandler as C, ESecurityLevel as D, EHandshakeMessageType as E, ActionLocalHandler as F, err_nice_external_client as G, ETransportStatus as H, createLocalHandler as I, ActionSchema as J, isActionPayload_Any_JsonObject as K, ActionRuntime as L, decodeHandshakeMessage as M, encodeHandshakeMessage as N, createClientHandshake as O, runtimeLinkId as P, isAction_Base_JsonObject as Q, ConnectorHandler as R, AcceptorHandler as S, decodeActionFrame as T, EErrId_NiceTransport as U, ETransportShape as V, err_nice_transport as W, actionSchema as X, EActionResponseMode as Y, isActionPayload_Result_JsonObject as Z, decodeExchangeReply as _, isExchangeAcceptorCarrier as a, EActionProgressType as at, Transport as b, createConnectionStateStore as c, RuntimeCoordinate as ct, acceptChannel as d, err_nice_action as et, acceptChannelConnections as f, ExchangeTransport as g, LinkTransport as h, serveChannel as i, EActionPayloadType as it, createStorageTofuVerifyKeyResolver as j, createInMemoryTofuVerifyKeyResolver as k, createActionFetchHandler as l, runtimeCoordinateToStringIds as lt, defineChannel as m, wsAcceptorCarrier as n, ActionPayload_Request as nt, createHibernatableWsServerAdapter as o, ActionPayload as ot, connectChannel as p, isActionPayload_Request_JsonObject as q, serveHost as r, ActionPayload_Result as rt, ConnectionStateStore as s, ActionBase as st, httpAcceptorCarrier as t, RunningAction as tt, ExchangeAcceptor as u, UNSET_RUNTIME_ENV_ID as ut, decodeExchangeRequest as v, createActionFrameCrypto as w, createSecureAcceptorHandler as x, encodeExchange as y, createConnectorHandler as z };
+
+//# sourceMappingURL=httpAcceptorCarrier-DL8lf0xB.mjs.map