@nice-code/action 0.23.0 → 0.25.0

package/build/{ActionPayload.types-B-OSg09t.d.mts → AcceptorHandler-BizUtq4u.d.mts}

@@ -175,6 +175,28 @@ type TInferOutputFromSchema<SCH extends ActionSchema<any, any, any>> = SCH exten
 } : never;
 type TWrappableDomainActionHandler<DOM extends IActionDomain> = { [K in TDomainActionId<DOM>]: (...args: [TInferInputFromSchema<DOM["actionSchema"][K]>["Input"]] extends [never] ? [] : [input: TInferInputFromSchema<DOM["actionSchema"][K]>["Input"]]) => [TInferOutputFromSchema<DOM["actionSchema"][K]>["Output"]] extends [never] ? Promise<void> | void : Promise<TInferOutputFromSchema<DOM["actionSchema"][K]>["Output"]> };
 //#endregion
+//#region src/ActionDefinition/Action/ActionBase.d.ts
+declare abstract class ActionBase<FORM extends EActionForm, DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> implements IActionBase<FORM, DOM, ID> {
+  readonly form: FORM;
+  readonly _domain: ActionDomain<DOM>;
+  readonly id: ID;
+  readonly domain: DOM["domain"];
+  readonly allDomains: DOM["allDomains"];
+  readonly schema: DOM["actionSchema"][ID];
+  constructor(form: FORM, _domain: ActionDomain<DOM>, id: ID);
+  protected toJsonObject(): IActionBase_JsonObject<FORM, DOM, ID>;
+  protected toJsonString(): string;
+}
+//#endregion
+//#region src/ActionDefinition/Action/Core/ActionCore.types.d.ts
+interface IActionCore<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends IActionBase<EActionForm.core, DOM, ID> {}
+type IActionCore_JsonObject<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = {
+  form: EActionForm.core;
+  domain: DOM["domain"];
+  allDomains: DOM["allDomains"];
+  id: ID;
+};
+//#endregion
 //#region src/ActionRuntime/RuntimeCoordinate.d.ts
 interface IRuntimeCoordinateSpecifics {
   /**
@@ -238,43 +260,6 @@ declare class RuntimeCoordinate implements IRuntimeCoordinate {
   toStringIds(): TRuntimeCoordinateStringId[];
 }
 //#endregion
-//#region src/ActionDefinition/Action/ActionBase.types.d.ts
-declare enum EActionForm {
-  core = "core",
-  context = "context",
-  data = "data"
-}
-interface INiceActionIdAndDomain<DOM extends IActionDomain = IActionDomain> {
-  domain: DOM["domain"];
-  id: keyof DOM["actionSchema"] & string;
-}
-interface IActionBase<FORM extends EActionForm, DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends INiceActionIdAndDomain<DOM> {
-  id: ID;
-  form: FORM;
-  _domain: ActionDomain<DOM>;
-  allDomains: DOM["allDomains"];
-  schema: DOM["actionSchema"][ID];
-}
-interface IActionBase_JsonObject<FORM extends EActionForm = EActionForm, DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> {
-  form: FORM;
-  domain: DOM["domain"];
-  allDomains: DOM["allDomains"];
-  id: ID;
-}
-//#endregion
-//#region src/ActionDefinition/Action/ActionBase.d.ts
-declare abstract class ActionBase<FORM extends EActionForm, DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> implements IActionBase<FORM, DOM, ID> {
-  readonly form: FORM;
-  readonly _domain: ActionDomain<DOM>;
-  readonly id: ID;
-  readonly domain: DOM["domain"];
-  readonly allDomains: DOM["allDomains"];
-  readonly schema: DOM["actionSchema"][ID];
-  constructor(form: FORM, _domain: ActionDomain<DOM>, id: ID);
-  protected toJsonObject(): IActionBase_JsonObject<FORM, DOM, ID>;
-  protected toJsonString(): string;
-}
-//#endregion
 //#region src/ActionDefinition/Action/Context/ActionContext.types.d.ts
 interface IActionRouteItem {
   runtime: RuntimeCoordinate;
@@ -338,6 +323,17 @@ declare abstract class ActionPayload<DT extends EActionPayloadType, DOM extends
   abstract toJsonObject(): IActionPayload_Base_JsonObject<DT, DOM, ID>;
 }
 //#endregion
+//#region src/ActionDefinition/Action/Payload/ActionPayload_Progress.d.ts
+declare class ActionPayload_Progress<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionPayload<EActionPayloadType.progress, DOM, ID> implements IActionPayload_Progress<DOM, ID> {
+  readonly progress: TActionProgress;
+  constructor(params: {
+    context: ActionContext<DOM, ID>;
+  } | ActionPayload_Request<DOM, ID>, progress: TActionProgress, data: IActionPayload_Data_Base);
+  toJsonObject(): IActionPayload_Progress_JsonObject<DOM, ID>;
+  toJsonString(): string;
+  toHttpResponse(): Response;
+}
+//#endregion
 //#region src/ActionDefinition/Action/Payload/ActionPayload_Result.d.ts
 declare class ActionPayload_Result<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionPayload<EActionPayloadType.result, DOM, ID> {
   readonly result: TActionResultOutcome<TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"], TInferActionError<DOM["actionSchema"][ID]>>;
@@ -420,40 +416,79 @@ interface IRunningActionUserMethods<DOM extends IActionDomain, ID extends keyof
   abort(reason?: unknown): void;
 }
 //#endregion
-//#region src/ActionDefinition/Action/Core/ActionCore.types.d.ts
-interface IActionCore<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends IActionBase<EActionForm.core, DOM, ID> {}
-type IActionCore_JsonObject<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = {
-  form: EActionForm.core;
-  domain: DOM["domain"];
-  allDomains: DOM["allDomains"];
-  id: ID;
-};
+//#region src/ActionDefinition/Action/RunningAction.d.ts
+declare class RunningAction<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> implements IRunningActionUserMethods<DOM, ID> {
+  protected _state: IRunningActionState<DOM, ID>;
+  readonly context: ActionContext<DOM, ID>;
+  readonly cuid: string;
+  readonly id: ID;
+  readonly _domain: ActionDomain<DOM>;
+  readonly domain: DOM["domain"];
+  readonly allDomains: DOM["allDomains"];
+  readonly parentCuid?: string;
+  readonly callSite?: string;
+  private readonly _resultPayloadPromise;
+  private _resolveResult;
+  private _rejectResult;
+  private _isAborted;
+  private readonly _updates;
+  private readonly _updateListeners;
+  constructor(initialState: IRunningActionState_ConstructorParams<DOM, ID>);
+  get state(): IRunningActionState<DOM, ID>;
+  abort(reason?: unknown): void;
+  addUpdateListeners(listeners: TRunningActionUpdateListener<DOM, ID>[]): () => void;
+  iterateUpdates(): AsyncIterable<TRunningActionUpdate<DOM, ID>>;
+  _sendUpdate(update: TRunningActionUpdate<DOM, ID>): void;
+  _completeWithResult(result: ActionPayload_Result<DOM, ID>): boolean;
+  _abort(reason?: unknown): boolean;
+  _failWithError(error: unknown): boolean;
+  _updateProgress(progress: ActionPayload_Progress<DOM, ID>): void;
+  waitForResultPayload(): Promise<ActionPayload_Result<DOM, ID>>;
+  _resolveFromJson(resultJson: IActionPayload_Result_JsonObject<DOM, ID>): boolean;
+}
 //#endregion
-//#region src/ActionDefinition/Action/Action.combined.types.d.ts
-/**
- * Distributes a union ID into a proper discriminated union of ActionPayload_Request instances,
- * so that narrowing on `.id` also narrows `.input`.
- */
-type TDistributeActionPayload_Request<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string> = ID extends keyof DOM["actionSchema"] & string ? ActionPayload_Request<DOM, ID> : never;
-/**
- * Distributes a union ID into a proper discriminated union of ActionPayload_Result instances,
- * so that narrowing on `.id` also narrows `.result`.
- */
-type TDistributeActionPayload_Result<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string> = ID extends keyof DOM["actionSchema"] & string ? ActionPayload_Result<DOM, ID> : never;
-/**
- *
- *  COMBINED JSON TYPES
- *
- */
-type TAction_Any_JsonObject<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = IActionCore_JsonObject<DOM, ID> | TActionPayload_Any_JsonObject<DOM, ID> | IActionContext_JsonObject<DOM, ID>;
-/**
- *
- *  UTILITY TYPES
- *
- */
-type TDistributedDomainActions<DOM extends IActionDomain, ACT extends IActionBase<any, DOM, any>> = { [ID in keyof DOM["actionSchema"] & string]: TNarrowActionType<DOM, ACT, ID> }[keyof DOM["actionSchema"] & string];
-type TNarrowActionType<DOM extends IActionDomain, ACT extends IActionBase<any, DOM, any>, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = ACT extends ActionPayload_Result<any> ? ActionPayload_Result<DOM, ID> : ACT extends ActionPayload_Request<any> ? ActionPayload_Request<DOM, ID> : ACT extends ActionPayload_Progress<any> ? ActionPayload_Progress<DOM, ID> : ACT extends ActionCore<any> ? ActionCore<DOM, ID> : never;
-type TNarrowActionJsonTypeToActionInstanceType<DOM extends IActionDomain, ACT extends TAction_Any_JsonObject<DOM>, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = ACT extends IActionPayload_Request_JsonObject<any> ? ActionPayload_Request<DOM, ID> : ACT extends IActionPayload_Result_JsonObject<any> ? ActionPayload_Result<DOM, ID> : ACT extends IActionPayload_Progress_JsonObject<any> ? ActionPayload_Progress<DOM, ID> : ACT extends IActionCore_JsonObject<any> ? ActionCore<DOM, ID> : never;
+//#region src/ActionDefinition/Domain/ActionDomainBase.d.ts
+declare abstract class ActionDomainBase<ACT_DOM extends IActionDomain = IActionDomain> implements IActionDomain<ACT_DOM["allDomains"], ACT_DOM["actionSchema"]> {
+  readonly domain: ACT_DOM["domain"];
+  readonly allDomains: ACT_DOM["allDomains"];
+  readonly actionSchema: ACT_DOM["actionSchema"];
+  protected _listeners: TRunningActionUpdateListener<any, any>[];
+  constructor(definition: ACT_DOM);
+  /**
+   * Add an observer that is called after every action dispatched through this domain.
+   * Returns an unsubscribe function — call it to remove the listener.
+   */
+  addActionListener(listener: TDistributeRunningActionUpdateListener<ACT_DOM, keyof ACT_DOM["actionSchema"] & string>): () => void;
+  /**
+   * @internal
+   * Observers registered directly on this domain via {@link addActionListener}.
+   * Used to wire observers (e.g. devtools) onto RunningActions that aren't created
+   * through the local-dispatch path — notably inbound actions pushed from a backend
+   * or another client over a bidirectional transport.
+   */
+  _getActionObservers(): TRunningActionUpdateListener<any, any>[];
+}
+//#endregion
+//#region src/ActionDefinition/Domain/ActionRootDomain.d.ts
+declare class ActionRootDomain<ROOT_DOM extends IActionRootDomain = IActionRootDomain> extends ActionDomainBase<ROOT_DOM> {
+  readonly domainDefinition: {
+    domain: ROOT_DOM["domain"];
+  };
+  private _actionRuntimeManager;
+  constructor(domainDefinition: {
+    domain: ROOT_DOM["domain"];
+  });
+  createChildDomain<SUB_DOM extends IActionDomainChildOptions>(subDomainDef: SUB_DOM & { [K in Exclude<keyof SUB_DOM, keyof IActionDomainChildOptions>]: never }): ActionDomain<TActionDomainChildDef<ROOT_DOM, SUB_DOM>>;
+  _registerRuntime(runtime: ActionRuntime): void;
+  _hasRuntime(runtime: ActionRuntime): boolean;
+  getRuntime(clientSpecifier: IRuntimeCoordinate): ActionRuntime | undefined;
+  _runAction<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string, ACT extends ActionPayload_Request<DOM, ID> = ActionPayload_Request<DOM, ID>>(actionPayload: ACT, options?: IExecuteActionOptions<DOM, ID>): Promise<RunningAction<DOM, ID>>;
+}
+//#endregion
+//#region src/ActionDefinition/Domain/helpers/createRootActionDomain.d.ts
+declare const createActionRootDomain: <ID extends string>(definition: {
+  domain: ID;
+}) => ActionRootDomain<IActionRootDomain<ID>>;
 //#endregion
 //#region src/ActionRuntime/ActionDomainManager.d.ts
 declare class ActionDomainManager {
@@ -532,133 +567,20 @@ declare class ActionRouter<DATA> {
   private _push;
 }
 //#endregion
-//#region src/ActionRuntime/Handler/ActionHandler.types.d.ts
-declare enum EActionHandlerType {
-  peer = "peer",
-  local = "local"
-}
-interface IActionHandler_Json<T extends EActionHandlerType> {
-  type: T;
-}
-interface IActionHandler_Peer_Json extends IActionHandler_Json<EActionHandlerType.peer> {
-  client: IRuntimeCoordinate;
-}
-interface IActionHandler_Local_Json extends IActionHandler_Json<EActionHandlerType.local> {}
-type TActionHandler_Json = IActionHandler_Local_Json | IActionHandler_Peer_Json;
-interface IHandleActionOptions {
-  timeout?: number;
-  targetPeer?: RuntimeCoordinate;
-  targetLocalRuntime?: ActionRuntime;
-}
-interface IExecuteActionOptions<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends IHandleActionOptions {
-  listeners?: TRunningActionUpdateListener<DOM, ID>[];
-}
-interface IActionHandler_Base<T extends EActionHandlerType> {
-  cuid: string;
-  handlerType: T;
-  getActionRouter: () => ActionRouter<any>;
-}
-/**
- *
- *  LOCAL ACTION HANDLER
- *
- */
-interface IHandleActionOptions_Local extends IHandleActionOptions {}
-interface IActionHandler_Local extends IActionHandler_Base<EActionHandlerType.local> {
-  handleActionRequest: <DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions_Local) => Promise<RunningAction<DOM, ID>>;
-}
-/**
- *
- *  PEER-LINK ACTION HANDLER
- *
- */
-interface IHandleActionOptions_Peer extends IHandleActionOptions {}
-interface IActionHandler_Peer extends IActionHandler_Base<EActionHandlerType.peer> {
-  peerClient: RuntimeCoordinate;
-  handleActionRequest: <DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions_Peer) => Promise<RunningAction<DOM, ID>>;
-  _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any>) => void): void;
+//#region src/ActionRuntime/Handler/ActionHandler.d.ts
+declare abstract class ActionHandler<T extends EActionHandlerType> implements IActionHandler_Base<T> {
+  abstract readonly handlerType: T;
+  readonly cuid: string;
+  abstract readonly actionRouter: ActionRouter<any>;
+  constructor();
+  getActionRouter(): ActionRouter<any>;
+  abstract handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
+  abstract toJsonObject(): TActionHandler_Json;
+  abstract toHandlerRouteItem(...args: any[]): IActionRouteItemHandler;
 }
-/**
- *
- *  COMBINED
- *
- */
-type TActionHandler = IActionHandler_Local | IActionHandler_Peer;
 //#endregion
-//#region src/ActionDefinition/Action/Payload/ActionPayload_Request.d.ts
-declare class ActionPayload_Request<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionPayload<EActionPayloadType.request, DOM, ID> {
-  readonly input: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"];
-  readonly inputHash: string;
-  _callSite?: string;
-  constructor(params: {
-    context: ActionContext<DOM, ID>;
-  }, input: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"], data: IActionPayload_Data_Base);
-  successResult(...args: [TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]] extends [never] ? [] | [output: TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]] : [output: TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]]): ActionPayload_Result<DOM, ID>;
-  errorResult(err: TInferActionError<DOM["actionSchema"][ID]>): ActionPayload_Result<DOM, ID>;
-  progress(progress: TActionProgress): ActionPayload_Progress<DOM, ID>;
-  toJsonObject(): IActionPayload_Request_JsonObject<DOM, ID>;
-  toJsonString(): string;
-  runToOutput(options?: IExecuteActionOptions<DOM, ID>): Promise<TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]>;
-  runToResultPayload(options?: IExecuteActionOptions<DOM, ID>): Promise<ActionPayload_Result<DOM, ID>>;
-  run(options?: IExecuteActionOptions<DOM, ID>): Promise<RunningAction<DOM, ID>>;
-}
-//#endregion
-//#region src/ActionDefinition/Action/Payload/ActionPayload_Progress.d.ts
-declare class ActionPayload_Progress<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionPayload<EActionPayloadType.progress, DOM, ID> implements IActionPayload_Progress<DOM, ID> {
-  readonly progress: TActionProgress;
-  constructor(params: {
-    context: ActionContext<DOM, ID>;
-  } | ActionPayload_Request<DOM, ID>, progress: TActionProgress, data: IActionPayload_Data_Base);
-  toJsonObject(): IActionPayload_Progress_JsonObject<DOM, ID>;
-  toJsonString(): string;
-  toHttpResponse(): Response;
-}
-//#endregion
-//#region src/ActionDefinition/Action/RunningAction.d.ts
-declare class RunningAction<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> implements IRunningActionUserMethods<DOM, ID> {
-  protected _state: IRunningActionState<DOM, ID>;
-  readonly context: ActionContext<DOM, ID>;
-  readonly cuid: string;
-  readonly id: ID;
-  readonly _domain: ActionDomain<DOM>;
-  readonly domain: DOM["domain"];
-  readonly allDomains: DOM["allDomains"];
-  readonly parentCuid?: string;
-  readonly callSite?: string;
-  private readonly _resultPayloadPromise;
-  private _resolveResult;
-  private _rejectResult;
-  private _isAborted;
-  private readonly _updates;
-  private readonly _updateListeners;
-  constructor(initialState: IRunningActionState_ConstructorParams<DOM, ID>);
-  get state(): IRunningActionState<DOM, ID>;
-  abort(reason?: unknown): void;
-  addUpdateListeners(listeners: TRunningActionUpdateListener<DOM, ID>[]): () => void;
-  iterateUpdates(): AsyncIterable<TRunningActionUpdate<DOM, ID>>;
-  _sendUpdate(update: TRunningActionUpdate<DOM, ID>): void;
-  _completeWithResult(result: ActionPayload_Result<DOM, ID>): boolean;
-  _abort(reason?: unknown): boolean;
-  _failWithError(error: unknown): boolean;
-  _updateProgress(progress: ActionPayload_Progress<DOM, ID>): void;
-  waitForResultPayload(): Promise<ActionPayload_Result<DOM, ID>>;
-  _resolveFromJson(resultJson: IActionPayload_Result_JsonObject<DOM, ID>): boolean;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/ActionHandler.d.ts
-declare abstract class ActionHandler<T extends EActionHandlerType> implements IActionHandler_Base<T> {
-  abstract readonly handlerType: T;
-  readonly cuid: string;
-  abstract readonly actionRouter: ActionRouter<any>;
-  constructor();
-  getActionRouter(): ActionRouter<any>;
-  abstract handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
-  abstract toJsonObject(): TActionHandler_Json;
-  abstract toHandlerRouteItem(...args: any[]): IActionRouteItemHandler;
-}
-//#endregion
-//#region src/utils/typescript/MaybePromise.d.ts
-type MaybePromise<T> = T | Promise<T>;
+//#region src/utils/typescript/MaybePromise.d.ts
+type MaybePromise<T> = T | Promise<T>;
 //#endregion
 //#region src/ActionRuntime/Handler/Local/ActionLocalHandler.types.d.ts
 type THandleActionExecutionFn<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = (action: TDistributeActionPayload_Request<DOM, ID>) => MaybePromise<ActionPayload_Result<DOM, ID> | IActionPayload_Result_JsonObject<DOM, ID> | TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"] | undefined>;
@@ -708,72 +630,6 @@ declare class ActionLocalHandler extends ActionHandler<EActionHandlerType.local>
 }
 declare const createLocalHandler: () => ActionLocalHandler;
 //#endregion
-//#region src/ActionRuntime/Handler/PeerLink/PeerLinkHandler.d.ts
-/**
- * Shared base for every handler that routes a domain set to/from *another runtime* (a "peer") — the
- * unified peer-link concept. Both specializations extend this as siblings, differing only in *who
- * establishes the connection*, which is a transport trait, not a routing one:
- *
- * - {@link ConnectorHandler} — **dial-out**: this runtime opens connection(s) to one peer
- *   over a transport stack (with caching + fallback). The classic "client → backend" link.
- * - {@link AcceptorHandler} — **accept-in**: connections are accepted from many peers and fed in
- *   via `receive()`; it keeps a per-connection registry and can push to any of them.
- *
- * To the runtime there is no "client" vs "server" — both are peer-link handlers (`handlerType =
- * external`) keyed to a peer coordinate, chosen by the return-path dispatch via {@link sendReturnPayload}.
- */
-declare abstract class PeerLinkHandler extends ActionHandler<EActionHandlerType.peer> implements IActionHandler_Peer {
-  /** The peer runtime this handler links to (an env-only coordinate for an accept-in handler). */
-  readonly peerClient: RuntimeCoordinate;
-  readonly handlerType = EActionHandlerType.peer;
-  /**
-   * Whether this link can deliver an *unsolicited* frame to the peer (a result/progress pushed back on
-   * the return path, or a `broadcast`). A duplex carrier (WebSocket/WebRTC/…) can; an exchange-only
-   * carrier (HTTP) cannot — its reply must ride the response to its own request. The runtime's
-   * return-path dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) skips handlers that can't
-   * push, so an exchange-only handler is never asked to deliver one.
-   */
-  abstract readonly canPush: boolean;
-  readonly actionRouter: ActionRouter<true>;
-  /** Listeners installed by the runtime (`resolveIncomingActionPayload`) for inbound peer frames. */
-  private readonly _incomingActionDataListeners;
-  constructor(peerCoordinate: RuntimeCoordinate);
-  forDomain<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>): this;
-  forAction<ACT_DOM extends IActionDomain, ID extends keyof ACT_DOM["actionSchema"] & string>(action: ActionCore<ACT_DOM, ID>): this;
-  forActionIds<ACT_DOM extends IActionDomain, IDS extends ReadonlyArray<keyof ACT_DOM["actionSchema"] & string>>(domain: ActionDomain<ACT_DOM>, ids: IDS): this;
-  _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any, any>) => void): void;
-  /** Hand a decoded inbound frame to the runtime (called by each specialization's receive path). */
-  protected _emitIncoming(json: TActionPayload_Any_JsonObject<any, any>): void;
-  /**
-   * Dispatch a result/progress payload back to the action's origin peer over this link. The runtime's
-   * return-path dispatch calls it on whichever peer-link handler best reaches `originClient`. Returns
-   * `true` if it was sent, `false` if no channel was available.
-   */
-  abstract sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
-    targetLocalRuntime: ActionRuntime;
-  }): Promise<boolean>;
-  /**
-   * Whether this handler currently holds a *live* connection bound to `origin`. The runtime's return-path
-   * dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) prefers a handler that owns the origin's
-   * connection over a mere coordinate match, so with several duplex acceptors a result/push routes back
-   * over the carrier the client connected on. Defaults to `false`; an acceptor overrides it from its
-   * connection registry.
-   */
-  ownsLiveConnectionFor(_origin: RuntimeCoordinate): boolean;
-  /** Release any long-lived connections this handler owns (a teardown). No-op by default. */
-  clearTransportCache(): void;
-}
-//#endregion
-//#region src/ActionRuntime/ActionRuntime.types.d.ts
-interface IRuntimeMeta {
-  assumed: boolean;
-  runtimeName: RuntimeName;
-}
-interface IActionRuntimeManagerContext {
-  domain?: string;
-}
-type TActionRuntimeHandler = ActionLocalHandler | PeerLinkHandler;
-//#endregion
 //#region src/ActionRuntime/Transport/crypto/actionHandshake.d.ts
 /** How much the channel protects after the handshake — chosen by the consumer (perf vs security). */
 declare enum ESecurityLevel {
@@ -958,6 +814,51 @@ declare function createServerHandshake(config: IServerHandshakeConfig): {
   getResult(): IHandshakeResult | undefined;
 };
 //#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.d.ts
+interface ISecureAcceptorHandlerOptions<TConn> {
+  /** The shared channel identity (codec + dictionary version) — same one the clients use. */
+  channel: IActionChannel;
+  /**
+   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
+   * used as the offline-return scoring fallback (a live connection always wins regardless). Optional —
+   * omit it for a multi-role server accepting several client envs over one acceptor.
+   */
+  clientEnv?: RuntimeCoordinate;
+  /** This server's runtime — its coordinate is the server identity presented in the handshake. */
+  runtime: ActionRuntime;
+  /**
+   * One backing store for the server's crypto identity *and* its trust-on-first-use verify-key pins.
+   * Their keys don't collide, so a single adapter is enough; back it with persistent storage (e.g. a
+   * Durable Object's storage) so identity and pins survive eviction.
+   */
+  storage: StorageAdapter;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
+  /**
+   * The server's crypto identity. Defaults to a fresh {@link ClientCryptoKeyLink} over `storage`.
+   * Pass an existing link to share one identity across several acceptors on the same server (e.g. a
+   * WebSocket acceptor and a secure-HTTP {@link createActionFetchHandler}), so they present the same
+   * verify/exchange keys — avoiding a divergent-key race when two fresh links initialize concurrently.
+   */
+  link?: ClientCryptoKeyLink;
+  /** Accepted level(s); defaults to negotiating any of none/authenticated/encrypted. */
+  securityLevel?: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key; defaults to storage-backed TOFU over `storage`. */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
+  defaultTimeout?: number;
+}
+/**
+ * Build an {@link AcceptorHandler} for the secure binary channel with the boilerplate folded in:
+ * it creates the {@link ClientCryptoKeyLink} and the storage-backed TOFU resolver from a single
+ * `storage`, installs the channel's per-connection codec, and assembles the `security` block
+ * from the runtime coordinate + channel version (accepting all three levels by default).
+ *
+ * For a hibernatable transport (e.g. a Durable Object), pair it with
+ * {@link createHibernatableWsServerAdapter} to wire persistence + replay.
+ */
+declare function createSecureAcceptorHandler<TConn = unknown>(options: ISecureAcceptorHandlerOptions<TConn>): AcceptorHandler<TConn>;
+//#endregion
 //#region src/ActionRuntime/Transport/Transport.d.ts
 /**
  * Context handed to a {@link Transport} definition when a handler builds a live connection from it.
@@ -967,9 +868,8 @@ interface ITransportConnectionContext {
   resolvers?: IActionTransportResolvers;
 }
 /**
- * Reusable transport definition. Devs construct these (`secureTransport({ carrier: wsCarrier(() => ({ url })) })`,
- * `plainTransport({ carrier: httpCarrier(...) })`, …) and pass them to a
- * `ConnectorHandler`. A single
+ * Reusable transport definition. Built by the internal `transport({ carrier, secure })` factory (which
+ * `connectChannel` / `serveChannel` drive) and passed to a `ConnectorHandler`. A single
  * definition can be shared across multiple handlers — each handler builds its own live
  * {@link TransportConnection} via {@link TransportConnection._createConnection}.
  */
@@ -1197,6 +1097,62 @@ interface IActionTransportDef<TYPE extends ETransportShape, INIT extends IAction
   initialize: () => INIT;
 }
 //#endregion
+//#region src/ActionRuntime/Handler/PeerLink/PeerLinkHandler.d.ts
+/**
+ * Shared base for every handler that routes a domain set to/from *another runtime* (a "peer") — the
+ * unified peer-link concept. Both specializations extend this as siblings, differing only in *who
+ * establishes the connection*, which is a transport trait, not a routing one:
+ *
+ * - {@link ConnectorHandler} — **dial-out**: this runtime opens connection(s) to one peer
+ *   over a transport stack (with caching + fallback). The classic "client → backend" link.
+ * - {@link AcceptorHandler} — **accept-in**: connections are accepted from many peers and fed in
+ *   via `receive()`; it keeps a per-connection registry and can push to any of them.
+ *
+ * To the runtime there is no "client" vs "server" — both are peer-link handlers (`handlerType =
+ * external`) keyed to a peer coordinate, chosen by the return-path dispatch via {@link sendReturnPayload}.
+ */
+declare abstract class PeerLinkHandler extends ActionHandler<EActionHandlerType.peer> implements IActionHandler_Peer {
+  /** The peer runtime this handler links to (an env-only coordinate for an accept-in handler). */
+  readonly peerClient: RuntimeCoordinate;
+  readonly handlerType = EActionHandlerType.peer;
+  /**
+   * Whether this link can deliver an *unsolicited* frame to the peer (a result/progress pushed back on
+   * the return path, or a `broadcast`). A duplex carrier (WebSocket/WebRTC/…) can; an exchange-only
+   * carrier (HTTP) cannot — its reply must ride the response to its own request. The runtime's
+   * return-path dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) skips handlers that can't
+   * push, so an exchange-only handler is never asked to deliver one.
+   */
+  abstract readonly canPush: boolean;
+  readonly actionRouter: ActionRouter<true>;
+  /** Listeners installed by the runtime (`resolveIncomingActionPayload`) for inbound peer frames. */
+  private readonly _incomingActionDataListeners;
+  constructor(peerCoordinate: RuntimeCoordinate);
+  forDomain<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>): this;
+  forAction<ACT_DOM extends IActionDomain, ID extends keyof ACT_DOM["actionSchema"] & string>(action: ActionCore<ACT_DOM, ID>): this;
+  forActionIds<ACT_DOM extends IActionDomain, IDS extends ReadonlyArray<keyof ACT_DOM["actionSchema"] & string>>(domain: ActionDomain<ACT_DOM>, ids: IDS): this;
+  _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any, any>) => void): void;
+  /** Hand a decoded inbound frame to the runtime (called by each specialization's receive path). */
+  protected _emitIncoming(json: TActionPayload_Any_JsonObject<any, any>): void;
+  /**
+   * Dispatch a result/progress payload back to the action's origin peer over this link. The runtime's
+   * return-path dispatch calls it on whichever peer-link handler best reaches `originClient`. Returns
+   * `true` if it was sent, `false` if no channel was available.
+   */
+  abstract sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
+    targetLocalRuntime: ActionRuntime;
+  }): Promise<boolean>;
+  /**
+   * Whether this handler currently holds a *live* connection bound to `origin`. The runtime's return-path
+   * dispatch ({@link ActionRuntime.getReturnHandlerForOrigin}) prefers a handler that owns the origin's
+   * connection over a mere coordinate match, so with several duplex acceptors a result/push routes back
+   * over the carrier the client connected on. Defaults to `false`; an acceptor overrides it from its
+   * connection registry.
+   */
+  ownsLiveConnectionFor(_origin: RuntimeCoordinate): boolean;
+  /** Release any long-lived connections this handler owns (a teardown). No-op by default. */
+  clearTransportCache(): void;
+}
+//#endregion
 //#region src/ActionRuntime/Handler/PeerLink/Connector/ConnectorHandler.types.d.ts
 interface IConnectorHandlerConfig {
   defaultTimeout?: number;
@@ -1242,180 +1198,98 @@ declare class ConnectorHandler extends PeerLinkHandler {
 }
 declare const createConnectorHandler: (config: IConnectorHandlerConfig) => ConnectorHandler;
 //#endregion
-//#region src/ActionRuntime/ActionRuntime.d.ts
-declare class ActionRuntime {
-  private _coordinate;
-  readonly timeCreated: number;
-  readonly runtimeInfo: IRuntimeMeta;
-  private readonly actionRouter;
-  private readonly _pendingRunningActions;
-  private readonly _registeredPeerHandlers;
-  private _applied;
-  static getDefault(): ActionRuntime;
-  constructor(coordinate: RuntimeCoordinate);
-  get coordinate(): RuntimeCoordinate;
-  specifyRuntimeCoordinate(specifics: IRuntimeCoordinateSpecifics & {
-    envId?: string;
-  }): void;
-  registerRunningAction(ra: RunningAction<any, any>): void;
-  resolveIncomingActionPayload(json: TActionPayload_Any_JsonObject<any, any>): void;
-  /**
-   * Handle an incoming action wire (e.g. from a transport layer), route it to
-   * the correct handler, and return the response. The most specific handler
-   * match is chosen (action-ID-specific beats domain-wildcard).
-   */
-  handleActionPayloadWire<D extends IActionDomain, ID extends keyof D["actionSchema"] & string>(wire: TActionPayload_Any_JsonObject<D, ID>): Promise<RunningAction<D, ID>>;
-  handleActionPayloadWire(wire: unknown): Promise<RunningAction<any, any>>;
-  handleActionPayload<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: TActionPayload_Any_Instance<DOM, ID>, options?: Omit<IHandleActionOptions, "targetLocalRuntime">): Promise<RunningAction<DOM, ID>>;
-  /**
-   * @internal
-   *
-   * Return the first handler registered for the given action, or `undefined`
-   * if none has been registered (action-ID-specific beats domain-wildcard).
-   */
-  _getHandlerForAction<ACT extends TActionPayload_Any_Instance<any, any>>(action: ACT, options?: Omit<IHandleActionOptions, "targetLocalRuntime">): TActionHandler | undefined;
-  getHandlerForActionOrThrow<ACT extends TActionPayload_Any_Instance<any, any>>(action: ACT, options?: Omit<IHandleActionOptions, "localRuntime">): TActionHandler;
-  /**
-   * Register one or more handlers. Each handler's own `actionRouter` defines
-   * which domains/actions it handles — those routing keys are mirrored into
-   * this runtime's router so the same action can be served by multiple handlers.
-   * Duplicate registrations (same handler cuid for the same key) are skipped.
-   */
-  addHandlers(handlers: TActionRuntimeHandler[]): this;
-  /**
-   * @internal Low-level primitive — the public way to open a connection is `connectChannel`, which
-   * derives routing from a channel and binds the crypto identity for you. This stays as the raw building
-   * block it sits on (it restates domain lists by hand) and is not part of the supported surface.
-   *
-   * Declare an external "backend client" in one call: build an
-   * {@link ConnectorHandler} for `externalCoordinate` carrying the given
-   * `transports`, route the listed `domains`/`actions` to it, register it (plus any
-   * `localHandlers` — e.g. server→client push handlers that share the same channel)
-   * on this runtime, and `apply()`. Returns the external handler so the caller can
-   * later `clearTransportCache()` it.
-   */
-  connectTo(externalCoordinate: RuntimeCoordinate, options: {
-    transports: Transport[];
-    domains?: ActionDomain<any>[];
-    actions?: ActionCore<any, any>[];
-    localHandlers?: TActionRuntimeHandler[];
-    defaultTimeout?: number;
-  }): ConnectorHandler;
-  private applyRuntimeForDomain;
-  /**
-   * Register this runtime with all root domains covered by its currently-added handlers,
-   * making it eligible to execute actions dispatched from those domains.
-   * After apply() is called, any subsequent addHandlers() calls also auto-register.
-   */
-  apply(): this;
-  /**
-   * Find the best registered external handler that can reach `originClient` directly.
-   * Used to locate the return-path channel for dispatching results back to the action origin.
-   * Returns `undefined` if no handler matches (score > 0 required, i.e. at least id must match).
-   *
-   * A handler that currently holds the origin's *live* connection always wins over a mere coordinate
-   * match — so with several duplex acceptors (e.g. WS + WebRTC) a result/push routes back over the carrier
-   * the client actually connected on, never a same-coordinate sibling that lacks the socket. Only when no
-   * handler owns a live connection do we fall back to the plain best-coordinate-score pick (the
-   * single-acceptor and connector-only cases, unchanged).
-   */
-  getReturnHandlerForOrigin(originClient: RuntimeCoordinate): PeerLinkHandler | undefined;
-  resetRuntime(): void;
-  private _trySetupReturnDispatch;
-}
-//#endregion
-//#region src/ActionDefinition/Domain/ActionDomainBase.d.ts
-declare abstract class ActionDomainBase<ACT_DOM extends IActionDomain = IActionDomain> implements IActionDomain<ACT_DOM["allDomains"], ACT_DOM["actionSchema"]> {
-  readonly domain: ACT_DOM["domain"];
-  readonly allDomains: ACT_DOM["allDomains"];
-  readonly actionSchema: ACT_DOM["actionSchema"];
-  protected _listeners: TRunningActionUpdateListener<any, any>[];
-  constructor(definition: ACT_DOM);
-  /**
-   * Add an observer that is called after every action dispatched through this domain.
-   * Returns an unsubscribe function — call it to remove the listener.
-   */
-  addActionListener(listener: TDistributeRunningActionUpdateListener<ACT_DOM, keyof ACT_DOM["actionSchema"] & string>): () => void;
+//#region src/ActionRuntime/Transport/Carrier/Carrier.types.d.ts
+/**
+ * Carrier shapes — the only transport-specific surface a new protocol must implement. The secure
+ * session (handshake + frame crypto + codec) and the action routing on top of it are carrier-agnostic;
+ * a carrier just moves frames. Two shapes capture every carrier:
+ *
+ * - {@link IDuplexCarrier} — a persistent, push-capable byte stream (WebSocket, WebRTC `RTCDataChannel`,
+ *   Bluetooth GATT, an in-memory pipe). Either side can send at any time, so it supports server→client
+ *   pushes (the return path + broadcast).
+ * - {@link IExchangeCarrier} — a request → single-correlated-reply carrier with no unsolicited push
+ *   (HTTP, and anything request/response-shaped). The reply rides the response to its own request.
+ *
+ * Frames are `string` (text — handshake control messages and JSON action frames) or binary
+ * (`Uint8Array`/`ArrayBuffer` — the optimized binary wire / encrypted frames).
+ */
+type TFrame$1 = string | Uint8Array | ArrayBuffer;
+/**
+ * A bidirectional, push-capable byte stream. Reduces every duplex carrier to "open, send bytes, receive
+ * bytes, close" — a WebSocket, a WebRTC data channel, a Bluetooth characteristic, or an in-memory pipe
+ * all satisfy this, so the identical secure session runs over each.
+ */
+interface IDuplexCarrier {
+  /** Resolves once the carrier is open and ready to send; rejects if it closes/errors before opening. */
+  readonly ready: Promise<void>;
+  /** Whether the carrier is currently open (a synchronous guard before `send`). */
+  isOpen(): boolean;
+  /** Write one frame to the peer. */
+  send(frame: TFrame$1): void;
   /**
-   * @internal
-   * Observers registered directly on this domain via {@link addActionListener}.
-   * Used to wire observers (e.g. devtools) onto RunningActions that aren't created
-   * through the local-dispatch path — notably inbound actions pushed from a backend
-   * or another client over a bidirectional transport.
+   * Register the carrier's handlers. Called exactly once by the session after `ready`. `onMessage`
+   * receives every inbound frame; `onClose` fires when the carrier goes away.
    */
-  _getActionObservers(): TRunningActionUpdateListener<any, any>[];
+  attach(handlers: {
+    onMessage: (frame: TFrame$1) => void;
+    onClose: () => void;
+    onError?: (error: unknown) => void;
+  }): void;
+  /** Close the carrier deliberately (a teardown). */
+  close(): void;
+  /** Optional human-readable endpoint for the devtools route chip. */
+  readonly label?: string;
 }
-//#endregion
-//#region src/ActionDefinition/Domain/ActionRootDomain.d.ts
-declare class ActionRootDomain<ROOT_DOM extends IActionRootDomain = IActionRootDomain> extends ActionDomainBase<ROOT_DOM> {
-  readonly domainDefinition: {
-    domain: ROOT_DOM["domain"];
-  };
-  private _actionRuntimeManager;
-  constructor(domainDefinition: {
-    domain: ROOT_DOM["domain"];
-  });
-  createChildDomain<SUB_DOM extends IActionDomainChildOptions>(subDomainDef: SUB_DOM & { [K in Exclude<keyof SUB_DOM, keyof IActionDomainChildOptions>]: never }): ActionDomain<TActionDomainChildDef<ROOT_DOM, SUB_DOM>>;
-  _registerRuntime(runtime: ActionRuntime): void;
-  _hasRuntime(runtime: ActionRuntime): boolean;
-  getRuntime(clientSpecifier: IRuntimeCoordinate): ActionRuntime | undefined;
-  _runAction<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string, ACT extends ActionPayload_Request<DOM, ID> = ActionPayload_Request<DOM, ID>>(actionPayload: ACT, options?: IExecuteActionOptions<DOM, ID>): Promise<RunningAction<DOM, ID>>;
+/**
+ * A request → single-correlated-reply carrier with no unsolicited push (HTTP). One `exchange` sends a
+ * frame and resolves with exactly the one reply frame for it; the carrier itself correlates them (the
+ * HTTP transaction), so no correlation id is needed on the wire.
+ */
+interface IExchangeCarrier {
+  /** Send one frame, await the single correlated reply frame. */
+  exchange(frame: TFrame$1, opts?: {
+    signal?: AbortSignal;
+  }): Promise<TFrame$1>;
+  /** Optional human-readable endpoint for the devtools route chip. */
+  readonly label?: string;
 }
-//#endregion
-//#region src/ActionDefinition/Domain/ActionDomain.d.ts
-type TActionMap<ACT_DOM extends IActionDomain> = { [K in keyof ACT_DOM["actionSchema"] & string]: ActionCore<ACT_DOM, K> };
-declare class ActionDomain<ACT_DOM extends IActionDomain = IActionDomain> extends ActionDomainBase<ACT_DOM> {
-  private _rootDomain;
-  private readonly _actionMap;
-  constructor(definition: ACT_DOM, {
-    rootDomain
-  }: {
-    rootDomain: ActionRootDomain<any>;
-  });
-  get rootDomain(): ActionRootDomain<any>;
-  /**
-   * @internal
-   * All action observers that should see actions on this domain: the root domain's
-   * observers plus this subdomain's own. Mirrors the listener set the local-dispatch
-   * path assembles in `runAction`/`_runAction`, so inbound actions (pushed from a
-   * backend or another client) can be wired up identically and surface in devtools.
-   */
-  _collectActionObservers(): TRunningActionUpdateListener<any, any>[];
-  _registerRuntime(runtime: ActionRuntime): void;
-  createChildDomain<SUB_DOM extends IActionDomainChildOptions>(subDomainDef: SUB_DOM & { [K in Exclude<keyof SUB_DOM, keyof IActionDomainChildOptions>]: never }): ActionDomain<TActionDomainChildDef<ACT_DOM, SUB_DOM>>;
-  get action(): TActionMap<ACT_DOM>;
-  actionsMap(): TActionMap<ACT_DOM>;
-  actionForId<ID extends keyof ACT_DOM["actionSchema"] & string>(id: ID): ActionCore<ACT_DOM, ID>;
-  wrapAsPartialLocalHandler(wrappedActionExecutor: Partial<TWrappableDomainActionHandler<ACT_DOM>>): ActionLocalHandler;
-  wrapAsLocalHandler(wrappedActionExecutor: TWrappableDomainActionHandler<ACT_DOM>): ActionLocalHandler;
-  hydrateContext<ID extends keyof ACT_DOM["actionSchema"] & string>(id: ID, contextData: IActionContext_Data_JsonObject): ActionContext<ACT_DOM, ID>;
-  isDomainAction<ACT extends IActionBase<any, ACT_DOM, any>>(action: ACT | unknown | null | undefined): action is TDistributedDomainActions<ACT_DOM, ACT>;
-  hydrateRequestPayload<ID extends keyof ACT_DOM["actionSchema"] & string, P extends IActionPayload_Request_JsonObject<ACT_DOM, ID>>(serialized: P): TDistributeActionPayload_Request<ACT_DOM, ID>;
-  hydrateResultPayload<ID extends keyof ACT_DOM["actionSchema"] & string, R extends IActionPayload_Result_JsonObject<ACT_DOM, ID>>(serialized: R): TDistributeActionPayload_Result<ACT_DOM, ID>;
-  hydrateAnyAction<ID extends keyof ACT_DOM["actionSchema"] & string, AJ extends TAction_Any_JsonObject<ACT_DOM, ID>>(actionJson: AJ): TNarrowActionJsonTypeToActionInstanceType<ACT_DOM, AJ, ID>;
-  runAction<ID extends keyof ACT_DOM["actionSchema"] & string, ACT extends ActionPayload_Request<ACT_DOM, ID>>(request: ACT, options?: IExecuteActionOptions<ACT_DOM, ID>): Promise<RunningAction<ACT_DOM, ID>>;
-  private createActionMap;
+type TCarrier = IDuplexCarrier | IExchangeCarrier;
+/**
+ * A reusable opener for a {@link IDuplexCarrier} plus the per-action metadata a duplex transport needs.
+ * Built by the small carrier factories (`wsCarrier`, `rtcCarrier`, `inMemoryCarrier`) and passed as a
+ * `carrier` to `connectChannel`'s transports (the internal `transport()` factory drives it) — so adding a
+ * new carrier is "write one of these", nothing else.
+ */
+interface IDuplexCarrierSource {
+  /** Open (or reuse) the carrier for an action. */
+  open: (input: ITransportRouteActionParams) => IDuplexCarrier;
+  /** Keys identifying a reusable carrier, so one carrier is shared across actions to the same peer. */
+  getCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Devtools route info for an action routed over this carrier. */
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+  /** Short carrier-kind label for the devtools chip (e.g. `"ws"`, `"webrtc"`, `"memory"`). */
+  readonly carrierLabel: string;
 }
-//#endregion
-//#region src/ActionDefinition/Action/Core/ActionCore.d.ts
-declare class ActionCore<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionBase<EActionForm.core, DOM, ID> implements IActionCore<DOM, ID> {
-  readonly _domain: ActionDomain<DOM>;
-  readonly form = EActionForm.core;
-  constructor(_domain: ActionDomain<DOM>, id: ID);
-  is<ACT extends IActionBase<any, any, any>>(action: ACT | unknown | null | undefined): action is TNarrowActionType<DOM, ACT, ID>;
-  toJsonObject(): IActionBase_JsonObject<EActionForm.core, DOM, ID>;
-  request(...args: [TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"]] extends [never] ? [input?: never] : [input: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"]]): ActionPayload_Request<DOM, ID>;
-  deserializeInput(serialized: TInferInputFromSchema<DOM["actionSchema"][ID]>["SerdeInput"]): TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"];
-  serializeInput(raw: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"]): TInferInputFromSchema<DOM["actionSchema"][ID]>["SerdeInput"];
-  validateInput(input: unknown): TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"];
-  validateOutput(output: unknown): TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"];
+/**
+ * The exchange-shape counterpart to {@link IDuplexCarrierSource}: a reusable opener for an
+ * {@link IExchangeCarrier} plus the per-action metadata an exchange transport needs. Built by
+ * `httpCarrier` and passed as a `carrier` to `connectChannel`'s transports — adding a new request/reply
+ * protocol is "write one of these". The `shape` tag lets the internal `transport()` factory pick the
+ * duplex vs exchange transport.
+ */
+interface IExchangeCarrierSource {
+  /** Discriminant so a generic factory can tell an exchange source from a duplex one. */
+  readonly shape: "exchange";
+  /** Open (or reuse) the carrier for an action. */
+  open: (input: ITransportRouteActionParams) => IExchangeCarrier;
+  /** Keys identifying a reusable carrier, so one carrier is shared across actions to the same peer. */
+  getCacheKey?: (input: ITransportRouteActionParams) => string[];
+  /** Devtools route info for an action routed over this carrier. */
+  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+  /** Short carrier-kind label for the devtools chip (e.g. `"http"`). */
+  readonly carrierLabel: string;
 }
 //#endregion
-//#region src/ActionDefinition/Domain/helpers/createRootActionDomain.d.ts
-declare const createActionRootDomain: <ID extends string>(definition: {
-  domain: ID;
-}) => ActionRootDomain<IActionRootDomain<ID>>;
-//#endregion
 //#region src/ActionRuntime/Transport/codec/actionWireCodec.d.ts
 /**
  * Shared building blocks for the binary action codecs (the stateless {@link createBinaryWireAdapter} and
@@ -1441,841 +1315,468 @@ interface IActionWireFormat {
   incoming?: (input: string | ArrayBuffer | Uint8Array | Blob) => TActionPayload_Any_JsonObject<any, any> | undefined;
 }
 //#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/AcceptorHandler.d.ts
-/** The codec shape `AcceptorHandler` uses to pack/unpack frames — same as the Link transport's. */
-type TActionChannelFormatMessage = IActionWireFormat;
-/** How a connection encodes its frames, remembered so we answer each client in its own dialect. */
-type TActionConnectionEncoding = "json" | "binary";
-/** A connection's restorable identity — what to persist so a binding survives transport eviction. */
-interface IAcceptorConnectionBinding {
-  /** Full client coordinate, so `originClient` can be re-injected into frames that omit it. */
-  client: IRuntimeCoordinate;
-  encoding: TActionConnectionEncoding;
-  /**
-   * Secure-session state (set once a connection's handshake completes). Persist it alongside the
-   * binding so an authenticated/encrypted connection resumes after eviction without re-handshaking —
-   * the `keyMaterial` lets the server re-derive the shared key from its own persisted identity.
-   */
-  secure?: {
-    securityLevel: ESecurityLevel;
-    linkedClientId: TTypeAndId;
-    keyMaterial?: IHandshakeEncryptionKeyMaterial;
-  };
+//#region src/ActionRuntime/Transport/codec/createBinaryWireSessionFactory.d.ts
+type TFormatMessage = IActionWireFormat;
+interface IBinaryWireSessionOptions {
+  /** Override how long an unresolved correlation is retained before being swept (ms). */
+  correlationTtlMs?: number;
 }
 /**
- * Server-side secure-channel config. When set, each connection negotiates a level from
- * {@link securityLevel}: an `authenticated`/`encrypted` client must complete the handshake (and is then
- * bound to its *authenticated* coordinate) before any action frame is accepted. A `none` client (only
- * when `none` is in the allowed set) is accepted as-is with a self-asserted identity. For the
- * `encrypted` level the codec source should be a session factory (`createFormatMessage`).
+ * Builds a factory of *stateful, per-connection* codecs for {@link LinkTransport} /
+ * `AcceptorHandler` — the maximally compact binary wire. Call the returned factory once per live
+ * connection (each socket on the client, each accepted connection on the server) so every channel
+ * gets its own correlation + identity state.
+ *
+ * On top of everything {@link createBinaryWireAdapter} drops, a session also drops:
+ * - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
+ *   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
+ *   only needs to be unique per socket, so a counter suffices.
+ * - **`originClient` after the first request** — the first request each side sends carries its
+ *   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
+ *   reply carries the initiator's own origin, which the initiator already knows).
+ *
+ * Both ends MUST build the factory from the same domains in the same order (positional dictionary).
+ * Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
+ *
+ * Hibernation note: after a server connection is evicted its session resets, so a still-connected
+ * client (whose session persists) will keep omitting `originClient`. The server must therefore restore
+ * the connection→client binding from its own store (see `AcceptorHandler.rehydrateConnection`) and
+ * inject `originClient` from there — the session alone can't recover it.
  */
-interface IAcceptorSecurity {
-  /**
-   * Accepted level(s). A single level is strict; an array is a negotiable allowed set — the server
-   * adopts whichever level each client requests (e.g. `[none, authenticated, encrypted]` serves all
-   * three over one endpoint).
+declare function createBinaryWireSessionFactory(domains: ActionDomain<any>[], options?: IBinaryWireSessionOptions): () => TFormatMessage;
+//#endregion
+//#region src/ActionRuntime/Channel/ActionChannel.d.ts
+/**
+ * A transport-agnostic routing contract between two runtimes, declared *by role* rather than by
+ * "client"/"server". The two ends are named for the only asymmetry that survives every carrier (WS,
+ * WebRTC, BLE, raw TCP): which side dials and which side accepts.
+ *
+ * - The **connector** dials out and opens the link ({@link connectChannel}).
+ * - The **acceptor** accepts incoming links and can push back ({@link acceptChannelConnections}).
+ *
+ * `toAcceptor` domains flow connector→acceptor (the classic "request"); `toConnector` domains flow
+ * acceptor→connector (the classic "push"). Both ends derive their routing from the same channel instead
+ * of restating domain lists — and because the contract is independent of how bytes move, the very same
+ * channel can be carried over HTTP, secure WebSockets, or a mix (WS preferred, HTTP fallback).
+ *
+ * Beyond the routing, a channel also carries its *wire identity* — the per-connection binary codec both
+ * ends build from the same domain list, plus the `dictionaryVersion` the handshake checks for drift.
+ * Whether a given transport runs encrypted is a per-transport choice (see {@link IConnectTransport.secure}
+ * and the acceptor's `securityLevel`), not a property of the channel — so one `defineChannel` definition
+ * serves both plain and secure transports.
+ */
+interface IActionChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[]> {
+  /**
+   * Domains the connector *sends to the acceptor* (connector→acceptor requests). The connector forwards
+   * them over its transport(s); the acceptor executes them.
    */
-  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
-  /** This server's crypto identity (verify + exchange key pairs, optionally persisted). */
-  link: ClientCryptoKeyLink;
-  /** This server's coordinate — its identity to clients during the handshake. */
-  localCoordinate: IRuntimeCoordinate;
-  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
+  toAcceptorDomains: TO_ACCEPTOR;
+  /**
+   * Domains the acceptor *pushes to the connector* (acceptor→connector). The connector registers local
+   * handlers for them ({@link connectChannel}'s `onPush`); the acceptor broadcasts them. Pushes need a
+   * bidirectional transport (e.g. a WebSocket) — over a request-only transport like HTTP they simply
+   * never flow.
+   */
+  toConnectorDomains: TO_CONNECTOR;
+  /** Wire dictionary version — derived from the domains by default; the handshake rejects a mismatch. */
   dictionaryVersion: string;
-  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
+  /** Per-connection session codec factory (call once per live connection). */
+  createCodec: () => IActionWireFormat;
 }
-interface IAcceptorHandlerBaseOptions<TConn> {
+/**
+ * Declare a transport-agnostic channel by role — the single source of truth both peers share. Each end
+ * MUST call this with the same domains in the same order (the binary wire dictionary is positional); the
+ * `dictionaryVersion` is derived from those domains unless you pin an explicit one. The wire dictionary
+ * spans `[...toAcceptor, ...toConnector]` in that order, so add new domains to the end of their list to
+ * keep older peers compatible.
+ *
+ * Declare the domains *by role* — `toAcceptor` (connector→acceptor requests) and `toConnector`
+ * (acceptor→connector pushes) — so the routing for both ends is derived from the channel (see
+ * {@link connectChannel} and {@link serveChannel}) instead of being restated at each end. Security is a
+ * per-transport concern, not a channel one, so this same definition is used whether a transport runs
+ * plain or encrypted.
+ */
+declare function defineChannel<const TO_ACCEPTOR extends readonly ActionDomain<any>[] = [], const TO_CONNECTOR extends readonly ActionDomain<any>[] = []>(options: {
+  /** Domains the connector sends to the acceptor (connector→acceptor requests), in a stable order. */toAcceptor: TO_ACCEPTOR; /** Domains the acceptor pushes to the connector (acceptor→connector), in a stable order. */
+  toConnector: TO_CONNECTOR; /** Pin a human-readable version instead of the derived hash (must match on both ends). */
+  dictionaryVersion?: string; /** Tuning for the per-connection binary session (e.g. correlation TTL). */
+  sessionOptions?: IBinaryWireSessionOptions;
+}): IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>;
+type TUnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends ((k: infer I) => void) ? I : never;
+type TDomainPushHandlers<D> = D extends ActionDomain<infer DEF> ? Partial<TWrappableDomainActionHandler<DEF>> : never;
+/**
+ * The `onPush` map for a channel: the merged set of every acceptor→connector (`toConnector`) action
+ * handler, each receiving the pushed action's input. Derived from the channel's `toConnectorDomains`, so
+ * the keys and input types follow the channel definition.
+ */
+type TChannelPushHandlers<TO_CONNECTOR extends readonly ActionDomain<any>[]> = TUnionToIntersection<TDomainPushHandlers<TO_CONNECTOR[number]>>;
+/**
+ * One transport to the peer, declared by *carrier* — the dial-out dual of `serveChannel`'s acceptor
+ * carriers. {@link connectChannel} binds the shared facts (channel codec/version, runtime, crypto
+ * identity) into each one, so a descriptor only carries what differs between transports: the carrier and
+ * whether it runs the secure handshake.
+ *
+ * A duplex carrier (`wsCarrier(() => ({ url }))`, `rtcCarrier(dc)`) builds a push-capable link; an exchange carrier
+ * (`httpCarrier(...)`) builds a request/reply transport. List them in preference order — the connection
+ * prefers the first that's ready and falls through on failure (e.g. secure WS preferred, HTTP fallback).
+ */
+interface IConnectTransport {
+  /** How to reach the peer — a duplex carrier (push-capable) or an exchange carrier (request/reply). */
+  carrier: IDuplexCarrierSource | IExchangeCarrierSource;
   /**
-   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`).
-   * The runtime's return-path dispatch scores incoming actions' `originClient` against this to pick
-   * this handler for sending results/pushes back over the right channel.
+   * Run the authenticated/encrypted handshake over this carrier. Defaults to `true`. A secure transport
+   * draws its identity from the connection's shared `link`/`storage`; set `false` for a plain transport
+   * (e.g. a bare HTTP fallback beside a secure WS), which then needs no `storage`.
    */
-  clientEnv: RuntimeCoordinate;
-  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
-  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
+  secure?: boolean;
+  /** Security level for this secure transport; defaults to the connection-level `securityLevel`. */
+  securityLevel?: ESecurityLevel;
   /**
-   * The runtime this handler belongs to. When set, {@link AcceptorHandler.broadcast} can be called
-   * without threading a runtime through each call. Optional — `pushToClient` still takes one explicitly.
+   * Optional availability gate — when it returns `false` this transport is skipped and the connection
+   * falls through to the next in preference order, re-evaluated per dispatch. Omit = always available.
    */
-  runtime?: ActionRuntime;
-  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
-  defaultTimeout?: number;
+  available?: (input: ITransportRouteActionParams) => boolean;
+  /** Override the devtools chip label (defaults to the carrier's own label). */
+  label?: string;
+}
+interface IConnectChannelOptions<TO_CONNECTOR extends readonly ActionDomain<any>[]> {
+  /** The peer's runtime coordinate — the acceptor this connection dials. */
+  peer: RuntimeCoordinate;
   /**
-   * Called once when a connection is first bound to a client identity. Use it to persist the binding
-   * for transports that can resume after eviction — e.g. a Durable Object's hibernatable WebSocket:
-   * `(ws, binding) => ws.serializeAttachment(binding)` — then replay it via {@link AcceptorHandler.rehydrateConnection}
-   * when the channel comes back.
+   * The transports to the peer, by carrier, in preference order (e.g. secure WS preferred, HTTP fallback).
+   * They all carry the channel's `toAcceptor` domains; the connection prefers the first that's ready and
+   * falls through on failure. {@link connectChannel} binds the channel + runtime + crypto identity into
+   * each — the dial-out dual of `serveChannel`'s `carriers`.
    */
-  onConnectionBound?: (connection: TConn, binding: IAcceptorConnectionBinding) => void;
+  transports: readonly IConnectTransport[];
   /**
-   * Enable the authenticated (optionally encrypted) handshake. When omitted, connections are trusted
-   * as-is (identity self-asserted) — fine for dev / trusted networks.
+   * One backing store for this connection's crypto identity, fanned across every *secure* transport so
+   * they present the same verify/exchange keys. Required when any transport is secure (the default); a
+   * fully-plain connection (every transport `secure: false`) may omit it. Pass `link` instead to share an
+   * existing identity.
    */
-  security?: IAcceptorSecurity;
+  storage?: StorageAdapter;
+  /** The connection's crypto identity. Defaults to a fresh {@link ClientCryptoKeyLink} over `storage`. */
+  link?: ClientCryptoKeyLink;
+  /** Default security level for secure transports; defaults to `authenticated`. */
+  securityLevel?: ESecurityLevel;
+  /** Handlers for the channel's acceptor→connector pushes. Optional — omit for a send-only connection. */
+  onPush?: TChannelPushHandlers<TO_CONNECTOR>;
+  /** Default per-action timeout for this connection. */
+  defaultTimeout?: number;
 }
 /**
- * Provide exactly one codec source:
- * - `formatMessage` — a single shared codec for every connection (stateless, e.g. `createBinaryWireAdapter`).
- * - `createFormatMessage` — a per-connection factory for stateful codecs (e.g.
- *   `createBinaryWireSessionFactory`, whose sessions hold correlation + identity state). Required for the
- *   leanest binary wire; the handler creates and caches one codec per connection.
+ * Open a connection to a peer from a single call — the dial-out dual of `serveChannel`. The channel is
+ * the single source of truth for *what* is routed (`toAcceptor` domains forwarded to the peer,
+ * `toConnector` pushes handled locally from `onPush`); the call binds the shared facts — the channel's
+ * codec/dictionary version, the runtime, and one crypto identity (a {@link ClientCryptoKeyLink} over
+ * `storage`) — into every transport in `transports`, so none of them restate the channel or runtime.
+ * List several transports to make the path transport-agnostic (secure WS preferred, HTTP fallback):
+ * ```ts
+ * const handler = connectChannel(runtime, lobbyChannel, {
+ *   peer: runtime_coordinate_lobby_do,
+ *   storage,
+ *   transports: [{ carrier: wsCarrier(() => ({ url })) }, { carrier: httpCarrier(...), secure: false }],
+ *   onPush: { player_joined: (p) => { … } },
+ * });
+ * ```
+ * Returns the {@link ConnectorHandler} so the caller can later `clearTransportCache()` it.
  */
-type IAcceptorHandlerOptions<TConn> = IAcceptorHandlerBaseOptions<TConn> & ({
-  formatMessage: TActionChannelFormatMessage;
-  createFormatMessage?: never;
-} | {
-  createFormatMessage: () => TActionChannelFormatMessage;
-  formatMessage?: never;
-});
+declare function connectChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[]>(runtime: ActionRuntime, channel: IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IConnectChannelOptions<TO_CONNECTOR>): ConnectorHandler;
+type TDomainAcceptorCases<D, TCtx> = D extends ActionDomain<infer DEF> ? { [ID in keyof DEF["actionSchema"] & string]?: TAcceptorCaseFn<DEF, ID, TCtx> } : never;
 /**
- * A connection-aware execution case (see {@link AcceptorHandler.forConnectionDomainCases}). It receives
- * the primed request plus a per-invocation `context` — whatever the wiring's context mapper produces from
- * the originating connection. The low-level handler passes the raw connection (`TConn | undefined`); the
- * higher-level `serveChannel` enriches it into an `IConnectionContext` (state + broadcast + pushBack). A
- * case may return the action's raw output, a result payload, or nothing (auto-wrapped as an empty
- * success) — exactly like a local handler case.
+ * The connection-aware case map for a channel's acceptor side: the merged set of every
+ * connector→acceptor (`toAcceptor`) action handler, each receiving the primed request plus a per-action
+ * `context`. `TCtx` is whatever the wiring supplies as that second argument — the raw connection
+ * (`TConn | undefined`) for the low-level `acceptChannelConnections`, or an enriched `IConnectionContext`
+ * for `serveChannel`'s `channelCases`. Derived from the channel's `toAcceptorDomains`, so the keys and
+ * input/output types follow the channel.
  */
-type TAcceptorCaseFn<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string, TCtx> = (action: TDistributeActionPayload_Request<DOM, ID>, context: TCtx) => ReturnType<THandleActionExecutionFn<DOM, ID>> | void;
+type TChannelAcceptorCases<TO_ACCEPTOR extends readonly ActionDomain<any>[], TCtx> = TUnionToIntersection<TDomainAcceptorCases<TO_ACCEPTOR[number], TCtx>>;
 /**
- * The connection-aware case the bare {@link AcceptorHandler} serves: its `context` is the originating
- * client's live connection (resolved from the request's `originClient`, `undefined` if the socket is
- * gone). It's {@link TAcceptorCaseFn} fixed to `TConn | undefined` — the un-enriched shape used by
- * {@link AcceptorHandler.forConnectionDomainCases} and `acceptChannelConnections`.
+ * Register an acceptor handler's execution for a channel straight from its definition: the channel's
+ * `toAcceptor` domains are served together with one merged, connection-aware case map (each case gets
+ * the primed request + the originating connection, as with
+ * {@link AcceptorHandler.forConnectionDomainCases}). The domain list is taken from the channel,
+ * never restated. Add the returned handler to the runtime alongside the acceptor handler:
+ * ```ts
+ * runtime.addHandlers([acceptChannelConnections(serverHandler, channel, { … }), serverHandler]);
+ * ```
+ *
+ * The case's second argument is the raw connection (`TConn | undefined`). For the richer state +
+ * broadcast + pushBack context, serve the channel through `serveChannel`'s `channelCases` instead.
  */
-type TAcceptorConnectionCaseFn<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string, TConn> = TAcceptorCaseFn<DOM, ID, TConn | undefined>;
+declare function acceptChannelConnections<TO_ACCEPTOR extends readonly ActionDomain<any>[], TConn>(serverHandler: AcceptorHandler<TConn>, channel: IActionChannel<TO_ACCEPTOR, any>, cases: TChannelAcceptorCases<TO_ACCEPTOR, TConn | undefined>): ActionLocalHandler;
 /**
- * Server-side handler for backends that accept many client connections over a single open channel
- * (WebSockets, Durable Objects, …). It is transport-agnostic: you feed it inbound frames with
- * {@link receive} and tell it how to write outbound frames via the `send` option.
- *
- * Add it alongside your local execution handler:
+ * {@link acceptChannel}'s options — the secure-acceptor builder options minus the `channel` and `runtime`
+ * it already takes positionally. One option bag, shared with the underlying {@link createSecureAcceptorHandler}.
+ */
+type IAcceptChannelOptions<TConn> = Omit<ISecureAcceptorHandlerOptions<TConn>, "channel" | "runtime">;
+/**
+ * Build the secure {@link AcceptorHandler} for a channel — the accept-in counterpart to
+ * {@link connectChannel}. It folds in the boilerplate of {@link createSecureAcceptorHandler} (the
+ * `ClientCryptoKeyLink` + storage-backed TOFU resolver from one `storage`, the channel's codec +
+ * dictionary version, the `security` block from the runtime coordinate) but takes the `(runtime, channel,
+ * options)` shape of the channel family. Pair it with {@link acceptChannelConnections} for execution:
  * ```ts
- * const serverHandler = createAcceptorHandler({ clientEnv, formatMessage, send: (ws, f) => ws.send(f) });
- * runtime.addHandlers([localHandler, serverHandler]);
- * // per inbound message (e.g. a Durable Object's webSocketMessage):
- * serverHandler.receive(ws, message);
+ * const acceptor = acceptChannel(runtime, gameChannel, { clientEnv, storage, send });
+ * runtime.addHandlers([acceptChannelConnections(acceptor, gameChannel, { … }), acceptor]);
  * ```
- *
- * Inbound requests route to your local handler; the runtime's return dispatch then calls this
- * handler back (it is an external handler keyed to `clientEnv`) to send the result to the originating
- * connection. The handler keeps a per-connection identity registry so each result lands on the right
- * socket, and remembers each connection's encoding so binary and JSON clients can share the channel.
- *
- * It registers an empty action router, so it is never chosen to *execute* an inbound request — only
- * to ferry results/pushes back out.
  */
-declare class AcceptorHandler<TConn = unknown> extends PeerLinkHandler {
-  /** Accept-in over a live (duplex) connection registry — it pushes results/broadcasts to bound sockets. */
-  readonly canPush = true;
-  private readonly _formatMessage?;
-  private readonly _createFormatMessage?;
-  private readonly _send;
-  private readonly _runtime?;
-  private readonly _serverTimeout;
-  private _onConnectionBound?;
-  private readonly _security?;
-  /** Normalized accepted levels; whether `none` (plain) is allowed; whether any level needs a handshake. */
-  private readonly _allowedLevels;
-  private readonly _noneAllowed;
-  private readonly _handshakeMode;
-  private readonly _connByClient;
-  private readonly _clientByConn;
-  private readonly _connEncoding;
-  private readonly _codecByConn;
-  private readonly _sessionByConn;
-  constructor(options: IAcceptorHandlerOptions<TConn>);
+declare function acceptChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[], TConn = unknown>(runtime: ActionRuntime, channel: IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IAcceptChannelOptions<TConn>): AcceptorHandler<TConn>;
+//#endregion
+//#region src/ActionRuntime/ActionRuntime.types.d.ts
+interface IRuntimeMeta {
+  assumed: boolean;
+  runtimeName: RuntimeName;
+}
+interface IActionRuntimeManagerContext {
+  domain?: string;
+}
+type TActionRuntimeHandler = ActionLocalHandler | PeerLinkHandler;
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/ConnectionStateStore.d.ts
+/**
+ * The composite value persisted to a connection's attachment: the consumer's own app state plus the
+ * {@link AcceptorHandler} routing binding. Co-storing them in one slot means a transport whose
+ * sockets outlive process eviction (e.g. a Durable Object's hibernatable WebSocket) recovers both the
+ * application identity *and* the action routing from a single attachment after a wake — no storage reads.
+ */
+interface IConnectionAttachment<TApp> {
+  app?: TApp;
+  binding?: IAcceptorConnectionBinding;
+}
+interface IConnectionStateStoreOptions<TConn, TApp> {
+  /** Read a connection's raw attachment (e.g. `(ws) => ws.deserializeAttachment()`). */
+  read: (connection: TConn) => unknown;
+  /** Persist a connection's attachment (e.g. `(ws, value) => ws.serializeAttachment(value)`). */
+  write: (connection: TConn, value: IConnectionAttachment<TApp>) => void;
   /**
-   * The codec for a connection: a per-connection session (cached) when a factory was provided, else
-   * the single shared `formatMessage`.
+   * All currently-live connections (e.g. `() => ctx.getWebSockets()`). Used to replay routing bindings
+   * after a wake (via {@link createConnectionStateStore}) and to enumerate app state in
+   * {@link ConnectionStateStore.entries}.
    */
-  private _codecFor;
+  getConnections: () => TConn[];
   /**
-   * Register (or replace) the connection-bound persistence callback after construction. Used by
-   * lifecycle helpers like {@link createHibernatableWsServerAdapter} so persistence and replay are
-   * owned by one place instead of being split across the constructor options.
-   */
-  setOnConnectionBound(onConnectionBound: (connection: TConn, binding: IAcceptorConnectionBinding) => void): void;
-  /**
-   * Feed one inbound frame from a connection into the runtime. Decodes text or binary, binds the
-   * connection to the requesting client's identity, then routes it (requests execute locally;
-   * results/progress resolve pending server-initiated actions).
-   */
-  receive(connection: TConn, frame: string | ArrayBuffer | Uint8Array): void;
-  private _receivePlain;
-  /**
-   * The secure session for a connection (built lazily on its first secure-mode frame), with the
-   * handler-owned effects — raw send, identity binding + persistence, and inbound routing — wired in as
-   * callbacks. The session owns all crypto/handshake/chain state; the handler keeps only the registry.
-   */
-  private _sessionFor;
-  /** Bind + persist a connection's authenticated identity once its handshake completes. */
-  private _onConnectionAuthenticated;
-  /** Decode a decrypted authenticated frame, inject the *authenticated* identity, and route it. */
-  private _routeAuthedActionBytes;
-  /**
-   * Ensure an inbound request carries the client's identity and that this connection is bound to it,
-   * so its result can be routed back. A session codec omits `originClient` after the first request, so
-   * when it's missing we restore it from the (possibly rehydrated) binding instead. (Plain mode only;
-   * secure mode binds the authenticated coordinate at handshake time.)
-   */
-  private _resolveRequestIdentity;
-  /**
-   * Restore a connection→client binding without an inbound frame — for transports that resume after
-   * eviction. Pair it with the {@link IAcceptorHandlerOptions.onConnectionBound} hook: persist
-   * the binding there, then replay each live connection here when the channel comes back (e.g. a
-   * Durable Object iterating `ctx.getWebSockets()` as it wakes from hibernation).
-   */
-  rehydrateConnection(connection: TConn, binding: IAcceptorConnectionBinding): void;
-  toJsonObject(): IActionHandler_Peer_Json;
-  toHandlerRouteItem(): IActionRouteItemHandler;
-  /** Forget a connection (call on socket close) so stale entries don't misroute later results. */
-  dropConnection(connection: TConn): void;
-  /** Live connection for a client coordinate, if currently registered. */
-  getConnectionForClient(client: RuntimeCoordinate): TConn | undefined;
-  /** This acceptor owns the origin's return path when it currently holds a live connection bound to it. */
-  ownsLiveConnectionFor(origin: RuntimeCoordinate): boolean;
-  /** Whether this acceptor currently tracks `connection` — used to pick the owning handler among several. */
-  hasConnection(connection: TConn): boolean;
-  /**
-   * Send (and optionally await) a server-initiated action to a specific connected client. Pass the
-   * connection token directly (e.g. the `ws`) or a client `RuntimeCoordinate` to look one up.
-   */
-  pushToClient<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(runtime: ActionRuntime, target: TConn | RuntimeCoordinate, request: ActionPayload_Request<DOM, ID>, options?: {
-    timeout?: number;
-  }): RunningAction<DOM, ID>;
-  /**
-   * Build a local handler whose cases are connection-aware: each case receives the primed request and
-   * the originating client's live connection (resolved from `originClient`), so handlers don't repeat
-   * the `getConnectionForClient(action.context.originClient)` lookup. Cases may return raw output or
-   * nothing, just like {@link ActionLocalHandler.forDomainActionCases}. Add the returned handler to the
-   * runtime alongside this server handler:
-   * ```ts
-   * runtime.addHandlers([serverHandler.forConnectionDomainCases(domain, { … }), serverHandler]);
-   * ```
-   */
-  forConnectionDomainCases<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>, cases: { [ID in keyof FOR_DOM["actionSchema"] & string]?: TAcceptorConnectionCaseFn<FOR_DOM, ID, TConn> }): ActionLocalHandler;
-  /**
-   * Like {@link forConnectionDomainCases} but spanning several domains with one merged case map — used
-   * by channel-derived wiring (`acceptChannelConnections` / `serveChannel`) where the channel's
-   * `toAcceptor` domains are served together. Each domain takes only the cases whose ids it owns, so a
-   * single map can cover several domains and unrelated ids are ignored.
-   *
-   * `mapContext` turns the resolved connection into whatever the case's second argument should be: the
-   * raw connection for the low-level helper, or an enriched `IConnectionContext` for `serveChannel`. It's
-   * called once per inbound action, after the originating connection is resolved.
-   */
-  forConnectionDomainCasesMulti<TCtx>(domains: readonly ActionDomain<any>[], cases: Record<string, TAcceptorCaseFn<any, any, TCtx> | undefined>, mapContext: (connection: TConn | undefined, request: ActionPayload_Request<any, any>) => TCtx): ActionLocalHandler;
-  /**
-   * Fan a server-initiated request out to every currently-bound connection. A fresh request is built
-   * per connection (each push mutates its own action context) and dispatched fire-and-forget. Pass
-   * `except` to skip the originating socket and `where` to filter by connection (e.g. read its
-   * attachment for a role). Iterating bound connections (rather than every accepted socket) skips
-   * sockets that are still mid-handshake and so can't yet receive a frame.
+   * Optional Standard Schema (valibot, zod, …) validating the *app* portion on read. A value that
+   * fails validation reads back as `null` — the same lenient behavior as a hand-written safeParse
+   * helper. The binding is the library's own shape and is never validated.
    */
-  broadcast<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(makeRequest: () => ActionPayload_Request<DOM, ID>, options?: {
-    runtime?: ActionRuntime;
-    except?: TConn | null;
-    where?: (connection: TConn) => boolean;
-    timeout?: number;
-    onError?: (error: unknown, connection: TConn) => void;
-  }): void;
-  sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
-    targetLocalRuntime: ActionRuntime;
-  }): Promise<boolean>;
-  handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
-  private _dispatch;
-  private _sendPayload;
-  private _bindConnection;
-  private _resolveConnection;
-  private _resolveSingleConnection;
+  schema?: StandardSchemaV1<unknown, TApp>;
 }
-declare const createAcceptorHandler: <TConn = unknown>(options: IAcceptorHandlerOptions<TConn>) => AcceptorHandler<TConn>;
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/Carrier.types.d.ts
 /**
- * Carrier shapes — the only transport-specific surface a new protocol must implement. The secure
- * session (handshake + frame crypto + codec) and the action routing on top of it are carrier-agnostic;
- * a carrier just moves frames. Two shapes capture every carrier:
+ * A typed per-connection state store that co-owns the app state and the acceptor handler's routing
+ * binding in one attachment, so neither the consumer nor the handler has to hand-merge the two. Create
+ * it through {@link createConnectionStateStore} (which also wires binding persistence and replays
+ * surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
  *
- * - {@link IDuplexCarrier} — a persistent, push-capable byte stream (WebSocket, WebRTC `RTCDataChannel`,
- *   Bluetooth GATT, an in-memory pipe). Either side can send at any time, so it supports server→client
- *   pushes (the return path + broadcast).
- * - {@link IExchangeCarrier} — a request → single-correlated-reply carrier with no unsolicited push
- *   (HTTP, and anything request/response-shaped). The reply rides the response to its own request.
+ * The mechanism is carrier-neutral — it only needs read/write/enumerate callbacks for the connection's
+ * attachment — but it pays off on transports whose connections outlive process eviction (e.g. a
+ * Durable Object's hibernatable WebSockets), which is why it lives beside the hibernation adapter.
  *
- * Frames are `string` (text — handshake control messages and JSON action frames) or binary
- * (`Uint8Array`/`ArrayBuffer` — the optimized binary wire / encrypted frames).
- */
-type TFrame$1 = string | Uint8Array | ArrayBuffer;
-/**
- * A bidirectional, push-capable byte stream. Reduces every duplex carrier to "open, send bytes, receive
- * bytes, close" — a WebSocket, a WebRTC data channel, a Bluetooth characteristic, or an in-memory pipe
- * all satisfy this, so the identical secure session runs over each.
+ * ```ts
+ * const players = createConnectionStateStore(serverHandler, {
+ *   schema: vs_player,
+ *   read: (ws) => ws.deserializeAttachment(),
+ *   write: (ws, v) => ws.serializeAttachment(v),
+ *   getConnections: () => ctx.getWebSockets(),
+ * });
+ * players.set(ws, player); // binding is preserved automatically
+ * const player = players.get(ws);
+ * ```
  */
-interface IDuplexCarrier {
-  /** Resolves once the carrier is open and ready to send; rejects if it closes/errors before opening. */
-  readonly ready: Promise<void>;
-  /** Whether the carrier is currently open (a synchronous guard before `send`). */
-  isOpen(): boolean;
-  /** Write one frame to the peer. */
-  send(frame: TFrame$1): void;
-  /**
-   * Register the carrier's handlers. Called exactly once by the session after `ready`. `onMessage`
-   * receives every inbound frame; `onClose` fires when the carrier goes away.
-   */
-  attach(handlers: {
-    onMessage: (frame: TFrame$1) => void;
-    onClose: () => void;
-    onError?: (error: unknown) => void;
-  }): void;
-  /** Close the carrier deliberately (a teardown). */
-  close(): void;
-  /** Optional human-readable endpoint for the devtools route chip. */
-  readonly label?: string;
+declare class ConnectionStateStore<TConn, TApp> {
+  private readonly options;
+  constructor(options: IConnectionStateStoreOptions<TConn, TApp>);
+  /** The validated app state for a connection, or `null` if unset / invalid. */
+  get(connection: TConn): TApp | null;
+  /** Set the app state, preserving the runtime binding already pinned to the connection. */
+  set(connection: TConn, app: TApp): void;
+  /** Clear the app state but keep the binding (e.g. a spectator that stopped watching). */
+  clearApp(connection: TConn): void;
+  /** Every live connection paired with its (validated) app state — for rebuilding in-memory state after a wake. */
+  entries(): [TConn, TApp | null][];
+  /** @internal Persist a freshly-bound connection's binding, preserving any app state already stored. */
+  _persistBinding(connection: TConn, binding: IAcceptorConnectionBinding): void;
+  /** @internal The persisted binding for a connection, if any (used to replay routing after a wake). */
+  _readBinding(connection: TConn): IAcceptorConnectionBinding | undefined;
+  private _readAttachment;
+  private _validateApp;
 }
 /**
- * A request → single-correlated-reply carrier with no unsolicited push (HTTP). One `exchange` sends a
- * frame and resolves with exactly the one reply frame for it; the carrier itself correlates them (the
- * HTTP transaction), so no correlation id is needed on the wire.
+ * Build a per-connection {@link ConnectionStateStore} bound to an {@link AcceptorHandler}: it registers
+ * itself as the handler's connection-bound persistence callback (so bindings are written without
+ * overwriting app state) and immediately replays every live connection's stored binding via
+ * {@link AcceptorHandler.rehydrateConnection} — so on a transport that resumes after eviction (e.g. a
+ * Durable Object waking from hibernation) both the app identity and the action routing come back from a
+ * single attachment, with no storage reads and no hand-rolled merge.
+ *
+ * Lives outside the handler so the generic {@link AcceptorHandler} stays free of any attachment/
+ * hibernation concern — it exposes only the neutral `setOnConnectionBound` + `rehydrateConnection`
+ * hooks this builder drives.
  */
-interface IExchangeCarrier {
-  /** Send one frame, await the single correlated reply frame. */
-  exchange(frame: TFrame$1, opts?: {
-    signal?: AbortSignal;
-  }): Promise<TFrame$1>;
-  /** Optional human-readable endpoint for the devtools route chip. */
-  readonly label?: string;
+declare function createConnectionStateStore<TConn, TApp>(handler: AcceptorHandler<TConn>, options: IConnectionStateStoreOptions<TConn, TApp>): ConnectionStateStore<TConn, TApp>;
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/createHibernatableWsServerAdapter.d.ts
+interface IHibernatableWsServerAdapterOptions<TConn> {
+  /** The handler to drive (from `createSecureAcceptorHandler` or `createAcceptorHandler`). */
+  handler: AcceptorHandler<TConn>;
+  /** All currently-live connections — replayed on construction to rebuild bindings after a wake. */
+  getConnections: () => TConn[];
+  /** Read a connection's persisted binding (e.g. `(ws) => ws.deserializeAttachment()`). */
+  getAttachment: (connection: TConn) => IAcceptorConnectionBinding | undefined;
+  /** Persist a connection's binding when it is bound (e.g. `(ws, b) => ws.serializeAttachment(b)`). */
+  setAttachment: (connection: TConn, binding: IAcceptorConnectionBinding) => void;
 }
-type TCarrier = IDuplexCarrier | IExchangeCarrier;
 /**
- * A reusable opener for a {@link IDuplexCarrier} plus the per-action metadata a duplex transport needs.
- * Built by the small carrier factories (`wsCarrier`, `rtcCarrier`, `inMemoryCarrier`) and handed to
- * {@link secureTransport} / `LinkTransport` — so adding a new carrier is "write one of these", nothing
- * else.
+ * The neutral lifecycle surface for a duplex (push-capable) acceptor: feed it each inbound frame and tell
+ * it when a connection goes away. Carrier-agnostic — a WebSocket, a WebRTC data channel, or any other
+ * duplex connection drives the same two methods.
  */
-interface IDuplexCarrierSource {
-  /** Open (or reuse) the carrier for an action. */
-  open: (input: ITransportRouteActionParams) => IDuplexCarrier;
-  /** Keys identifying a reusable carrier, so one carrier is shared across actions to the same peer. */
-  getCacheKey?: (input: ITransportRouteActionParams) => string[];
-  /** Devtools route info for an action routed over this carrier. */
-  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
-  /** Short carrier-kind label for the devtools chip (e.g. `"ws"`, `"webrtc"`, `"memory"`). */
-  readonly carrierLabel: string;
+interface IDuplexConnectionRouter<TConn> {
+  /** Feed one inbound frame from a connection into the handler. */
+  receive: (connection: TConn, frame: string | ArrayBuffer | Uint8Array) => void;
+  /** Forget a connection (call on socket close/error). */
+  drop: (connection: TConn) => void;
 }
 /**
- * The exchange-shape counterpart to {@link IDuplexCarrierSource}: a reusable opener for an
- * {@link IExchangeCarrier} plus the per-action metadata an exchange transport needs. Built by
- * `httpCarrier` and handed to {@link secureTransport} — adding a new request/reply protocol is "write
- * one of these". The `shape` tag lets {@link secureTransport} pick the duplex vs exchange transport.
+ * Wire the hibernation lifecycle for an acceptor handler on a transport whose connections outlive process
+ * eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
+ * registers `setAttachment` as the handler's connection-bound callback and immediately replays every
+ * live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
+ *
+ * Layered on top of the generic {@link AcceptorHandler} — it touches only the handler's neutral
+ * `setOnConnectionBound` / `rehydrateConnection` / `receive` / `dropConnection` surface, so no
+ * hibernation concern leaks into the handler itself.
+ *
+ * Construct it once when the handler is built, then forward connection events:
+ * ```ts
+ * const duplex = createHibernatableWsServerAdapter({ handler, getConnections, getAttachment, setAttachment });
+ * // webSocketMessage(ws, msg) => duplex.receive(ws, msg);
+ * // webSocketClose/Error(ws)  => duplex.drop(ws);
+ * ```
  */
-interface IExchangeCarrierSource {
-  /** Discriminant so a generic factory can tell an exchange source from a duplex one. */
-  readonly shape: "exchange";
-  /** Open (or reuse) the carrier for an action. */
-  open: (input: ITransportRouteActionParams) => IExchangeCarrier;
-  /** Keys identifying a reusable carrier, so one carrier is shared across actions to the same peer. */
-  getCacheKey?: (input: ITransportRouteActionParams) => string[];
-  /** Devtools route info for an action routed over this carrier. */
-  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
-  /** Short carrier-kind label for the devtools chip (e.g. `"http"`). */
-  readonly carrierLabel: string;
-}
+declare function createHibernatableWsServerAdapter<TConn>(options: IHibernatableWsServerAdapterOptions<TConn>): IDuplexConnectionRouter<TConn>;
 //#endregion
-//#region src/ActionRuntime/Transport/codec/createBinaryWireSessionFactory.d.ts
-type TFormatMessage = IActionWireFormat;
-interface IBinaryWireSessionOptions {
-  /** Override how long an unresolved correlation is retained before being swept (ms). */
-  correlationTtlMs?: number;
-}
+//#region src/ActionRuntime/Transport/Carrier/AcceptorCarrier.types.d.ts
 /**
- * Builds a factory of *stateful, per-connection* codecs for {@link LinkTransport} /
- * `AcceptorHandler` — the maximally compact binary wire. Call the returned factory once per live
- * connection (each socket on the client, each accepted connection on the server) so every channel
- * gets its own correlation + identity state.
- *
- * On top of everything {@link createBinaryWireAdapter} drops, a session also drops:
- * - **`cuid`** — replaced by a per-connection integer correlation id. The initiator maps it to its
- *   real cuid; the responder echoes it; each side reconstructs the cuid from its own map. Correlation
- *   only needs to be unique per socket, so a counter suffices.
- * - **`originClient` after the first request** — the first request each side sends carries its
- *   identity; the peer remembers it and injects it into later frames. Replies omit it entirely (a
- *   reply carries the initiator's own origin, which the initiator already knows).
- *
- * Both ends MUST build the factory from the same domains in the same order (positional dictionary).
- * Text frames still return `undefined` from `incoming`, so JSON clients remain interoperable.
+ * Acceptor-side carrier descriptors — the accept-in dual of the connector's {@link IDuplexCarrierSource}
+ * / {@link IExchangeCarrierSource}. Where a connector source knows how to *open* a carrier to a peer, an
+ * acceptor carrier knows how to *serve* one peer's traffic on this server. Both shapes are carrier-neutral
+ * about security: `serveChannel` builds the crypto identity (link + TOFU resolver) and the security block
+ * once from `(runtime, channel)` and fans it across every carrier, so a carrier descriptor never restates
+ * it.
  *
- * Hibernation note: after a server connection is evicted its session resets, so a still-connected
- * client (whose session persists) will keep omitting `originClient`. The server must therefore restore
- * the connection→client binding from its own store (see `AcceptorHandler.rehydrateConnection`) and
- * inject `originClient` from there — the session alone can't recover it.
- */
-declare function createBinaryWireSessionFactory(domains: ActionDomain<any>[], options?: IBinaryWireSessionOptions): () => TFormatMessage;
-//#endregion
-//#region src/ActionRuntime/Channel/secureChannel.d.ts
-/** The per-connection binary session codec — built once per socket from the channel's domains. */
-type TChannelCodec = IActionWireFormat;
-/**
- * The shared identity of a secure channel (carrier-agnostic — WS, WebRTC, HTTP, …): the wire
- * dictionary version both ends check during the handshake, plus the per-connection codec factory both
- * ends build from the *same* domain list. Define it once (typically in code shared by both peers) and
- * hand it to `secureTransport` on the connector and `serveChannel` (or the lower-level `acceptChannel` /
- * `createSecureAcceptorHandler`) on the acceptor, so the codec and version can never drift apart.
- */
-interface ISecureChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[]> extends IActionChannel<TO_ACCEPTOR, TO_CONNECTOR> {
-  /** Wire dictionary version — derived from the domains by default; the handshake rejects a mismatch. */
-  dictionaryVersion: string;
-  /** Per-connection session codec factory (call once per live connection). */
-  createCodec: () => TChannelCodec;
-}
-/**
- * Bundle a secure channel's shared identity from its transported domains. Both ends MUST call this
- * with the same domains in the same order (the binary wire dictionary is positional). The
- * `dictionaryVersion` is derived from those domains unless you pin an explicit one.
+ * Two shapes mirror the connector side:
  *
- * Declare the domains *by role* — `toAcceptor` (connector→acceptor requests) and `toConnector`
- * (acceptor→connector pushes) — so the routing for both ends is derived from the channel (see
- * {@link connectChannel} and `acceptChannelConnections`) instead of being restated at each end. The
- * wire dictionary spans `[...toAcceptor, ...toConnector]` in that order; add new domains to the end of
- * their list to keep older peers compatible. (`domains` is still accepted as a legacy alias for
- * `toAcceptor`.)
+ * - {@link IDuplexAcceptorCarrier} — a persistent, push-capable byte stream (WebSocket, WebRTC, …). It can
+ *   push acceptor→connector, so it carries the return path and broadcasts, and it may need an upgrade step
+ *   (e.g. a Durable Object's `WebSocketPair`) and optional hibernation persistence.
+ * - {@link IExchangeAcceptorCarrier} — a request → single-correlated-reply carrier with no unsolicited push
+ *   (HTTP). The reply rides the response to its own request; there is nothing to push and nothing to
+ *   upgrade.
  */
-declare function defineSecureChannel<const TO_ACCEPTOR extends readonly ActionDomain<any>[] = [], const TO_CONNECTOR extends readonly ActionDomain<any>[] = []>(options: {
-  /** Domains the connector sends to the acceptor (connector→acceptor requests), in a stable order. */toAcceptor: TO_ACCEPTOR; /** Domains the acceptor pushes to the connector (acceptor→connector), in a stable order. */
-  toConnector: TO_CONNECTOR; /** Pin a human-readable version instead of the derived hash (must match on both ends). */
-  dictionaryVersion?: string; /** Tuning for the per-connection binary session (e.g. correlation TTL). */
-  sessionOptions?: IBinaryWireSessionOptions;
-}): ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>;
-//#endregion
-//#region src/ActionRuntime/Channel/ActionChannel.d.ts
 /**
- * A transport-agnostic routing contract between two runtimes, declared *by role* rather than by
- * "client"/"server". The two ends are named for the only asymmetry that survives every carrier (WS,
- * WebRTC, BLE, raw TCP): which side dials and which side accepts.
- *
- * - The **connector** dials out and opens the link ({@link connectChannel}).
- * - The **acceptor** accepts incoming links and can push back ({@link acceptChannelConnections}).
- *
- * `toAcceptor` domains flow connector→acceptor (the classic "request"); `toConnector` domains flow
- * acceptor→connector (the classic "push"). Both ends derive their routing from the same channel instead
- * of restating domain lists — and because the contract is independent of how bytes move, the very same
- * channel can be carried over HTTP, secure WebSockets, or a mix (WS preferred, HTTP fallback).
+ * Raw read/write access to a connection's persisted attachment, for a duplex carrier whose connections
+ * outlive process eviction (e.g. a Durable Object's hibernatable WebSockets). Optional — omit for a
+ * transport that never hibernates (per-connection state is then in-memory only).
  *
- * Build a plain one with {@link defineChannel}; layer wire-specific identity on top with
- * `defineSecureChannel` (which returns an `ISecureChannel` — still an `IActionChannel`, so it works
- * everywhere a channel is expected).
+ * `serveChannel` owns the attachment *layout*: it co-stores the routing binding and (when
+ * `connectionState` is requested) per-connection app state as one composite in this single slot, so both
+ * survive a wake. The carrier only has to say how to read/write the slot and enumerate live connections.
  */
-interface IActionChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[]> {
-  /**
-   * Domains the connector *sends to the acceptor* (connector→acceptor requests). The connector forwards
-   * them over its transport(s); the acceptor executes them.
-   */
-  toAcceptorDomains: TO_ACCEPTOR;
-  /**
-   * Domains the acceptor *pushes to the connector* (acceptor→connector). The connector registers local
-   * handlers for them ({@link connectChannel}'s `onPush`); the acceptor broadcasts them. Pushes need a
-   * bidirectional transport (e.g. a WebSocket) — over a request-only transport like HTTP they simply
-   * never flow.
-   */
-  toConnectorDomains: TO_CONNECTOR;
+interface IAcceptorAttachmentStore<TConn> {
+  /** All currently-live connections — enumerated on build to replay binding + app state after a wake. */
+  getConnections: () => TConn[];
+  /** Read a connection's persisted attachment (e.g. `(ws) => ws.deserializeAttachment()`). */
+  read: (connection: TConn) => unknown;
+  /** Persist a connection's attachment (e.g. `(ws, value) => ws.serializeAttachment(value)`). */
+  write: (connection: TConn, value: unknown) => void;
 }
 /**
- * Declare a transport-agnostic channel by role. Use it for HTTP, custom transports, or as the routing
- * half of a richer channel. The order of each list is part of the contract for wire formats that pack
- * positionally (see `defineSecureChannel`) — add new domains to the end of their list. (`domains` is
- * accepted as a legacy alias for `toAcceptor`.)
- */
-declare function defineChannel<const TO_ACCEPTOR extends readonly ActionDomain<any>[] = [], const TO_CONNECTOR extends readonly ActionDomain<any>[] = []>(options: {
-  toAcceptor: TO_ACCEPTOR;
-  toConnector: TO_CONNECTOR;
-}): IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>;
-type TUnionToIntersection<U> = (U extends any ? (k: U) => void : never) extends ((k: infer I) => void) ? I : never;
-type TDomainPushHandlers<D> = D extends ActionDomain<infer DEF> ? Partial<TWrappableDomainActionHandler<DEF>> : never;
-/**
- * The `onPush` map for a channel: the merged set of every acceptor→connector (`toConnector`) action
- * handler, each receiving the pushed action's input. Derived from the channel's `toConnectorDomains`, so
- * the keys and input types follow the channel definition.
+ * A duplex carrier is also its own lifecycle handle: once it has been passed to `serveChannel`, feed each
+ * inbound frame to {@link receive} and forget a connection on close/error with {@link drop}. This is how a
+ * server with *several* duplex carriers routes each connection's traffic to the right one — you hold the
+ * carrier you created and feed it directly, so no per-carrier router lookup is needed. The methods throw if
+ * called before the carrier is served. (`serveChannel` binds the live router via {@link _activate}.)
  */
-type TChannelPushHandlers<TO_CONNECTOR extends readonly ActionDomain<any>[]> = TUnionToIntersection<TDomainPushHandlers<TO_CONNECTOR[number]>>;
+interface IDuplexCarrierLifecycle<TConn> {
+  /** Feed one inbound frame from a live connection into the server. Throws until the carrier is served. */
+  receive(connection: TConn, frame: TFrame$1): void;
+  /** Forget a connection on close/error. No-op until the carrier is served. */
+  drop(connection: TConn): void;
+  /** @internal `serveChannel` binds this carrier's live connection router here. */
+  _activate(router: IDuplexConnectionRouter<TConn>): void;
+}
 /**
- * One transport to the peer, declared by *carrier* — the dial-out dual of `serveChannel`'s acceptor
- * carriers. {@link connectChannel} binds the shared facts (channel codec/version, runtime, crypto
- * identity) into each one, so a descriptor only carries what differs between transports: the carrier and
- * whether it runs the secure handshake.
- *
- * A duplex carrier (`wsCarrier(() => ({ url }))`, `rtcCarrier(dc)`) builds a push-capable link; an exchange carrier
- * (`httpCarrier(...)`) builds a request/reply transport. List them in preference order — the connection
- * prefers the first that's ready and falls through on failure (e.g. secure WS preferred, HTTP fallback).
+ * A duplex (push-capable) carrier on the acceptor side. Describes how to write a frame back to a live
+ * connection, how to perform the transport-specific upgrade that admits one, which requests are such
+ * upgrades, and (optionally) how to persist bindings across hibernation. Built by `wsAcceptorCarrier` and
+ * handed to `serveChannel`'s `carriers` list — the returned carrier is also its own lifecycle handle (see
+ * {@link IDuplexCarrierLifecycle}).
  */
-interface IConnectTransport {
-  /** How to reach the peer — a duplex carrier (push-capable) or an exchange carrier (request/reply). */
-  carrier: IDuplexCarrierSource | IExchangeCarrierSource;
+interface IDuplexAcceptorCarrier<TConn = unknown> extends IDuplexCarrierLifecycle<TConn> {
+  /** Discriminant so `serveChannel` can tell a duplex carrier from an exchange one. */
+  readonly shape: ETransportShape.duplex;
   /**
-   * Run the authenticated/encrypted handshake over this carrier. Defaults to `true`. A secure transport
-   * draws its identity from the connection's shared `link`/`storage`; set `false` for a plain transport
-   * (e.g. a bare HTTP fallback beside a secure WS), which then needs no `storage`.
+   * Whether each connection runs the secure handshake (default `true`). `false` makes it a plain duplex
+   * carrier: connections speak the channel's wire codec directly with a self-asserted identity — no
+   * handshake, pins, or encryption (the duplex dual of `httpAcceptorCarrier({ secure: false })`). A plain
+   * carrier ignores the central crypto identity, so it needs no `storage` on `serveChannel`.
    */
   secure?: boolean;
-  /** Security level for this secure transport; defaults to the connection-level `securityLevel`. */
-  securityLevel?: ESecurityLevel;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: TFrame$1) => void;
   /**
-   * Optional availability gate — when it returns `false` this transport is skipped and the connection
-   * falls through to the next in preference order, re-evaluated per dispatch. Omit = always available.
+   * Perform the transport-specific upgrade for an inbound request, returning its raw response (e.g. a
+   * Durable Object's `new WebSocketPair()` + `ctx.acceptWebSocket()` → a `101`). Omit for a carrier that
+   * is fed connections out of band (the server then only routes frames via {@link receive}/{@link drop}).
    */
-  available?: (input: ITransportRouteActionParams) => boolean;
-  /** Override the devtools chip label (defaults to the carrier's own label). */
-  label?: string;
-}
-interface IConnectChannelOptions<TO_CONNECTOR extends readonly ActionDomain<any>[]> {
-  /** The peer's runtime coordinate — the acceptor this connection dials. */
-  peer: RuntimeCoordinate;
+  upgrade?: (request: Request, url: URL) => Response | Promise<Response>;
   /**
-   * The transports to the peer, by carrier, in preference order (e.g. secure WS preferred, HTTP fallback).
-   * They all carry the channel's `toAcceptor` domains; the connection prefers the first that's ready and
-   * falls through on failure. {@link connectChannel} binds the channel + runtime + crypto identity into
-   * each — the dial-out dual of `serveChannel`'s `carriers`.
+   * Whether an inbound request is an upgrade for this carrier. Defaults to an `Upgrade: websocket` header.
+   * Only consulted when {@link upgrade} is present.
    */
-  transports: readonly IConnectTransport[];
+  isUpgrade?: (request: Request, url: URL) => boolean;
   /**
-   * One backing store for this connection's crypto identity, fanned across every *secure* transport so
-   * they present the same verify/exchange keys. Required when any transport is secure (the default); a
-   * fully-plain connection (every transport `secure: false`) may omit it. Pass `link` instead to share an
-   * existing identity.
+   * Optional attachment read/write for connections that survive eviction (Durable Object hibernation).
+   * Present → `serveChannel` persists the routing binding (and any `connectionState`) here and replays it
+   * on wake. Absent → per-connection state is in-memory only.
    */
-  storage?: StorageAdapter;
-  /** The connection's crypto identity. Defaults to a fresh {@link ClientCryptoKeyLink} over `storage`. */
-  link?: ClientCryptoKeyLink;
-  /** Default security level for secure transports; defaults to `authenticated`. */
-  securityLevel?: ESecurityLevel;
-  /** Handlers for the channel's acceptor→connector pushes. Optional — omit for a send-only connection. */
-  onPush?: TChannelPushHandlers<TO_CONNECTOR>;
-  /** Default per-action timeout for this connection. */
-  defaultTimeout?: number;
+  attachmentStore?: IAcceptorAttachmentStore<TConn>;
+  /** Short carrier-kind label for the devtools chip (e.g. `"ws"`, `"webrtc"`). */
+  readonly carrierLabel: string;
 }
 /**
- * Open a connection to a peer from a single call — the dial-out dual of `serveChannel`. The channel is
- * the single source of truth for *what* is routed (`toAcceptor` domains forwarded to the peer,
- * `toConnector` pushes handled locally from `onPush`); the call binds the shared facts — the channel's
- * codec/dictionary version, the runtime, and one crypto identity (a {@link ClientCryptoKeyLink} over
- * `storage`) — into every transport in `transports`, so none of them restate the channel or runtime.
- * List several transports to make the path transport-agnostic (secure WS preferred, HTTP fallback):
- * ```ts
- * const handler = connectChannel(runtime, lobbyChannel, {
- *   peer: runtime_coordinate_lobby_do,
- *   storage,
- *   transports: [{ carrier: wsCarrier(() => ({ url })) }, { carrier: httpCarrier(...), secure: false }],
- *   onPush: { player_joined: (p) => { … } },
- * });
- * ```
- * Returns the {@link ConnectorHandler} so the caller can later `clearTransportCache()` it.
- */
-declare function connectChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[]>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IConnectChannelOptions<TO_CONNECTOR>): ConnectorHandler;
-type TDomainAcceptorCases<D, TCtx> = D extends ActionDomain<infer DEF> ? { [ID in keyof DEF["actionSchema"] & string]?: TAcceptorCaseFn<DEF, ID, TCtx> } : never;
-/**
- * The connection-aware case map for a channel's acceptor side: the merged set of every
- * connector→acceptor (`toAcceptor`) action handler, each receiving the primed request plus a per-action
- * `context`. `TCtx` is whatever the wiring supplies as that second argument — the raw connection
- * (`TConn | undefined`) for the low-level `acceptChannelConnections`, or an enriched `IConnectionContext`
- * for `serveChannel`'s `channelCases`. Derived from the channel's `toAcceptorDomains`, so the keys and
- * input/output types follow the channel.
- */
-type TChannelAcceptorCases<TO_ACCEPTOR extends readonly ActionDomain<any>[], TCtx> = TUnionToIntersection<TDomainAcceptorCases<TO_ACCEPTOR[number], TCtx>>;
-/**
- * Register an acceptor handler's execution for a channel straight from its definition: the channel's
- * `toAcceptor` domains are served together with one merged, connection-aware case map (each case gets
- * the primed request + the originating connection, as with
- * {@link AcceptorHandler.forConnectionDomainCases}). The domain list is taken from the channel,
- * never restated. Add the returned handler to the runtime alongside the acceptor handler:
- * ```ts
- * runtime.addHandlers([acceptChannelConnections(serverHandler, channel, { … }), serverHandler]);
- * ```
- *
- * The case's second argument is the raw connection (`TConn | undefined`). For the richer state +
- * broadcast + pushBack context, serve the channel through `serveChannel`'s `channelCases` instead.
+ * An exchange (request/reply) carrier on the acceptor side, over web-standard `Request`/`Response`. By
+ * default it speaks the *secure* exchange protocol (handshake → token session → encrypted frames), whose
+ * identity is supplied centrally by `serveChannel`. Set {@link secure} to `false` for a plain endpoint
+ * that POSTs the raw action wire and returns the result inline — the request/reply dual of the connector's
+ * plain HTTP transport (`{ carrier: httpCarrier(...), secure: false }`). So a server can pair a secure
+ * duplex (WebSocket) with a plain HTTP fallback on the same runtime. Built by `httpAcceptorCarrier`.
  */
-declare function acceptChannelConnections<TO_ACCEPTOR extends readonly ActionDomain<any>[], TConn>(serverHandler: AcceptorHandler<TConn>, channel: IActionChannel<TO_ACCEPTOR, any>, cases: TChannelAcceptorCases<TO_ACCEPTOR, TConn | undefined>): ActionLocalHandler;
-interface IAcceptChannelOptions<TConn> {
-  /**
-   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
-   * used to score return-path dispatch back to the right connection.
-   */
-  clientEnv: RuntimeCoordinate;
+interface IExchangeAcceptorCarrier {
+  /** Discriminant so `serveChannel` can tell an exchange carrier from a duplex one. */
+  readonly shape: ETransportShape.exchange;
   /**
-   * One backing store for the acceptor's crypto identity *and* its trust-on-first-use verify-key pins
-   * (their keys don't collide). Back it with persistent storage so identity + pins survive eviction.
+   * Whether this endpoint runs the secure exchange protocol (default `true`). `false` makes it a plain
+   * endpoint: the body is the raw action wire and the result is the response body — no handshake, token,
+   * or encryption. A plain endpoint ignores the central crypto identity entirely.
    */
-  storageAdapter: StorageAdapter;
-  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
-  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
+  secure?: boolean;
+  /** Which requests carry an action exchange envelope on `POST`. Defaults to `serveChannel`'s path match. */
+  isActionPath?: (url: URL) => boolean;
   /**
-   * The acceptor's crypto identity. Defaults to a fresh `ClientCryptoKeyLink` over `storageAdapter`.
-   * Pass an existing link to share one identity across several acceptors on the same server (e.g. this
-   * WebSocket acceptor and a secure-HTTP `createActionFetchHandler`), so they present the same keys.
+   * CORS headers merged onto every response (a preflight `OPTIONS` is answered `204`). Defaults to the
+   * permissive `*` set; pass `false` to attach no CORS headers at all.
    */
-  link?: ClientCryptoKeyLink;
-  /** Accepted level(s); defaults to negotiating any of none/authenticated/encrypted. */
-  securityLevel?: ESecurityLevel | readonly ESecurityLevel[];
-  /** Trust decision for a client's verify key; defaults to storage-backed TOFU over `storageAdapter`. */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
-  /** Timeout (ms) applied to acceptor-initiated actions awaiting a client response. */
-  defaultTimeout?: number;
+  cors?: Record<string, string> | false;
+  /** Plain mode only: use the error's HTTP status for failures (default `true`). Ignored when secure. */
+  useErrorStatus?: boolean;
+  /** Short carrier-kind label for the devtools chip (e.g. `"http"`). */
+  readonly carrierLabel: string;
 }
-/**
- * Build the secure {@link AcceptorHandler} for a channel — the accept-in counterpart to
- * {@link connectChannel}. It folds in the same boilerplate as {@link createSecureAcceptorHandler} (the
- * `ClientCryptoKeyLink` + storage-backed TOFU resolver from one `storageAdapter`, the channel's codec +
- * dictionary version, the `security` block from the runtime coordinate) but takes the `(runtime, channel,
- * options)` shape of the channel family. Pair it with {@link acceptChannelConnections} for execution:
- * ```ts
- * const acceptor = acceptChannel(runtime, gameChannel, { clientEnv, storageAdapter, send });
- * runtime.addHandlers([acceptChannelConnections(acceptor, gameChannel, { … }), acceptor]);
- * ```
- */
-declare function acceptChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[], TConn = unknown>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IAcceptChannelOptions<TConn>): AcceptorHandler<TConn>;
-//#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/ConnectionStateStore.d.ts
-/**
- * The composite value persisted to a connection's attachment: the consumer's own app state plus the
- * {@link AcceptorHandler} routing binding. Co-storing them in one slot means a transport whose
- * sockets outlive process eviction (e.g. a Durable Object's hibernatable WebSocket) recovers both the
- * application identity *and* the action routing from a single attachment after a wake — no storage reads.
- */
-interface IConnectionAttachment<TApp> {
-  app?: TApp;
-  binding?: IAcceptorConnectionBinding;
-}
-interface IConnectionStateStoreOptions<TConn, TApp> {
-  /** Read a connection's raw attachment (e.g. `(ws) => ws.deserializeAttachment()`). */
-  read: (connection: TConn) => unknown;
-  /** Persist a connection's attachment (e.g. `(ws, value) => ws.serializeAttachment(value)`). */
-  write: (connection: TConn, value: IConnectionAttachment<TApp>) => void;
-  /**
-   * All currently-live connections (e.g. `() => ctx.getWebSockets()`). Used to replay routing bindings
-   * after a wake (via {@link createConnectionStateStore}) and to enumerate app state in
-   * {@link ConnectionStateStore.entries}.
-   */
-  getConnections: () => TConn[];
-  /**
-   * Optional Standard Schema (valibot, zod, …) validating the *app* portion on read. A value that
-   * fails validation reads back as `null` — the same lenient behavior as a hand-written safeParse
-   * helper. The binding is the library's own shape and is never validated.
-   */
-  schema?: StandardSchemaV1<unknown, TApp>;
-}
-/**
- * A typed per-connection state store that co-owns the app state and the acceptor handler's routing
- * binding in one attachment, so neither the consumer nor the handler has to hand-merge the two. Create
- * it through {@link createConnectionStateStore} (which also wires binding persistence and replays
- * surviving connections after a wake), then `get`/`set`/`clearApp` the app state directly.
- *
- * The mechanism is carrier-neutral — it only needs read/write/enumerate callbacks for the connection's
- * attachment — but it pays off on transports whose connections outlive process eviction (e.g. a
- * Durable Object's hibernatable WebSockets), which is why it lives beside the hibernation adapter.
- *
- * ```ts
- * const players = createConnectionStateStore(serverHandler, {
- *   schema: vs_player,
- *   read: (ws) => ws.deserializeAttachment(),
- *   write: (ws, v) => ws.serializeAttachment(v),
- *   getConnections: () => ctx.getWebSockets(),
- * });
- * players.set(ws, player); // binding is preserved automatically
- * const player = players.get(ws);
- * ```
- */
-declare class ConnectionStateStore<TConn, TApp> {
-  private readonly options;
-  constructor(options: IConnectionStateStoreOptions<TConn, TApp>);
-  /** The validated app state for a connection, or `null` if unset / invalid. */
-  get(connection: TConn): TApp | null;
-  /** Set the app state, preserving the runtime binding already pinned to the connection. */
-  set(connection: TConn, app: TApp): void;
-  /** Clear the app state but keep the binding (e.g. a spectator that stopped watching). */
-  clearApp(connection: TConn): void;
-  /** Every live connection paired with its (validated) app state — for rebuilding in-memory state after a wake. */
-  entries(): [TConn, TApp | null][];
-  /** @internal Persist a freshly-bound connection's binding, preserving any app state already stored. */
-  _persistBinding(connection: TConn, binding: IAcceptorConnectionBinding): void;
-  /** @internal The persisted binding for a connection, if any (used to replay routing after a wake). */
-  _readBinding(connection: TConn): IAcceptorConnectionBinding | undefined;
-  private _readAttachment;
-  private _validateApp;
-}
-/**
- * Build a per-connection {@link ConnectionStateStore} bound to an {@link AcceptorHandler}: it registers
- * itself as the handler's connection-bound persistence callback (so bindings are written without
- * overwriting app state) and immediately replays every live connection's stored binding via
- * {@link AcceptorHandler.rehydrateConnection} — so on a transport that resumes after eviction (e.g. a
- * Durable Object waking from hibernation) both the app identity and the action routing come back from a
- * single attachment, with no storage reads and no hand-rolled merge.
- *
- * Lives outside the handler so the generic {@link AcceptorHandler} stays free of any attachment/
- * hibernation concern — it exposes only the neutral `setOnConnectionBound` + `rehydrateConnection`
- * hooks this builder drives.
- */
-declare function createConnectionStateStore<TConn, TApp>(handler: AcceptorHandler<TConn>, options: IConnectionStateStoreOptions<TConn, TApp>): ConnectionStateStore<TConn, TApp>;
-//#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/Hibernation/createHibernatableWsServerAdapter.d.ts
-interface IHibernatableWsServerAdapterOptions<TConn> {
-  /** The handler to drive (from `createSecureAcceptorHandler` or `createAcceptorHandler`). */
-  handler: AcceptorHandler<TConn>;
-  /** All currently-live connections — replayed on construction to rebuild bindings after a wake. */
-  getConnections: () => TConn[];
-  /** Read a connection's persisted binding (e.g. `(ws) => ws.deserializeAttachment()`). */
-  getAttachment: (connection: TConn) => IAcceptorConnectionBinding | undefined;
-  /** Persist a connection's binding when it is bound (e.g. `(ws, b) => ws.serializeAttachment(b)`). */
-  setAttachment: (connection: TConn, binding: IAcceptorConnectionBinding) => void;
-}
-/**
- * The neutral lifecycle surface for a duplex (push-capable) acceptor: feed it each inbound frame and tell
- * it when a connection goes away. Carrier-agnostic — a WebSocket, a WebRTC data channel, or any other
- * duplex connection drives the same two methods.
- */
-interface IDuplexConnectionRouter<TConn> {
-  /** Feed one inbound frame from a connection into the handler. */
-  receive: (connection: TConn, frame: string | ArrayBuffer | Uint8Array) => void;
-  /** Forget a connection (call on socket close/error). */
-  drop: (connection: TConn) => void;
-}
-/**
- * Wire the hibernation lifecycle for an acceptor handler on a transport whose connections outlive process
- * eviction (e.g. a Durable Object's hibernatable WebSockets). It owns persistence end to end:
- * registers `setAttachment` as the handler's connection-bound callback and immediately replays every
- * live connection's stored binding via `getAttachment`, so results/pushes still route after a wake.
- *
- * Layered on top of the generic {@link AcceptorHandler} — it touches only the handler's neutral
- * `setOnConnectionBound` / `rehydrateConnection` / `receive` / `dropConnection` surface, so no
- * hibernation concern leaks into the handler itself.
- *
- * Construct it once when the handler is built, then forward connection events:
- * ```ts
- * const duplex = createHibernatableWsServerAdapter({ handler, getConnections, getAttachment, setAttachment });
- * // webSocketMessage(ws, msg) => duplex.receive(ws, msg);
- * // webSocketClose/Error(ws)  => duplex.drop(ws);
- * ```
- */
-declare function createHibernatableWsServerAdapter<TConn>(options: IHibernatableWsServerAdapterOptions<TConn>): IDuplexConnectionRouter<TConn>;
-//#endregion
-//#region src/ActionRuntime/Transport/Carrier/AcceptorCarrier.types.d.ts
-/**
- * Acceptor-side carrier descriptors — the accept-in dual of the connector's {@link IDuplexCarrierSource}
- * / {@link IExchangeCarrierSource}. Where a connector source knows how to *open* a carrier to a peer, an
- * acceptor carrier knows how to *serve* one peer's traffic on this server. Both shapes are carrier-neutral
- * about security: `serveChannel` builds the crypto identity (link + TOFU resolver) and the security block
- * once from `(runtime, channel)` and fans it across every carrier, so a carrier descriptor never restates
- * it.
- *
- * Two shapes mirror the connector side:
- *
- * - {@link IDuplexAcceptorCarrier} — a persistent, push-capable byte stream (WebSocket, WebRTC, …). It can
- *   push acceptor→connector, so it carries the return path and broadcasts, and it may need an upgrade step
- *   (e.g. a Durable Object's `WebSocketPair`) and optional hibernation persistence.
- * - {@link IExchangeAcceptorCarrier} — a request → single-correlated-reply carrier with no unsolicited push
- *   (HTTP). The reply rides the response to its own request; there is nothing to push and nothing to
- *   upgrade.
- */
-/**
- * Raw read/write access to a connection's persisted attachment, for a duplex carrier whose connections
- * outlive process eviction (e.g. a Durable Object's hibernatable WebSockets). Optional — omit for a
- * transport that never hibernates (per-connection state is then in-memory only).
- *
- * `serveChannel` owns the attachment *layout*: it co-stores the routing binding and (when
- * `connectionState` is requested) per-connection app state as one composite in this single slot, so both
- * survive a wake. The carrier only has to say how to read/write the slot and enumerate live connections.
- */
-interface IAcceptorAttachmentStore<TConn> {
-  /** All currently-live connections — enumerated on build to replay binding + app state after a wake. */
-  getConnections: () => TConn[];
-  /** Read a connection's persisted attachment (e.g. `(ws) => ws.deserializeAttachment()`). */
-  read: (connection: TConn) => unknown;
-  /** Persist a connection's attachment (e.g. `(ws, value) => ws.serializeAttachment(value)`). */
-  write: (connection: TConn, value: unknown) => void;
-}
-/**
- * A duplex carrier is also its own lifecycle handle: once it has been passed to `serveChannel`, feed each
- * inbound frame to {@link receive} and forget a connection on close/error with {@link drop}. This is how a
- * server with *several* duplex carriers routes each connection's traffic to the right one — you hold the
- * carrier you created and feed it directly, so no per-carrier router lookup is needed. The methods throw if
- * called before the carrier is served. (`serveChannel` binds the live router via {@link _activate}.)
- */
-interface IDuplexCarrierLifecycle<TConn> {
-  /** Feed one inbound frame from a live connection into the server. Throws until the carrier is served. */
-  receive(connection: TConn, frame: TFrame$1): void;
-  /** Forget a connection on close/error. No-op until the carrier is served. */
-  drop(connection: TConn): void;
-  /** @internal `serveChannel` binds this carrier's live connection router here. */
-  _activate(router: IDuplexConnectionRouter<TConn>): void;
-}
-/**
- * A duplex (push-capable) carrier on the acceptor side. Describes how to write a frame back to a live
- * connection, how to perform the transport-specific upgrade that admits one, which requests are such
- * upgrades, and (optionally) how to persist bindings across hibernation. Built by `wsAcceptorCarrier` and
- * handed to `serveChannel`'s `carriers` list — the returned carrier is also its own lifecycle handle (see
- * {@link IDuplexCarrierLifecycle}).
- */
-interface IDuplexAcceptorCarrier<TConn = unknown> extends IDuplexCarrierLifecycle<TConn> {
-  /** Discriminant so `serveChannel` can tell a duplex carrier from an exchange one. */
-  readonly shape: ETransportShape.duplex;
-  /**
-   * Whether each connection runs the secure handshake (default `true`). `false` makes it a plain duplex
-   * carrier: connections speak the channel's wire codec directly with a self-asserted identity — no
-   * handshake, pins, or encryption (the duplex dual of `httpAcceptorCarrier({ secure: false })`). A plain
-   * carrier ignores the central crypto identity, so it needs no `storage` on `serveChannel`.
-   */
-  secure?: boolean;
-  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
-  send: (connection: TConn, frame: TFrame$1) => void;
-  /**
-   * Perform the transport-specific upgrade for an inbound request, returning its raw response (e.g. a
-   * Durable Object's `new WebSocketPair()` + `ctx.acceptWebSocket()` → a `101`). Omit for a carrier that
-   * is fed connections out of band (the server then only routes frames via {@link receive}/{@link drop}).
-   */
-  upgrade?: (request: Request, url: URL) => Response | Promise<Response>;
-  /**
-   * Whether an inbound request is an upgrade for this carrier. Defaults to an `Upgrade: websocket` header.
-   * Only consulted when {@link upgrade} is present.
-   */
-  isUpgrade?: (request: Request, url: URL) => boolean;
-  /**
-   * Optional attachment read/write for connections that survive eviction (Durable Object hibernation).
-   * Present → `serveChannel` persists the routing binding (and any `connectionState`) here and replays it
-   * on wake. Absent → per-connection state is in-memory only.
-   */
-  attachmentStore?: IAcceptorAttachmentStore<TConn>;
-  /** Short carrier-kind label for the devtools chip (e.g. `"ws"`, `"webrtc"`). */
-  readonly carrierLabel: string;
-}
-/**
- * An exchange (request/reply) carrier on the acceptor side, over web-standard `Request`/`Response`. By
- * default it speaks the *secure* exchange protocol (handshake → token session → encrypted frames), whose
- * identity is supplied centrally by `serveChannel`. Set {@link secure} to `false` for a plain endpoint
- * that POSTs the raw action wire and returns the result inline — the request/reply dual of the connector's
- * `plainTransport({ carrier: httpCarrier(...) })`. So a server can pair a secure duplex (WebSocket) with a
- * plain HTTP fallback on the same runtime. Built by `httpAcceptorCarrier`.
- */
-interface IExchangeAcceptorCarrier {
-  /** Discriminant so `serveChannel` can tell an exchange carrier from a duplex one. */
-  readonly shape: ETransportShape.exchange;
-  /**
-   * Whether this endpoint runs the secure exchange protocol (default `true`). `false` makes it a plain
-   * endpoint: the body is the raw action wire and the result is the response body — no handshake, token,
-   * or encryption. A plain endpoint ignores the central crypto identity entirely.
-   */
-  secure?: boolean;
-  /** Which requests carry an action exchange envelope on `POST`. Defaults to `serveChannel`'s path match. */
-  isActionPath?: (url: URL) => boolean;
-  /**
-   * CORS headers merged onto every response (a preflight `OPTIONS` is answered `204`). Defaults to the
-   * permissive `*` set; pass `false` to attach no CORS headers at all.
-   */
-  cors?: Record<string, string> | false;
-  /** Plain mode only: use the error's HTTP status for failures (default `true`). Ignored when secure. */
-  useErrorStatus?: boolean;
-  /** Short carrier-kind label for the devtools chip (e.g. `"http"`). */
-  readonly carrierLabel: string;
-}
-type TAcceptorCarrier<TConn = unknown> = IDuplexAcceptorCarrier<TConn> | IExchangeAcceptorCarrier;
+type TAcceptorCarrier<TConn = unknown> = IDuplexAcceptorCarrier<TConn> | IExchangeAcceptorCarrier;
 /**
  * Narrow an acceptor carrier to the exchange shape via its `shape` discriminant — the one branch
  * `serveChannel` uses to pick the duplex (push-capable) vs exchange (request/reply) wiring. A duplex
@@ -2332,9 +1833,12 @@ interface IConnectionContext<TConn, TApp = unknown> {
 interface IServeChannelOptions<TO_ACCEPTOR extends readonly ActionDomain<any>[], TConn, TApp = unknown> {
   /**
    * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
-   * used to score return-path dispatch back to the right connection.
+   * used only as the offline-return scoring fallback — a result/push to a live client always routes over
+   * the carrier it connected on regardless of this. Optional: omit it for a multi-role server that accepts
+   * clients of several envs over one acceptor (it then scores 0 against every client, so the live
+   * connection always decides).
    */
-  clientEnv: RuntimeCoordinate;
+  clientEnv?: RuntimeCoordinate;
   /**
    * One backing store for the server's crypto identity *and* its trust-on-first-use verify-key pins
    * (their keys don't collide). It is built once and shared across every carrier, so the WebSocket and the
@@ -2465,12 +1969,12 @@ interface IChannelServer<TConn, TApp = unknown> {
  * carrier, and so on — so it stays carrier-agnostic. Passing `connectionState` narrows the return so
  * `server.connections` is non-optional.
  */
-declare function serveChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[], TConn, TApp>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IServeChannelOptions<TO_ACCEPTOR, TConn, TApp> & {
+declare function serveChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[], TConn, TApp>(runtime: ActionRuntime, channel: IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IServeChannelOptions<TO_ACCEPTOR, TConn, TApp> & {
   connectionState: IServeConnectionStateOptions<TApp>;
 }): IChannelServer<TConn, TApp> & {
   connections: ConnectionStateStore<TConn, TApp>;
 };
-declare function serveChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TConn = unknown, TApp = unknown>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IServeChannelOptions<TO_ACCEPTOR, TConn, TApp>): IChannelServer<TConn, TApp>;
+declare function serveChannel<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TConn = unknown, TApp = unknown>(runtime: ActionRuntime, channel: IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>, options: IServeChannelOptions<TO_ACCEPTOR, TConn, TApp>): IChannelServer<TConn, TApp>;
 //#endregion
 //#region src/ActionRuntime/Channel/serveHost.d.ts
 /**
@@ -2503,157 +2007,12 @@ type TServeHostOptions<TO_ACCEPTOR extends readonly ActionDomain<any>[], TConn,
  * the host adapter and nothing else. Passing `connectionState` narrows the return so `server.connections`
  * is non-optional, exactly as with `serveChannel`.
  */
-declare function serveHost<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[], TConn, TApp>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, host: IChannelHostAdapter<TConn>, options: TServeHostOptions<TO_ACCEPTOR, TConn, TApp> & {
+declare function serveHost<TO_ACCEPTOR extends readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[], TConn, TApp>(runtime: ActionRuntime, channel: IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>, host: IChannelHostAdapter<TConn>, options: TServeHostOptions<TO_ACCEPTOR, TConn, TApp> & {
   connectionState: IServeConnectionStateOptions<TApp>;
 }): IChannelServer<TConn, TApp> & {
   connections: ConnectionStateStore<TConn, TApp>;
 };
-declare function serveHost<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TConn = unknown, TApp = unknown>(runtime: ActionRuntime, channel: ISecureChannel<TO_ACCEPTOR, TO_CONNECTOR>, host: IChannelHostAdapter<TConn>, options: TServeHostOptions<TO_ACCEPTOR, TConn, TApp>): IChannelServer<TConn, TApp>;
-//#endregion
-//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.d.ts
-/** Acceptor secure config for the exchange (HTTP) endpoint — same identity an `AcceptorHandler` uses. */
-interface IExchangeAcceptorSecurity {
-  /** This acceptor's crypto identity (verify + exchange key pairs, optionally persisted). */
-  link: ClientCryptoKeyLink;
-  /** This acceptor's coordinate — its identity to clients during the handshake. */
-  localCoordinate: IRuntimeCoordinate;
-  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
-  dictionaryVersion: string;
-  /** Accepted level(s) — a single level is strict, an array is a negotiable allowed set. */
-  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
-  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
-}
-interface IExchangeAcceptorConfig {
-  security: IExchangeAcceptorSecurity;
-  /** The runtime that executes an inbound action wire and produces its result. */
-  runtime: ActionRuntime;
-}
-/**
- * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
- * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
- * acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
- * requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
- * POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
- * and returns the (encrypted) result inline as the reply.
- *
- * Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
- * Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
- * same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
- */
-declare class ExchangeAcceptor {
-  private readonly _security;
-  private readonly _runtime;
-  private readonly _allowedLevels;
-  private readonly _noneAllowed;
-  private readonly _pendingHandshakes;
-  private readonly _sessions;
-  constructor(config: IExchangeAcceptorConfig);
-  /** Process one POST body (an exchange envelope), returning the reply body to send back. */
-  handlePost(body: string): Promise<string>;
-  private _handleHandshake;
-  private _handleAction;
-  private _err;
-}
-//#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.d.ts
-interface IActionFetchHandlerOptions {
-  /**
-   * CORS headers merged onto every response (a preflight `OPTIONS` is answered `204` with them).
-   * Defaults to permissive `*`; pass `false` to attach no CORS headers at all.
-   */
-  cors?: Record<string, string> | false;
-  /** Which requests carry an action wire on `POST`. Default: pathname ends with `/action`. */
-  isActionPath?: (url: URL) => boolean;
-  /** Which requests are WebSocket upgrades. Default: pathname ends with `/ws`. */
-  isWebSocketPath?: (url: URL) => boolean;
-  /**
-   * Whether a request is a WebSocket upgrade for this endpoint, given the whole request (not just the
-   * URL). When set it *replaces* the default gate (an `Upgrade: websocket` header on an
-   * {@link isWebSocketPath} match) — use it when the discriminant needs a header or method, not only the
-   * path. Only consulted when {@link onWebSocketUpgrade} is present.
-   */
-  isWebSocketUpgrade?: (request: Request, url: URL) => boolean;
-  /**
-   * Perform the transport-specific WebSocket upgrade (e.g. a Durable Object's
-   * `new WebSocketPair()` + `ctx.acceptWebSocket()` returning a `101`). Omit for HTTP-only endpoints.
-   * Its response is returned as-is — a `101` upgrade carries no CORS headers.
-   */
-  onWebSocketUpgrade?: (request: Request, url: URL) => Response | Promise<Response>;
-  /** Forwarded to `ActionPayload_Result.toHttpResponse` — use the error's HTTP status (default true). */
-  useErrorStatus?: boolean;
-  /**
-   * Enable the secure exchange protocol (handshake + token sessions + body encryption) on the `/action`
-   * endpoint, mirroring an `AcceptorHandler`'s `security`. The matching connector is
-   * `secureTransport({ carrier: httpCarrier(...), securityLevel })`. When omitted, the endpoint speaks
-   * today's plain protocol (the raw action wire is POSTed and the result is the response body).
-   */
-  security?: IExchangeAcceptorSecurity;
-}
-/**
- * Build the `fetch` handler a server/Durable-Object exposes for action traffic, folding in the
- * boilerplate every endpoint repeats: CORS (incl. the `OPTIONS` preflight), routing the `/action`
- * `POST` body through the runtime (`handleActionPayloadWire` → `waitForResultPayload` →
- * `toHttpResponse`), an optional WebSocket-upgrade hook, and a `404` fallback.
- *
- * It only touches web-standard `Request`/`Response`, so it stays transport-agnostic — the one
- * environment-specific bit (the WS upgrade) is injected via {@link IActionFetchHandlerOptions.onWebSocketUpgrade}:
- * ```ts
- * this.fetchHandler = createActionFetchHandler(this.runtime, {
- *   onWebSocketUpgrade: () => {
- *     const pair = new WebSocketPair();
- *     this.ctx.acceptWebSocket(pair[1]);
- *     return new Response(null, { status: 101, webSocket: pair[0] });
- *   },
- * });
- * // async fetch(request) { return this.fetchHandler(request); }
- * ```
- */
-declare function createActionFetchHandler(runtime: ActionRuntime, options?: IActionFetchHandlerOptions): (request: Request) => Promise<Response>;
-//#endregion
-//#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.d.ts
-interface ISecureAcceptorHandlerOptions<TConn> {
-  /** The shared channel identity (codec + dictionary version) — same one the clients use. */
-  channel: ISecureChannel;
-  /**
-   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
-   * used to route results/pushes back over this handler.
-   */
-  clientEnv: RuntimeCoordinate;
-  /** This server's runtime — its coordinate is the server identity presented in the handshake. */
-  runtime: ActionRuntime;
-  /**
-   * One backing store for the server's crypto identity *and* its trust-on-first-use verify-key pins.
-   * Their keys don't collide, so a single adapter is enough; back it with persistent storage (e.g. a
-   * Durable Object's storage) so identity and pins survive eviction.
-   */
-  storageAdapter: StorageAdapter;
-  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
-  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
-  /**
-   * The server's crypto identity. Defaults to a fresh {@link ClientCryptoKeyLink} over `storageAdapter`.
-   * Pass an existing link to share one identity across several acceptors on the same server (e.g. a
-   * WebSocket acceptor and a secure-HTTP {@link createActionFetchHandler}), so they present the same
-   * verify/exchange keys — avoiding a divergent-key race when two fresh links initialize concurrently.
-   */
-  link?: ClientCryptoKeyLink;
-  /** Accepted level(s); defaults to negotiating any of none/authenticated/encrypted. */
-  securityLevel?: ESecurityLevel | readonly ESecurityLevel[];
-  /** Trust decision for a client's verify key; defaults to storage-backed TOFU over `storageAdapter`. */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
-  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
-  defaultTimeout?: number;
-}
-/**
- * Build an {@link AcceptorHandler} for the secure binary channel with the boilerplate folded in:
- * it creates the {@link ClientCryptoKeyLink} and the storage-backed TOFU resolver from a single
- * `storageAdapter`, installs the channel's per-connection codec, and assembles the `security` block
- * from the runtime coordinate + channel version (accepting all three levels by default).
- *
- * For a hibernatable transport (e.g. a Durable Object), pair it with
- * {@link createHibernatableWsServerAdapter} to wire persistence + replay.
- */
-declare function createSecureAcceptorHandler<TConn = unknown>(options: ISecureAcceptorHandlerOptions<TConn>): AcceptorHandler<TConn>;
+declare function serveHost<TO_ACCEPTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TO_CONNECTOR extends readonly ActionDomain<any>[] = readonly ActionDomain<any>[], TConn = unknown, TApp = unknown>(runtime: ActionRuntime, channel: IActionChannel<TO_ACCEPTOR, TO_CONNECTOR>, host: IChannelHostAdapter<TConn>, options: TServeHostOptions<TO_ACCEPTOR, TConn, TApp>): IChannelServer<TConn, TApp>;
 //#endregion
 //#region src/ActionRuntime/Handler/PeerLink/Connector/err_nice_external_client.d.ts
 declare const err_nice_external_client: import("@nice-code/error").NiceErrorDomain<{
@@ -2693,16 +2052,15 @@ declare function createInMemoryChannelPair(): IInMemoryChannelPair;
 //#endregion
 //#region src/ActionRuntime/Transport/Carrier/duplex/inMemory/inMemoryCarrier.d.ts
 interface IInMemoryCarrier {
-  /** The connector end — pass as the `carrier` to {@link secureTransport} / `LinkTransport`. */
+  /** The connector end — pass as the `carrier` to one of `connectChannel`'s transports. */
   carrier: IDuplexCarrierSource;
   /** The acceptor end — wire into an `AcceptorHandler` (`send` + `receive`). */
   serverEndpoint: IInMemoryServerEndpoint;
 }
 /**
  * A loopback duplex carrier with no socket — two cross-wired in-process ends. The connector end is an
- * {@link IDuplexCarrierSource} for {@link secureTransport}; the acceptor end plugs into an
- * `AcceptorHandler`. Ideal for tests and for running two runtimes in one process, or proving a
- * non-WS carrier end to end.
+ * {@link IDuplexCarrierSource} for `connectChannel`; the acceptor end plugs into an `AcceptorHandler`.
+ * Ideal for tests and for running two runtimes in one process, or proving a non-WS carrier end to end.
  */
 declare function inMemoryCarrier(): IInMemoryCarrier;
 //#endregion
@@ -2738,8 +2096,8 @@ interface IRtcCarrierOptions {
 }
 /**
  * A WebRTC {@link IDuplexCarrierSource} over an already-negotiated `RTCDataChannel` (signaling is the
- * app's concern). Hand it to {@link secureTransport} so two browsers/apps linked peer-to-peer run the
- * identical secure session as a WebSocket.
+ * app's concern). Pass it as a `carrier` to `connectChannel` so two browsers/apps linked peer-to-peer run
+ * the identical secure session as a WebSocket.
  */
 declare function rtcCarrier(dataChannel: IRtcDataChannelLike, options?: IRtcCarrierOptions): IDuplexCarrierSource;
 //#endregion
@@ -2806,8 +2164,8 @@ interface IWsCarrierOptions {
 }
 /**
  * A WebSocket {@link IDuplexCarrierSource}: opens an `arraybuffer` socket (cached per endpoint) and adapts
- * it to a carrier. Hand it to {@link secureTransport} (or `LinkTransport`) — the WebSocket is now "just
- * another carrier" under the shared secure session, with no WS-specific transport class.
+ * it to a carrier. Pass it as a `carrier` to `connectChannel` — the WebSocket is now "just another
+ * carrier" under the shared secure session, with no WS-specific transport class.
  *
  * `createRequest` derives the socket URL per action (keep it simple with `() => ({ url })`), so dynamic
  * endpoints (e.g. a per-run query param) need no `createWebSocket` escape hatch.
@@ -2819,8 +2177,9 @@ interface IHttpAcceptorCarrierOptions {
   /**
    * Whether this endpoint runs the secure exchange protocol (default `true`). Pass `false` for a plain
    * endpoint — the body is the raw action wire and the result is the response body, the request/reply dual
-   * of `plainTransport({ carrier: httpCarrier(...) })`. A plain endpoint ignores the crypto identity, so it
-   * can sit alongside a secure WebSocket on the same server (e.g. a secure WS preferred, plain HTTP fallback).
+   * of a connector's plain HTTP transport (`{ carrier: httpCarrier(...), secure: false }`). A plain
+   * endpoint ignores the crypto identity, so it can sit alongside a secure WebSocket on the same server
+   * (e.g. a secure WS preferred, plain HTTP fallback).
    */
   secure?: boolean;
   /** Which requests carry an action exchange envelope on `POST`. Defaults to `serveChannel`'s path match. */
@@ -2863,129 +2222,16 @@ interface IHttpCarrierOptions {
 }
 /**
  * An HTTP {@link IExchangeCarrierSource}: each `exchange` POSTs one frame body to the action endpoint and
- * resolves with the response body as the single correlated reply. Hand it to {@link secureTransport} —
- * HTTP then runs the *same* secure session as a duplex carrier (handshake → token → encrypted frames),
- * the request/reply correlation provided for free by the HTTP transaction.
+ * resolves with the response body as the single correlated reply. Pass it as a `carrier` to
+ * `connectChannel` — a secure HTTP transport then runs the *same* secure session as a duplex carrier
+ * (handshake → token → encrypted frames), the request/reply correlation provided for free by the HTTP
+ * transaction.
  *
  * `createRequest` derives the URL/headers per action (keep it simple with `() => ({ url })`). The body is
  * the session's responsibility, so it is never built here.
  */
 declare function httpCarrier(createRequest: (input: ITransportRouteActionParams) => IHttpCarrierRequest, options?: IHttpCarrierOptions): IExchangeCarrierSource;
 //#endregion
-//#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.d.ts
-/**
- * Builds a *stateless* `formatMessage` pipeline for {@link LinkTransport}, packing action
- * payloads into a compact msgpackr binary frame instead of JSON. The `domain`/`id` route collapses to
- * a single integer drawn from a shared dictionary; `form`/`type`, the recomputable
- * `inputHash`/`outputHash`, and the per-frame `context.routing`/`context.timeCreated` are all dropped
- * (see {@link ENVELOPE}).
- *
- * No validation runs here: `incoming` blindly reconstructs the wire JSON shape and hands it back to
- * the connection, which flows into `ActionRuntime` → `domain.hydrateAnyAction()` where the Valibot
- * schemas validate it exactly as they would for a JSON frame.
- *
- * Both ends of the socket MUST construct the adapter with the same domains in the same order — the
- * integer dictionary is positional. Mismatched dictionaries will route to the wrong action.
- *
- * Because `incoming` returns `undefined` for text frames, a binary server can still serve plain-JSON
- * clients on the same runtime (the connection falls back to its built-in JSON parser).
- */
-declare function createBinaryWireAdapter(domains: ActionDomain<any>[]): IActionWireFormat;
-//#endregion
-//#region src/ActionRuntime/Transport/crypto/actionFrameCrypto.d.ts
-/**
- * Async AES-GCM transform for the `encrypted` security level. It wraps the opaque binary frame a
- * session codec produces (it does NOT look inside it), encrypting on the way out and decrypting on the
- * way in with the shared key established by the handshake.
- *
- * It is deliberately separate from the (synchronous) session `formatMessage`: WebCrypto is always
- * Promise-based, so encryption has to happen at the transport's async I/O boundary — the connection
- * encrypts after `session.outgoing()` and decrypts before `session.incoming()`. The `authenticated`
- * and `none` levels use no crypto transform at all (frames go out as the session produced them).
- *
- * Wire shape of an encrypted frame: `pack([nonceBytes, ciphertextBytes])` — msgpack carries the two
- * binary fields with a couple of bytes of overhead, no base64 inflation.
- */
-interface IActionFrameCrypto {
-  /** Encrypt one session frame for sending. */
-  encryptFrame(frame: Uint8Array): Promise<Uint8Array>;
-  /** Decrypt one received frame back to the session frame. Throws on a non-binary / malformed /
-   * tampered frame — the caller (transport) decides how to react (drop / close). */
-  decryptFrame(frame: string | ArrayBuffer | Uint8Array): Promise<Uint8Array>;
-}
-interface IActionFrameCryptoConfig {
-  link: ClientCryptoKeyLink;
-  /** The handshake-established link id for the remote (key + connection-registry id). */
-  linkedClientId: TTypeAndId;
-}
-/**
- * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
- * level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
- */
-declare function createActionFrameCrypto({
-  link,
-  linkedClientId
-}: IActionFrameCryptoConfig): IActionFrameCrypto;
-//#endregion
-//#region src/ActionRuntime/Transport/Exchange/TransportExchange.types.d.ts
-interface IActionTransportReadyData_Exchange extends IActionTransportReadyData_Base {
-  /** The live request/reply carrier this connection drives its session over. */
-  carrier: IExchangeCarrier;
-  /** Optional authenticated/encrypted config; the handshake runs once at bring-up when set. */
-  secureChannel?: ISecureClientConfig;
-}
-interface IActionTransportInitialized_Exchange extends IActionTransportInitialized<ITransportRouteActionParams, IActionTransportReadyData_Exchange> {}
-interface IActionTransportDef_Exchange extends IActionTransportDef<ETransportShape.exchange, IActionTransportInitialized_Exchange> {}
-//#endregion
-//#region src/ActionRuntime/Transport/Exchange/ExchangeConnection.d.ts
-/**
- * Carrier-agnostic live connection for the exchange (request → single reply) shape — the HTTP
- * counterpart to {@link LinkConnection}. It owns only the bring-up (run the secure handshake on first
- * use); the request/reply lifecycle + crypto live in the shared `establishExchangeSession`.
- */
-declare class ExchangeConnection extends TransportConnection<ETransportShape.exchange, ITransportRouteActionParams, IActionTransportReadyData_Exchange, IActionTransportInitialized_Exchange, IActionTransportDef_Exchange> {
-  constructor(def: Omit<IActionTransportDef_Exchange, "type">);
-  protected _getCacheKey(input: ITransportRouteActionParams): string;
-  protected _needsAsyncBringUp(data: IActionTransportReadyData_Exchange): boolean;
-  protected _finalizeReady(data: IActionTransportReadyData_Exchange): IActionTransportReadyData_Methods | Promise<IActionTransportReadyData_Methods>;
-  _finalizeTransportMethods(data: IActionTransportReadyData_Exchange): IActionTransportReadyData_Methods;
-  private _sessionContext;
-}
-//#endregion
-//#region src/ActionRuntime/Transport/Exchange/ExchangeTransport.d.ts
-interface IExchangeTransportOptions {
-  /** Open (or reuse) the exchange carrier for an action — e.g. `httpCarrier(...).open`. */
-  openCarrier: (input: ITransportRouteActionParams) => IExchangeCarrier;
-  /** Secure config; when set (and `securityLevel !== none`) the handshake runs once at bring-up. */
-  security?: ISecureClientConfig;
-  updateRunConfig?: TUpdateActionRunConfig;
-  /** Keys identifying a reusable session, so one carrier is shared across actions to the same peer. */
-  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
-  /**
-   * Optional availability gate. When it returns `false`, the manager skips this transport for that action
-   * (reporting `unsupported`) and falls through to the next — without opening the carrier or computing its
-   * cache key. Re-evaluated per dispatch, so the transport can become available later with no reconnect.
-   */
-  available?: (input: ITransportRouteActionParams) => boolean;
-  /** Short label for the devtools chip (defaults to "exchange"). */
-  label?: string;
-  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
-}
-/**
- * A carrier-agnostic exchange (request → single reply) transport: it drives nice-action's secure session
- * over any {@link IExchangeCarrier} (HTTP being the one built-in). The duplex counterpart is
- * {@link LinkTransport}; this is the no-push half — its reply rides the response to its own request, so it
- * can't deliver an unsolicited frame (the runtime never picks it for the return path).
- */
-declare class ExchangeTransport extends Transport<ETransportShape.exchange> {
-  private readonly options;
-  readonly type = ETransportShape.exchange;
-  constructor(options: IExchangeTransportOptions);
-  static create(options: IExchangeTransportOptions): ExchangeTransport;
-  _createConnection(_ctx: ITransportConnectionContext): ExchangeConnection;
-  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
-}
-//#endregion
 //#region src/ActionRuntime/Transport/err_nice_transport.d.ts
 declare enum EErrId_NiceTransport {
   timeout = "timeout",
@@ -3023,79 +2269,50 @@ declare const err_nice_transport: import("@nice-code/error").NiceErrorDomain<{
   };
 }>;
 //#endregion
-//#region src/ActionRuntime/Transport/Link/TransportLink.types.d.ts
-/** The per-connection codec (positional binary wire / JSON fallback) the carrier's session uses. */
-type TLinkFormatMessage = IActionWireFormat;
-interface IActionTransportReadyData_Link extends IActionTransportReadyData_Base {
-  /** The live carrier this connection drives its session over. */
-  channel: IDuplexCarrier;
-  formatMessage?: TLinkFormatMessage;
-  /** Optional authenticated/encrypted channel; the connection runs the handshake during init. */
-  secureChannel?: ISecureClientConfig;
-}
-interface IActionTransportInitialized_Link extends IActionTransportInitialized<ITransportRouteActionParams, IActionTransportReadyData_Link> {}
-interface IActionTransportDef_Link extends IActionTransportDef<ETransportShape.duplex, IActionTransportInitialized_Link> {}
-//#endregion
-//#region src/ActionRuntime/Transport/Link/LinkConnection.d.ts
-/**
- * Carrier-agnostic live connection. It owns only the *bring-up* (open the carrier, then run the secure
- * session); the session itself — handshake, frame crypto, codec, send/receive — lives in the shared
- * {@link finalizeSecureLinkMethods}/{@link finalizePlainLinkMethods}, so a WebSocket, a WebRTC data
- * channel, a Bluetooth characteristic, and an in-memory pipe all run the identical secure layer.
- */
-declare class LinkConnection extends TransportConnection<ETransportShape.duplex, ITransportRouteActionParams, IActionTransportReadyData_Link, IActionTransportInitialized_Link, IActionTransportDef_Link> {
-  private resolvers;
-  constructor(def: Omit<IActionTransportDef_Link, "type">, resolvers?: IActionTransportResolvers);
-  protected _getCacheKey(input: ITransportRouteActionParams): string;
-  protected _needsAsyncBringUp(): boolean;
-  protected _awaitCarrierReady(data: IActionTransportReadyData_Link): Promise<void>;
-  protected _finalizeReady(data: IActionTransportReadyData_Link): IActionTransportReadyData_Methods | Promise<IActionTransportReadyData_Methods>;
-  private _sessionContext;
-  _finalizeTransportMethods(data: IActionTransportReadyData_Link): IActionTransportReadyData_Methods;
-}
-//#endregion
-//#region src/ActionRuntime/Transport/Link/LinkTransport.d.ts
-interface ILinkTransportOptions {
-  /**
-   * Open (or reuse) the carrier for an action — a WebSocket adapter, a WebRTC data channel, a Bluetooth
-   * characteristic, an in-memory pipe, anything that satisfies {@link IDuplexCarrier}.
-   */
-  openChannel: (input: ITransportRouteActionParams) => IDuplexCarrier;
-  /** Shared codec for every channel (stateless). */
-  formatMessage?: TLinkFormatMessage;
-  /**
-   * Per-channel codec factory — called once per opened channel so stateful codecs (e.g. the binary
-   * session) get their own instance. Takes precedence over `formatMessage`.
-   */
-  createFormatMessage?: () => TLinkFormatMessage;
-  /** Secure-channel config; when set (and `securityLevel !== none`) the handshake runs on init. */
-  security?: ISecureClientConfig;
-  updateRunConfig?: TUpdateActionRunConfig;
-  /** Keys identifying a reusable channel, so one carrier is shared across actions to the same peer. */
-  getTransportCacheKey?: (input: ITransportRouteActionParams) => string[];
-  /**
-   * Optional availability gate. When it returns `false`, the manager skips this transport for that action
-   * (reporting `unsupported`) and falls through to the next — without opening the carrier or computing its
-   * cache key. Re-evaluated per dispatch, so the transport can become available later with no reconnect.
-   */
-  available?: (input: ITransportRouteActionParams) => boolean;
-  /** Short label for the devtools chip (defaults to "link"). */
-  label?: string;
-  getRouteInfo?: (input: ITransportRouteActionParams) => ITransportRouteInfo;
+//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.d.ts
+/** Acceptor secure config for the exchange (HTTP) endpoint — same identity an `AcceptorHandler` uses. */
+interface IExchangeAcceptorSecurity {
+  /** This acceptor's crypto identity (verify + exchange key pairs, optionally persisted). */
+  link: ClientCryptoKeyLink;
+  /** This acceptor's coordinate — its identity to clients during the handshake. */
+  localCoordinate: IRuntimeCoordinate;
+  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
+  dictionaryVersion: string;
+  /** Accepted level(s) — a single level is strict, an array is a negotiable allowed set. */
+  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+}
+interface IExchangeAcceptorConfig {
+  security: IExchangeAcceptorSecurity;
+  /** The runtime that executes an inbound action wire and produces its result. */
+  runtime: ActionRuntime;
 }
 /**
- * A carrier-agnostic transport: it drives nice-action's secure session + action routing over any
- * {@link IDuplexCarrier}. The WebSocket transport is the special case that opens a `WebSocket`;
- * this opens whatever `openChannel` returns, so the identical secure layer works over WebRTC, Bluetooth,
- * or an in-memory pipe. Reported with an overridable carrier label in the devtools (defaults to "link").
+ * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
+ * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
+ * acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
+ * requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
+ * POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
+ * and returns the (encrypted) result inline as the reply.
+ *
+ * Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
+ * Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
+ * same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
  */
-declare class LinkTransport extends Transport<ETransportShape.duplex> {
-  private readonly options;
-  readonly type = ETransportShape.duplex;
-  constructor(options: ILinkTransportOptions);
-  static create(options: ILinkTransportOptions): LinkTransport;
-  _createConnection(ctx: ITransportConnectionContext): LinkConnection;
-  getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
+declare class ExchangeAcceptor {
+  private readonly _security;
+  private readonly _runtime;
+  private readonly _allowedLevels;
+  private readonly _noneAllowed;
+  private readonly _pendingHandshakes;
+  private readonly _sessions;
+  constructor(config: IExchangeAcceptorConfig);
+  /** Process one POST body (an exchange envelope), returning the reply body to send back. */
+  handlePost(body: string): Promise<string>;
+  private _handleHandshake;
+  private _handleAction;
+  private _err;
 }
 //#endregion
 //#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.d.ts
@@ -3372,5 +2589,512 @@ interface IActionPayload_Result_JsonObject<DOM extends IActionDomain = IActionDo
 type TActionPayload_Any_Instance<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = ActionPayload_Request<DOM, ID> | ActionPayload_Result<DOM, ID> | ActionPayload_Progress<DOM, ID>;
 type TActionPayload_Any_JsonObject<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = IActionPayload_Request_JsonObject<DOM, ID> | IActionPayload_Progress_JsonObject<DOM, ID> | IActionPayload_Result_JsonObject<DOM, ID>;
 //#endregion
-export { wsAcceptorCarrier as $, TTransportStatusInfo_GetTransport_Output as $n, TPossibleDomainId as $r, IDuplexCarrier as $t, encodeExchange as A, ITransportDispatchAction as An, ERunningActionUpdateType as Ar, TAcceptorCarrier as At, IActionFrameCrypto as B, IUpdateActionRunConfig_Output as Bn, IRuntimeCoordinateSpecifics as Br, IActionChannel as Bt, decodeActionFrame as C, IActionTransportDef as Cn, RunningAction as Cr, IConnectionContext as Ct, TExchangeRequest as D, IActionTransportReadyData_Methods as Dn, IActionCore_JsonObject as Dr, IAcceptorAttachmentStore as Dt, TExchangeReply as E, IActionTransportReadyData_Base as En, IActionCore as Er, serveChannel as Et, EErrId_NiceTransport as F, ITransportStatusInfo_Base as Fn, TRunningActionUpdate as Fr, ConnectionStateStore as Ft, IHttpCarrierRequest as G, TOnResolveIncomingRequestJson as Gn, IActionDomain as Gr, acceptChannel as Gt, createActionFrameCrypto as H, TOnResolveAnyIncomingActionData as Hn, RuntimeCoordinate as Hr, IConnectTransport as Ht, err_nice_transport as I, ITransportStatusInfo_Failed as In, TRunningActionUpdateFinished as Ir, IConnectionAttachment as It, IHttpAcceptorCarrierOptions as J, TSendActionDataMethod as Jn, TActionDomainChildDef as Jr, defineChannel as Jt, TCarrierFetch as K, TOnResolveIncomingResponse as Kn, IActionDomainChildOptions as Kr, acceptChannelConnections as Kt, ExchangeTransport as L, ITransportStatusInfo_Initializing as Ln, TRunningActionUpdateListener as Lr, IConnectionStateStoreOptions as Lt, LinkTransport as M, ITransportRouteActionParams as Mn, IRunningActionUpdate_Progress as Mr, IDuplexConnectionRouter as Mt, IActionTransportReadyData_Link as N, ITransportRouteClientParams as Nn, IRunningActionUpdate_Started as Nr, IHibernatableWsServerAdapterOptions as Nt, decodeExchangeReply as O, IActionTransportResolvers as On, ERunningActionFinishedType as Or, IDuplexAcceptorCarrier as Ot, TLinkFormatMessage as P, ITransportRouteInfo as Pn, IRunningActionUpdate_Success as Pr, createHibernatableWsServerAdapter as Pt, IWsAcceptorCarrierOptions as Q, TTransportStatusInfo as Qn, TInferOutputFromSchema as Qr, createBinaryWireSessionFactory as Qt, IExchangeTransportOptions as R, ITransportStatusInfo_Ready as Rn, ActionPayload_Result as Rr, createConnectionStateStore as Rt, IActionFrameDecoder as S, ETransportStatus as Sn, MaybePromise as Sr, IChannelServer as St, err_nice_action as T, IActionTransportReady as Tn, ActionPayload_Request as Tr, IServeConnectionStateOptions as Tt, createBinaryWireAdapter as U, TOnResolveAnyIncomingActionData_Json as Un, TRuntimeCoordinateEnvId as Ur, TChannelAcceptorCases as Ut, IActionFrameCryptoConfig as V, TGetTransportFn as Vn, IRuntimeFullCoordinates as Vr, IConnectChannelOptions as Vt, IHttpCarrierOptions as W, TOnResolveIncomingRequest as Wn, TRuntimeCoordinateStringId as Wr, TChannelPushHandlers as Wt, IWsCarrierOptions as X, TTransportCache as Xn, TDomainActionId as Xr, defineSecureChannel as Xt, httpAcceptorCarrier as Y, TSendReturnDataMethod as Yn, TActionDomainSchema as Yr, ISecureChannel as Yt, wsCarrier as Z, TTransportInitializationFinishedInfo as Zn, TInferInputFromSchema as Zr, IBinaryWireSessionOptions as Zt, TActionProgress as _, ActionRootDomain as _n, encodeHandshakeMessage as _r, IExchangeAcceptorConfig as _t, IActionPayload_Data_Base as a, TActionSchemaOptions as ai, AcceptorHandler as an, IClientHandshakeConfig as ar, rtcDataChannelByteChannel as at, isActionPayload_Request_JsonObject as b, createConnectorHandler as bn, ActionLocalHandler as br, TServeHostOptions as bt, IActionPayload_Request_JsonObject as c, TAcceptorCaseFn as cn, IHandshakeEncryptionKeyMaterial as cr, IInMemoryChannelPair as ct, IActionProgress_Custom as d, TActionConnectionEncoding as dn, THandshakeMessage as dr, err_nice_external_client as dt, TPossibleDomainIdList as ei, IDuplexCarrierSource as en, TUpdateActionRunConfig as er, EErrId_NiceTransport_WebSocket as et, IActionProgress_None as f, createAcceptorHandler as fn, createClientHandshake as fr, ISecureAcceptorHandlerOptions as ft, TActionPayload_Any_JsonObject as g, ActionDomain as gn, decodeHandshakeMessage as gr, ExchangeAcceptor as gt, TActionPayload_Any_Instance as h, ActionCore as hn, createStorageTofuVerifyKeyResolver as hr, createActionFetchHandler as ht, IActionPayload_Base_JsonObject as i, actionSchema as ii, TFrame$1 as in, ESecurityLevel as ir, IRtcDataChannelLike as it, ILinkTransportOptions as j, ITransportMethod_SendActionData_Input as jn, IRunningActionUpdate_Abort as jr, isExchangeAcceptorCarrier as jt, decodeExchangeRequest as k, ISecureClientConfig as kn, ERunningActionState as kr, IExchangeAcceptorCarrier as kt, IActionPayload_Result as l, TAcceptorConnectionCaseFn as ln, IHandshakeResult as lr, IInMemoryServerEndpoint as lt, IActionRouteItemHandler as m, createActionRootDomain as mn, createServerHandshake as mr, IActionFetchHandlerOptions as mt, EActionProgressType as n, EActionResponseMode as ni, IExchangeCarrierSource as nn, Transport as nr, IRtcCarrierOptions as nt, IActionPayload_Progress as o, TActionSerializationDefinition as oi, IAcceptorConnectionBinding as on, IClientVerifyKeyResolveInput as or, IInMemoryCarrier as ot, IActionProgress_Percentage as p, IActionWireFormat as pn, createInMemoryTofuVerifyKeyResolver as pr, createSecureAcceptorHandler as pt, httpCarrier as q, TOnResolveIncomingResponseJson as qn, IActionRootDomain as qr, connectChannel as qt, IActionPayload_Base as r, TInferActionError as ri, TCarrier as rn, EHandshakeMessageType as rr, rtcCarrier as rt, IActionPayload_Progress_JsonObject as s, TTransportedValue as si, IAcceptorHandlerOptions as sn, IClientVerifyKeyResolver as sr, inMemoryCarrier as st, EActionPayloadType as t, ActionSchema as ti, IExchangeCarrier as tn, ITransportConnectionContext as tr, err_nice_transport_ws as tt, IActionPayload_Result_JsonObject as u, TActionChannelFormatMessage as un, IServerHandshakeConfig as ur, createInMemoryChannelPair as ut, TActionResultOutcome as v, ActionRuntime as vn, runtimeLinkId as vr, IExchangeAcceptorSecurity as vt, EErrId_NiceAction as w, IActionTransportInitialized as wn, ActionPayload_Progress as wr, IServeChannelOptions as wt, isActionPayload_Any_JsonObject as x, ETransportShape as xn, createLocalHandler as xr, serveHost as xt, isActionPayload_Result_JsonObject as y, ConnectorHandler as yn, PeerLinkHandler as yr, IChannelHostAdapter as yt, IActionTransportReadyData_Exchange as z, ITransportStatusInfo_Unsupported as zn, IRuntimeCoordinate as zr, IAcceptChannelOptions as zt };
-//# sourceMappingURL=ActionPayload.types-B-OSg09t.d.mts.map
+//#region src/ActionRuntime/Handler/ActionHandler.types.d.ts
+declare enum EActionHandlerType {
+  peer = "peer",
+  local = "local"
+}
+interface IActionHandler_Json<T extends EActionHandlerType> {
+  type: T;
+}
+interface IActionHandler_Peer_Json extends IActionHandler_Json<EActionHandlerType.peer> {
+  client: IRuntimeCoordinate;
+}
+interface IActionHandler_Local_Json extends IActionHandler_Json<EActionHandlerType.local> {}
+type TActionHandler_Json = IActionHandler_Local_Json | IActionHandler_Peer_Json;
+interface IHandleActionOptions {
+  timeout?: number;
+  targetPeer?: RuntimeCoordinate;
+  targetLocalRuntime?: ActionRuntime;
+}
+interface IExecuteActionOptions<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends IHandleActionOptions {
+  listeners?: TRunningActionUpdateListener<DOM, ID>[];
+}
+interface IActionHandler_Base<T extends EActionHandlerType> {
+  cuid: string;
+  handlerType: T;
+  getActionRouter: () => ActionRouter<any>;
+}
+/**
+ *
+ *  LOCAL ACTION HANDLER
+ *
+ */
+interface IHandleActionOptions_Local extends IHandleActionOptions {}
+interface IActionHandler_Local extends IActionHandler_Base<EActionHandlerType.local> {
+  handleActionRequest: <DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions_Local) => Promise<RunningAction<DOM, ID>>;
+}
+/**
+ *
+ *  PEER-LINK ACTION HANDLER
+ *
+ */
+interface IHandleActionOptions_Peer extends IHandleActionOptions {}
+interface IActionHandler_Peer extends IActionHandler_Base<EActionHandlerType.peer> {
+  peerClient: RuntimeCoordinate;
+  handleActionRequest: <DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions_Peer) => Promise<RunningAction<DOM, ID>>;
+  _setIncomingActionDataListener(listener: (json: TActionPayload_Any_JsonObject<any>) => void): void;
+}
+/**
+ *
+ *  COMBINED
+ *
+ */
+type TActionHandler = IActionHandler_Local | IActionHandler_Peer;
+//#endregion
+//#region src/ActionDefinition/Action/Payload/ActionPayload_Request.d.ts
+declare class ActionPayload_Request<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionPayload<EActionPayloadType.request, DOM, ID> {
+  readonly input: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"];
+  readonly inputHash: string;
+  _callSite?: string;
+  constructor(params: {
+    context: ActionContext<DOM, ID>;
+  }, input: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"], data: IActionPayload_Data_Base);
+  successResult(...args: [TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]] extends [never] ? [] | [output: TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]] : [output: TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]]): ActionPayload_Result<DOM, ID>;
+  errorResult(err: TInferActionError<DOM["actionSchema"][ID]>): ActionPayload_Result<DOM, ID>;
+  progress(progress: TActionProgress): ActionPayload_Progress<DOM, ID>;
+  toJsonObject(): IActionPayload_Request_JsonObject<DOM, ID>;
+  toJsonString(): string;
+  runToOutput(options?: IExecuteActionOptions<DOM, ID>): Promise<TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"]>;
+  runToResultPayload(options?: IExecuteActionOptions<DOM, ID>): Promise<ActionPayload_Result<DOM, ID>>;
+  run(options?: IExecuteActionOptions<DOM, ID>): Promise<RunningAction<DOM, ID>>;
+}
+//#endregion
+//#region src/ActionDefinition/Action/Core/ActionCore.d.ts
+declare class ActionCore<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends ActionBase<EActionForm.core, DOM, ID> implements IActionCore<DOM, ID> {
+  readonly _domain: ActionDomain<DOM>;
+  readonly form = EActionForm.core;
+  constructor(_domain: ActionDomain<DOM>, id: ID);
+  is<ACT extends IActionBase<any, any, any>>(action: ACT | unknown | null | undefined): action is TNarrowActionType<DOM, ACT, ID>;
+  toJsonObject(): IActionBase_JsonObject<EActionForm.core, DOM, ID>;
+  request(...args: [TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"]] extends [never] ? [input?: never] : [input: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"]]): ActionPayload_Request<DOM, ID>;
+  deserializeInput(serialized: TInferInputFromSchema<DOM["actionSchema"][ID]>["SerdeInput"]): TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"];
+  serializeInput(raw: TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"]): TInferInputFromSchema<DOM["actionSchema"][ID]>["SerdeInput"];
+  validateInput(input: unknown): TInferInputFromSchema<DOM["actionSchema"][ID]>["Input"];
+  validateOutput(output: unknown): TInferOutputFromSchema<DOM["actionSchema"][ID]>["Output"];
+}
+//#endregion
+//#region src/ActionRuntime/ActionRuntime.d.ts
+declare class ActionRuntime {
+  private _coordinate;
+  readonly timeCreated: number;
+  readonly runtimeInfo: IRuntimeMeta;
+  private readonly actionRouter;
+  private readonly _pendingRunningActions;
+  private readonly _registeredPeerHandlers;
+  private _applied;
+  static getDefault(): ActionRuntime;
+  constructor(coordinate: RuntimeCoordinate);
+  get coordinate(): RuntimeCoordinate;
+  specifyRuntimeCoordinate(specifics: IRuntimeCoordinateSpecifics & {
+    envId?: string;
+  }): void;
+  registerRunningAction(ra: RunningAction<any, any>): void;
+  resolveIncomingActionPayload(json: TActionPayload_Any_JsonObject<any, any>): void;
+  /**
+   * Handle an incoming action wire (e.g. from a transport layer), route it to
+   * the correct handler, and return the response. The most specific handler
+   * match is chosen (action-ID-specific beats domain-wildcard).
+   */
+  handleActionPayloadWire<D extends IActionDomain, ID extends keyof D["actionSchema"] & string>(wire: TActionPayload_Any_JsonObject<D, ID>): Promise<RunningAction<D, ID>>;
+  handleActionPayloadWire(wire: unknown): Promise<RunningAction<any, any>>;
+  handleActionPayload<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: TActionPayload_Any_Instance<DOM, ID>, options?: Omit<IHandleActionOptions, "targetLocalRuntime">): Promise<RunningAction<DOM, ID>>;
+  /**
+   * @internal
+   *
+   * Return the first handler registered for the given action, or `undefined`
+   * if none has been registered (action-ID-specific beats domain-wildcard).
+   */
+  _getHandlerForAction<ACT extends TActionPayload_Any_Instance<any, any>>(action: ACT, options?: Omit<IHandleActionOptions, "targetLocalRuntime">): TActionHandler | undefined;
+  getHandlerForActionOrThrow<ACT extends TActionPayload_Any_Instance<any, any>>(action: ACT, options?: Omit<IHandleActionOptions, "localRuntime">): TActionHandler;
+  /**
+   * Register one or more handlers. Each handler's own `actionRouter` defines
+   * which domains/actions it handles — those routing keys are mirrored into
+   * this runtime's router so the same action can be served by multiple handlers.
+   * Duplicate registrations (same handler cuid for the same key) are skipped.
+   */
+  addHandlers(handlers: TActionRuntimeHandler[]): this;
+  /**
+   * @internal Low-level primitive — the public way to open a connection is `connectChannel`, which
+   * derives routing from a channel and binds the crypto identity for you. This stays as the raw building
+   * block it sits on (it restates domain lists by hand) and is not part of the supported surface.
+   *
+   * Declare an external "backend client" in one call: build an
+   * {@link ConnectorHandler} for `externalCoordinate` carrying the given
+   * `transports`, route the listed `domains`/`actions` to it, register it (plus any
+   * `localHandlers` — e.g. server→client push handlers that share the same channel)
+   * on this runtime, and `apply()`. Returns the external handler so the caller can
+   * later `clearTransportCache()` it.
+   */
+  connectTo(externalCoordinate: RuntimeCoordinate, options: {
+    transports: Transport[];
+    domains?: ActionDomain<any>[];
+    actions?: ActionCore<any, any>[];
+    localHandlers?: TActionRuntimeHandler[];
+    defaultTimeout?: number;
+  }): ConnectorHandler;
+  private applyRuntimeForDomain;
+  /**
+   * Register this runtime with all root domains covered by its currently-added handlers,
+   * making it eligible to execute actions dispatched from those domains.
+   * After apply() is called, any subsequent addHandlers() calls also auto-register.
+   */
+  apply(): this;
+  /**
+   * Find the best registered external handler that can reach `originClient` directly.
+   * Used to locate the return-path channel for dispatching results back to the action origin.
+   * Returns `undefined` if no handler matches (score > 0 required, i.e. at least id must match).
+   *
+   * A handler that currently holds the origin's *live* connection always wins, regardless of its
+   * coordinate score — owning the live socket bound to the origin's exact coordinate (set from the
+   * handshake) is a strictly more precise match than any env-level `peerClient` score. This lets one
+   * server accept clients of *several* envs over a single acceptor (a multi-role Durable Object): the
+   * result/push routes back over the carrier the client actually connected on even when the handler's
+   * `clientEnv` is unset or names a different env. Only when no handler owns a live connection do we fall
+   * back to the plain best-coordinate-score pick (the offline-return and connector-only cases).
+   */
+  getReturnHandlerForOrigin(originClient: RuntimeCoordinate): PeerLinkHandler | undefined;
+  resetRuntime(): void;
+  private _trySetupReturnDispatch;
+}
+//#endregion
+//#region src/ActionDefinition/Domain/ActionDomain.d.ts
+type TActionMap<ACT_DOM extends IActionDomain> = { [K in keyof ACT_DOM["actionSchema"] & string]: ActionCore<ACT_DOM, K> };
+declare class ActionDomain<ACT_DOM extends IActionDomain = IActionDomain> extends ActionDomainBase<ACT_DOM> {
+  private _rootDomain;
+  private readonly _actionMap;
+  constructor(definition: ACT_DOM, {
+    rootDomain
+  }: {
+    rootDomain: ActionRootDomain<any>;
+  });
+  get rootDomain(): ActionRootDomain<any>;
+  /**
+   * @internal
+   * All action observers that should see actions on this domain: the root domain's
+   * observers plus this subdomain's own. Mirrors the listener set the local-dispatch
+   * path assembles in `runAction`/`_runAction`, so inbound actions (pushed from a
+   * backend or another client) can be wired up identically and surface in devtools.
+   */
+  _collectActionObservers(): TRunningActionUpdateListener<any, any>[];
+  _registerRuntime(runtime: ActionRuntime): void;
+  createChildDomain<SUB_DOM extends IActionDomainChildOptions>(subDomainDef: SUB_DOM & { [K in Exclude<keyof SUB_DOM, keyof IActionDomainChildOptions>]: never }): ActionDomain<TActionDomainChildDef<ACT_DOM, SUB_DOM>>;
+  get action(): TActionMap<ACT_DOM>;
+  actionsMap(): TActionMap<ACT_DOM>;
+  actionForId<ID extends keyof ACT_DOM["actionSchema"] & string>(id: ID): ActionCore<ACT_DOM, ID>;
+  wrapAsPartialLocalHandler(wrappedActionExecutor: Partial<TWrappableDomainActionHandler<ACT_DOM>>): ActionLocalHandler;
+  wrapAsLocalHandler(wrappedActionExecutor: TWrappableDomainActionHandler<ACT_DOM>): ActionLocalHandler;
+  hydrateContext<ID extends keyof ACT_DOM["actionSchema"] & string>(id: ID, contextData: IActionContext_Data_JsonObject): ActionContext<ACT_DOM, ID>;
+  isDomainAction<ACT extends IActionBase<any, ACT_DOM, any>>(action: ACT | unknown | null | undefined): action is TDistributedDomainActions<ACT_DOM, ACT>;
+  hydrateRequestPayload<ID extends keyof ACT_DOM["actionSchema"] & string, P extends IActionPayload_Request_JsonObject<ACT_DOM, ID>>(serialized: P): TDistributeActionPayload_Request<ACT_DOM, ID>;
+  hydrateResultPayload<ID extends keyof ACT_DOM["actionSchema"] & string, R extends IActionPayload_Result_JsonObject<ACT_DOM, ID>>(serialized: R): TDistributeActionPayload_Result<ACT_DOM, ID>;
+  hydrateAnyAction<ID extends keyof ACT_DOM["actionSchema"] & string, AJ extends TAction_Any_JsonObject<ACT_DOM, ID>>(actionJson: AJ): TNarrowActionJsonTypeToActionInstanceType<ACT_DOM, AJ, ID>;
+  runAction<ID extends keyof ACT_DOM["actionSchema"] & string, ACT extends ActionPayload_Request<ACT_DOM, ID>>(request: ACT, options?: IExecuteActionOptions<ACT_DOM, ID>): Promise<RunningAction<ACT_DOM, ID>>;
+  private createActionMap;
+}
+//#endregion
+//#region src/ActionDefinition/Action/ActionBase.types.d.ts
+declare enum EActionForm {
+  core = "core",
+  context = "context",
+  data = "data"
+}
+interface INiceActionIdAndDomain<DOM extends IActionDomain = IActionDomain> {
+  domain: DOM["domain"];
+  id: keyof DOM["actionSchema"] & string;
+}
+interface IActionBase<FORM extends EActionForm, DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> extends INiceActionIdAndDomain<DOM> {
+  id: ID;
+  form: FORM;
+  _domain: ActionDomain<DOM>;
+  allDomains: DOM["allDomains"];
+  schema: DOM["actionSchema"][ID];
+}
+interface IActionBase_JsonObject<FORM extends EActionForm = EActionForm, DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> {
+  form: FORM;
+  domain: DOM["domain"];
+  allDomains: DOM["allDomains"];
+  id: ID;
+}
+//#endregion
+//#region src/ActionDefinition/Action/Action.combined.types.d.ts
+/**
+ * Distributes a union ID into a proper discriminated union of ActionPayload_Request instances,
+ * so that narrowing on `.id` also narrows `.input`.
+ */
+type TDistributeActionPayload_Request<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string> = ID extends keyof DOM["actionSchema"] & string ? ActionPayload_Request<DOM, ID> : never;
+/**
+ * Distributes a union ID into a proper discriminated union of ActionPayload_Result instances,
+ * so that narrowing on `.id` also narrows `.result`.
+ */
+type TDistributeActionPayload_Result<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string> = ID extends keyof DOM["actionSchema"] & string ? ActionPayload_Result<DOM, ID> : never;
+/**
+ *
+ *  COMBINED JSON TYPES
+ *
+ */
+type TAction_Any_JsonObject<DOM extends IActionDomain = IActionDomain, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = IActionCore_JsonObject<DOM, ID> | TActionPayload_Any_JsonObject<DOM, ID> | IActionContext_JsonObject<DOM, ID>;
+/**
+ *
+ *  UTILITY TYPES
+ *
+ */
+type TDistributedDomainActions<DOM extends IActionDomain, ACT extends IActionBase<any, DOM, any>> = { [ID in keyof DOM["actionSchema"] & string]: TNarrowActionType<DOM, ACT, ID> }[keyof DOM["actionSchema"] & string];
+type TNarrowActionType<DOM extends IActionDomain, ACT extends IActionBase<any, DOM, any>, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = ACT extends ActionPayload_Result<any> ? ActionPayload_Result<DOM, ID> : ACT extends ActionPayload_Request<any> ? ActionPayload_Request<DOM, ID> : ACT extends ActionPayload_Progress<any> ? ActionPayload_Progress<DOM, ID> : ACT extends ActionCore<any> ? ActionCore<DOM, ID> : never;
+type TNarrowActionJsonTypeToActionInstanceType<DOM extends IActionDomain, ACT extends TAction_Any_JsonObject<DOM>, ID extends keyof DOM["actionSchema"] & string = keyof DOM["actionSchema"] & string> = ACT extends IActionPayload_Request_JsonObject<any> ? ActionPayload_Request<DOM, ID> : ACT extends IActionPayload_Result_JsonObject<any> ? ActionPayload_Result<DOM, ID> : ACT extends IActionPayload_Progress_JsonObject<any> ? ActionPayload_Progress<DOM, ID> : ACT extends IActionCore_JsonObject<any> ? ActionCore<DOM, ID> : never;
+//#endregion
+//#region src/ActionRuntime/Handler/PeerLink/Acceptor/AcceptorHandler.d.ts
+/** The codec shape `AcceptorHandler` uses to pack/unpack frames — same as the Link transport's. */
+type TActionChannelFormatMessage = IActionWireFormat;
+/** How a connection encodes its frames, remembered so we answer each client in its own dialect. */
+type TActionConnectionEncoding = "json" | "binary";
+/** A connection's restorable identity — what to persist so a binding survives transport eviction. */
+interface IAcceptorConnectionBinding {
+  /** Full client coordinate, so `originClient` can be re-injected into frames that omit it. */
+  client: IRuntimeCoordinate;
+  encoding: TActionConnectionEncoding;
+  /**
+   * Secure-session state (set once a connection's handshake completes). Persist it alongside the
+   * binding so an authenticated/encrypted connection resumes after eviction without re-handshaking —
+   * the `keyMaterial` lets the server re-derive the shared key from its own persisted identity.
+   */
+  secure?: {
+    securityLevel: ESecurityLevel;
+    linkedClientId: TTypeAndId;
+    keyMaterial?: IHandshakeEncryptionKeyMaterial;
+  };
+}
+/**
+ * Server-side secure-channel config. When set, each connection negotiates a level from
+ * {@link securityLevel}: an `authenticated`/`encrypted` client must complete the handshake (and is then
+ * bound to its *authenticated* coordinate) before any action frame is accepted. A `none` client (only
+ * when `none` is in the allowed set) is accepted as-is with a self-asserted identity. For the
+ * `encrypted` level the codec source should be a session factory (`createFormatMessage`).
+ */
+interface IAcceptorSecurity {
+  /**
+   * Accepted level(s). A single level is strict; an array is a negotiable allowed set — the server
+   * adopts whichever level each client requests (e.g. `[none, authenticated, encrypted]` serves all
+   * three over one endpoint).
+   */
+  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
+  /** This server's crypto identity (verify + exchange key pairs, optionally persisted). */
+  link: ClientCryptoKeyLink;
+  /** This server's coordinate — its identity to clients during the handshake. */
+  localCoordinate: IRuntimeCoordinate;
+  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
+  dictionaryVersion: string;
+  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+}
+interface IAcceptorHandlerBaseOptions<TConn> {
+  /**
+   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
+   * scored against an action's `originClient` to pick this handler when *no* handler holds the client's
+   * live connection (the offline-return fallback). A handler that currently owns the live socket always
+   * wins regardless, so this is optional: omit it for a multi-role server that accepts several client envs
+   * over one acceptor — it then defaults to `RuntimeCoordinate.unknown` (scores 0 against every client).
+   */
+  clientEnv?: RuntimeCoordinate;
+  /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
+  send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
+  /**
+   * The runtime this handler belongs to. When set, {@link AcceptorHandler.broadcast} can be called
+   * without threading a runtime through each call. Optional — `pushToClient` still takes one explicitly.
+   */
+  runtime?: ActionRuntime;
+  /** Timeout (ms) applied to server-initiated actions awaiting a client response. */
+  defaultTimeout?: number;
+  /**
+   * Called once when a connection is first bound to a client identity. Use it to persist the binding
+   * for transports that can resume after eviction — e.g. a Durable Object's hibernatable WebSocket:
+   * `(ws, binding) => ws.serializeAttachment(binding)` — then replay it via {@link AcceptorHandler.rehydrateConnection}
+   * when the channel comes back.
+   */
+  onConnectionBound?: (connection: TConn, binding: IAcceptorConnectionBinding) => void;
+  /**
+   * Enable the authenticated (optionally encrypted) handshake. When omitted, connections are trusted
+   * as-is (identity self-asserted) — fine for dev / trusted networks.
+   */
+  security?: IAcceptorSecurity;
+}
+/**
+ * Provide exactly one codec source:
+ * - `formatMessage` — a single shared codec for every connection (stateless, e.g. `createBinaryWireAdapter`).
+ * - `createFormatMessage` — a per-connection factory for stateful codecs (e.g.
+ *   `createBinaryWireSessionFactory`, whose sessions hold correlation + identity state). Required for the
+ *   leanest binary wire; the handler creates and caches one codec per connection.
+ */
+type IAcceptorHandlerOptions<TConn> = IAcceptorHandlerBaseOptions<TConn> & ({
+  formatMessage: TActionChannelFormatMessage;
+  createFormatMessage?: never;
+} | {
+  createFormatMessage: () => TActionChannelFormatMessage;
+  formatMessage?: never;
+});
+/**
+ * A connection-aware execution case (see {@link AcceptorHandler.forConnectionDomainCases}). It receives
+ * the primed request plus a per-invocation `context` — whatever the wiring's context mapper produces from
+ * the originating connection. The low-level handler passes the raw connection (`TConn | undefined`); the
+ * higher-level `serveChannel` enriches it into an `IConnectionContext` (state + broadcast + pushBack). A
+ * case may return the action's raw output, a result payload, or nothing (auto-wrapped as an empty
+ * success) — exactly like a local handler case.
+ */
+type TAcceptorCaseFn<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string, TCtx> = (action: TDistributeActionPayload_Request<DOM, ID>, context: TCtx) => ReturnType<THandleActionExecutionFn<DOM, ID>> | void;
+/**
+ * The connection-aware case the bare {@link AcceptorHandler} serves: its `context` is the originating
+ * client's live connection (resolved from the request's `originClient`, `undefined` if the socket is
+ * gone). It's {@link TAcceptorCaseFn} fixed to `TConn | undefined` — the un-enriched shape used by
+ * {@link AcceptorHandler.forConnectionDomainCases} and `acceptChannelConnections`.
+ */
+type TAcceptorConnectionCaseFn<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string, TConn> = TAcceptorCaseFn<DOM, ID, TConn | undefined>;
+/**
+ * Server-side handler for backends that accept many client connections over a single open channel
+ * (WebSockets, Durable Objects, …). It is transport-agnostic: you feed it inbound frames with
+ * {@link receive} and tell it how to write outbound frames via the `send` option.
+ *
+ * Add it alongside your local execution handler:
+ * ```ts
+ * const serverHandler = createAcceptorHandler({ clientEnv, formatMessage, send: (ws, f) => ws.send(f) });
+ * runtime.addHandlers([localHandler, serverHandler]);
+ * // per inbound message (e.g. a Durable Object's webSocketMessage):
+ * serverHandler.receive(ws, message);
+ * ```
+ *
+ * Inbound requests route to your local handler; the runtime's return dispatch then calls this
+ * handler back (it is an external handler keyed to `clientEnv`) to send the result to the originating
+ * connection. The handler keeps a per-connection identity registry so each result lands on the right
+ * socket, and remembers each connection's encoding so binary and JSON clients can share the channel.
+ *
+ * It registers an empty action router, so it is never chosen to *execute* an inbound request — only
+ * to ferry results/pushes back out.
+ */
+declare class AcceptorHandler<TConn = unknown> extends PeerLinkHandler {
+  /** Accept-in over a live (duplex) connection registry — it pushes results/broadcasts to bound sockets. */
+  readonly canPush = true;
+  private readonly _formatMessage?;
+  private readonly _createFormatMessage?;
+  private readonly _send;
+  private readonly _runtime?;
+  private readonly _serverTimeout;
+  private _onConnectionBound?;
+  private readonly _security?;
+  /** Normalized accepted levels; whether `none` (plain) is allowed; whether any level needs a handshake. */
+  private readonly _allowedLevels;
+  private readonly _noneAllowed;
+  private readonly _handshakeMode;
+  private readonly _connByClient;
+  private readonly _clientByConn;
+  private readonly _connEncoding;
+  private readonly _codecByConn;
+  private readonly _sessionByConn;
+  constructor(options: IAcceptorHandlerOptions<TConn>);
+  /**
+   * The codec for a connection: a per-connection session (cached) when a factory was provided, else
+   * the single shared `formatMessage`.
+   */
+  private _codecFor;
+  /**
+   * Register (or replace) the connection-bound persistence callback after construction. Used by
+   * lifecycle helpers like {@link createHibernatableWsServerAdapter} so persistence and replay are
+   * owned by one place instead of being split across the constructor options.
+   */
+  setOnConnectionBound(onConnectionBound: (connection: TConn, binding: IAcceptorConnectionBinding) => void): void;
+  /**
+   * Feed one inbound frame from a connection into the runtime. Decodes text or binary, binds the
+   * connection to the requesting client's identity, then routes it (requests execute locally;
+   * results/progress resolve pending server-initiated actions).
+   */
+  receive(connection: TConn, frame: string | ArrayBuffer | Uint8Array): void;
+  private _receivePlain;
+  /**
+   * The secure session for a connection (built lazily on its first secure-mode frame), with the
+   * handler-owned effects — raw send, identity binding + persistence, and inbound routing — wired in as
+   * callbacks. The session owns all crypto/handshake/chain state; the handler keeps only the registry.
+   */
+  private _sessionFor;
+  /** Bind + persist a connection's authenticated identity once its handshake completes. */
+  private _onConnectionAuthenticated;
+  /** Decode a decrypted authenticated frame, inject the *authenticated* identity, and route it. */
+  private _routeAuthedActionBytes;
+  /**
+   * Ensure an inbound request carries the client's identity and that this connection is bound to it,
+   * so its result can be routed back. A session codec omits `originClient` after the first request, so
+   * when it's missing we restore it from the (possibly rehydrated) binding instead. (Plain mode only;
+   * secure mode binds the authenticated coordinate at handshake time.)
+   */
+  private _resolveRequestIdentity;
+  /**
+   * Restore a connection→client binding without an inbound frame — for transports that resume after
+   * eviction. Pair it with the {@link IAcceptorHandlerOptions.onConnectionBound} hook: persist
+   * the binding there, then replay each live connection here when the channel comes back (e.g. a
+   * Durable Object iterating `ctx.getWebSockets()` as it wakes from hibernation).
+   */
+  rehydrateConnection(connection: TConn, binding: IAcceptorConnectionBinding): void;
+  toJsonObject(): IActionHandler_Peer_Json;
+  toHandlerRouteItem(): IActionRouteItemHandler;
+  /** Forget a connection (call on socket close) so stale entries don't misroute later results. */
+  dropConnection(connection: TConn): void;
+  /** Live connection for a client coordinate, if currently registered. */
+  getConnectionForClient(client: RuntimeCoordinate): TConn | undefined;
+  /** This acceptor owns the origin's return path when it currently holds a live connection bound to it. */
+  ownsLiveConnectionFor(origin: RuntimeCoordinate): boolean;
+  /** Whether this acceptor currently tracks `connection` — used to pick the owning handler among several. */
+  hasConnection(connection: TConn): boolean;
+  /**
+   * Send (and optionally await) a server-initiated action to a specific connected client. Pass the
+   * connection token directly (e.g. the `ws`) or a client `RuntimeCoordinate` to look one up.
+   */
+  pushToClient<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(runtime: ActionRuntime, target: TConn | RuntimeCoordinate, request: ActionPayload_Request<DOM, ID>, options?: {
+    timeout?: number;
+  }): RunningAction<DOM, ID>;
+  /**
+   * Build a local handler whose cases are connection-aware: each case receives the primed request and
+   * the originating client's live connection (resolved from `originClient`), so handlers don't repeat
+   * the `getConnectionForClient(action.context.originClient)` lookup. Cases may return raw output or
+   * nothing, just like {@link ActionLocalHandler.forDomainActionCases}. Add the returned handler to the
+   * runtime alongside this server handler:
+   * ```ts
+   * runtime.addHandlers([serverHandler.forConnectionDomainCases(domain, { … }), serverHandler]);
+   * ```
+   */
+  forConnectionDomainCases<FOR_DOM extends IActionDomain>(domain: ActionDomain<FOR_DOM>, cases: { [ID in keyof FOR_DOM["actionSchema"] & string]?: TAcceptorConnectionCaseFn<FOR_DOM, ID, TConn> }): ActionLocalHandler;
+  /**
+   * Like {@link forConnectionDomainCases} but spanning several domains with one merged case map — used
+   * by channel-derived wiring (`acceptChannelConnections` / `serveChannel`) where the channel's
+   * `toAcceptor` domains are served together. Each domain takes only the cases whose ids it owns, so a
+   * single map can cover several domains and unrelated ids are ignored.
+   *
+   * `mapContext` turns the resolved connection into whatever the case's second argument should be: the
+   * raw connection for the low-level helper, or an enriched `IConnectionContext` for `serveChannel`. It's
+   * called once per inbound action, after the originating connection is resolved.
+   */
+  forConnectionDomainCasesMulti<TCtx>(domains: readonly ActionDomain<any>[], cases: Record<string, TAcceptorCaseFn<any, any, TCtx> | undefined>, mapContext: (connection: TConn | undefined, request: ActionPayload_Request<any, any>) => TCtx): ActionLocalHandler;
+  /**
+   * Fan a server-initiated request out to every currently-bound connection. A fresh request is built
+   * per connection (each push mutates its own action context) and dispatched fire-and-forget. Pass
+   * `except` to skip the originating socket and `where` to filter by connection (e.g. read its
+   * attachment for a role). Iterating bound connections (rather than every accepted socket) skips
+   * sockets that are still mid-handshake and so can't yet receive a frame.
+   */
+  broadcast<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(makeRequest: () => ActionPayload_Request<DOM, ID>, options?: {
+    runtime?: ActionRuntime;
+    except?: TConn | null;
+    where?: (connection: TConn) => boolean;
+    timeout?: number;
+    onError?: (error: unknown, connection: TConn) => void;
+  }): void;
+  sendReturnPayload(payload: TActionPayload_Any_Instance<any, any>, config: {
+    targetLocalRuntime: ActionRuntime;
+  }): Promise<boolean>;
+  handleActionRequest<DOM extends IActionDomain, ID extends keyof DOM["actionSchema"] & string>(action: ActionPayload_Request<DOM, ID>, config?: IHandleActionOptions): Promise<RunningAction<DOM, ID>>;
+  private _dispatch;
+  private _sendPayload;
+  private _bindConnection;
+  private _resolveConnection;
+  private _resolveSingleConnection;
+}
+declare const createAcceptorHandler: <TConn = unknown>(options: IAcceptorHandlerOptions<TConn>) => AcceptorHandler<TConn>;
+//#endregion
+export { httpAcceptorCarrier as $, createInMemoryTofuVerifyKeyResolver as $n, TCarrier as $t, TActionResultOutcome as A, TOnResolveIncomingResponseJson as An, IActionCore_JsonObject as Ar, IHibernatableWsServerAdapterOptions as At, decodeExchangeReply as B, Transport as Bn, TPossibleDomainIdList as Br, TChannelAcceptorCases as Bt, IActionProgress_Custom as C, IUpdateActionRunConfig_Output as Cn, IRuntimeCoordinate as Cr, serveChannel as Ct, TActionPayload_Any_Instance as D, TOnResolveIncomingRequest as Dn, TRuntimeCoordinateEnvId as Dr, TAcceptorCarrier as Dt, IActionRouteItemHandler as E, TOnResolveAnyIncomingActionData_Json as En, RuntimeCoordinate as Er, IExchangeAcceptorCarrier as Et, decodeActionFrame as F, TTransportStatusInfo as Fn, TActionDomainSchema as Fr, createConnectionStateStore as Ft, IExchangeAcceptorSecurity as G, IClientHandshakeConfig as Gn, TActionSchemaOptions as Gr, defineChannel as Gt, encodeExchange as H, createSecureAcceptorHandler as Hn, EActionResponseMode as Hr, acceptChannel as Ht, EErrId_NiceAction as I, TTransportStatusInfo_GetTransport_Output as In, TDomainActionId as Ir, IAcceptChannelOptions as It, IHttpCarrierOptions as J, IHandshakeEncryptionKeyMaterial as Jn, IActionWireFormat as Jt, EErrId_NiceTransport as K, IClientVerifyKeyResolveInput as Kn, TActionSerializationDefinition as Kr, IBinaryWireSessionOptions as Kt, err_nice_action as L, TUpdateActionRunConfig as Ln, TInferInputFromSchema as Lr, IActionChannel as Lt, isActionPayload_Request_JsonObject as M, TSendReturnDataMethod as Mn, IActionDomainChildOptions as Mr, ConnectionStateStore as Mt, isActionPayload_Any_JsonObject as N, TTransportCache as Nn, IActionRootDomain as Nr, IConnectionAttachment as Nt, TActionPayload_Any_JsonObject as O, TOnResolveIncomingRequestJson as On, TRuntimeCoordinateStringId as Or, isExchangeAcceptorCarrier as Ot, IActionFrameDecoder as P, TTransportInitializationFinishedInfo as Pn, TActionDomainChildDef as Pr, IConnectionStateStoreOptions as Pt, IHttpAcceptorCarrierOptions as Q, createClientHandshake as Qn, IExchangeCarrierSource as Qt, TExchangeReply as R, TransportConnection as Rn, TInferOutputFromSchema as Rr, IConnectChannelOptions as Rt, IActionPayload_Result_JsonObject as S, ITransportStatusInfo_Unsupported as Sn, ActionPayload_Progress as Sr, IServeConnectionStateOptions as St, IActionProgress_Percentage as T, TOnResolveAnyIncomingActionData as Tn, IRuntimeFullCoordinates as Tr, IDuplexAcceptorCarrier as Tt, ExchangeAcceptor as U, EHandshakeMessageType as Un, TInferActionError as Ur, acceptChannelConnections as Ut, decodeExchangeRequest as V, ISecureAcceptorHandlerOptions as Vn, ActionSchema as Vr, TChannelPushHandlers as Vt, IExchangeAcceptorConfig as W, ESecurityLevel as Wn, actionSchema as Wr, connectChannel as Wt, TCarrierFetch as X, IServerHandshakeConfig as Xn, IDuplexCarrierSource as Xt, IHttpCarrierRequest as Y, IHandshakeResult as Yn, IDuplexCarrier as Yt, httpCarrier as Z, THandshakeMessage as Zn, IExchangeCarrier as Zt, IActionPayload_Data_Base as _, ITransportRouteInfo as _n, IRunningActionUpdate_Success as _r, TServeHostOptions as _t, TAcceptorConnectionCaseFn as a, ETransportStatus as an, ActionLocalHandler as ar, err_nice_transport_ws as at, IActionPayload_Request_JsonObject as b, ITransportStatusInfo_Initializing as bn, TRunningActionUpdateListener as br, IConnectionContext as bt, createAcceptorHandler as c, IActionTransportReady as cn, createActionRootDomain as cr, IRtcDataChannelLike as ct, ActionCore as d, IActionTransportResolvers as dn, ERunningActionFinishedType as dr, inMemoryCarrier as dt, TFrame$1 as en, createServerHandshake as er, IWsCarrierOptions as et, ActionPayload_Request as f, ISecureClientConfig as fn, ERunningActionState as fr, IInMemoryChannelPair as ft, IActionPayload_Base_JsonObject as g, ITransportRouteClientParams as gn, IRunningActionUpdate_Started as gr, IChannelHostAdapter as gt, IActionPayload_Base as h, ITransportRouteActionParams as hn, IRunningActionUpdate_Progress as hr, err_nice_external_client as ht, TAcceptorCaseFn as i, ETransportShape as in, runtimeLinkId as ir, EErrId_NiceTransport_WebSocket as it, isActionPayload_Result_JsonObject as j, TSendActionDataMethod as jn, IActionDomain as jr, createHibernatableWsServerAdapter as jt, TActionProgress as k, TOnResolveIncomingResponse as kn, IActionCore as kr, IDuplexConnectionRouter as kt, ActionDomain as l, IActionTransportReadyData_Base as ln, ActionRootDomain as lr, rtcDataChannelByteChannel as lt, EActionProgressType as m, ITransportMethod_SendActionData_Input as mn, IRunningActionUpdate_Abort as mr, createInMemoryChannelPair as mt, IAcceptorConnectionBinding as n, createConnectorHandler as nn, decodeHandshakeMessage as nr, IWsAcceptorCarrierOptions as nt, TActionChannelFormatMessage as o, IActionTransportDef as on, createLocalHandler as or, IRtcCarrierOptions as ot, EActionPayloadType as p, ITransportDispatchAction as pn, ERunningActionUpdateType as pr, IInMemoryServerEndpoint as pt, err_nice_transport as q, IClientVerifyKeyResolver as qn, TTransportedValue as qr, createBinaryWireSessionFactory as qt, IAcceptorHandlerOptions as r, PeerLinkHandler as rn, encodeHandshakeMessage as rr, wsAcceptorCarrier as rt, TActionConnectionEncoding as s, IActionTransportInitialized as sn, MaybePromise as sr, rtcCarrier as st, AcceptorHandler as t, ConnectorHandler as tn, createStorageTofuVerifyKeyResolver as tr, wsCarrier as tt, ActionRuntime as u, IActionTransportReadyData_Methods as un, RunningAction as ur, IInMemoryCarrier as ut, IActionPayload_Progress as v, ITransportStatusInfo_Base as vn, TRunningActionUpdate as vr, serveHost as vt, IActionProgress_None as w, TGetTransportFn as wn, IRuntimeCoordinateSpecifics as wr, IAcceptorAttachmentStore as wt, IActionPayload_Result as x, ITransportStatusInfo_Ready as xn, ActionPayload_Result as xr, IServeChannelOptions as xt, IActionPayload_Progress_JsonObject as y, ITransportStatusInfo_Failed as yn, TRunningActionUpdateFinished as yr, IChannelServer as yt, TExchangeRequest as z, ITransportConnectionContext as zn, TPossibleDomainId as zr, IConnectTransport as zt };
+//# sourceMappingURL=AcceptorHandler-BizUtq4u.d.mts.map