@nice-code/action 0.24.0 → 0.26.0

package/build/{AcceptorHandler-CxD0c1BE.d.cts → AcceptorHandler-Du292dpC.d.cts}

@@ -781,6 +781,16 @@ declare function createInMemoryTofuVerifyKeyResolver(): IClientVerifyKeyResolver
  * Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
  * (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
  * + pin the first verify key per client identity, reject a different one thereafter.
+ *
+ * Fail-closed by construction: a thrown storage read (`getJson`) or first-pin write (`updateJsonWithDef`)
+ * propagates out of `resolve`, which makes `onProve` reject the handshake — a storage error can never be
+ * mistaken for "first use" and silently trusted. (A genuine `undefined`/absent read is the only path to
+ * a fresh pin; the underlying adapters never coerce a thrown read to `undefined`.) Keep it that way: do
+ * not wrap the storage calls in a `try/catch` that swallows the error.
+ *
+ * On an *eventually-consistent* store a stale "absent" read re-pins the **same** verify key the client
+ * just presented (it is signature-verified before this runs), so the worst case is a harmless re-write,
+ * never a weakened trust decision. Cross-isolate-strong pinning still wants a strongly-consistent store.
  */
 declare function createStorageTofuVerifyKeyResolver(storageAdapter: StorageAdapter): IClientVerifyKeyResolver;
 interface IClientHandshakeConfig {
@@ -808,11 +818,37 @@ interface IServerHandshakeConfig {
   /** Trust decision for a client's verify key. Defaults to in-memory TOFU. */
   verifyKeyResolver?: IClientVerifyKeyResolver;
 }
-declare function createServerHandshake(config: IServerHandshakeConfig): {
+/**
+ * The server handshake's in-flight state between `onHello` and `onProve` — everything `onProve` needs
+ * to verify the client's proof and settle the result. Fully serializable (all JSON / serialized-key
+ * strings), so a stateless server can {@link IServerHandshake.exportPending} it after `hello`, carry it
+ * across requests (e.g. sealed into a continuation token), and {@link IServerHandshake.restorePending}
+ * it on a *different* instance before `prove` — no in-memory handshake to co-locate. The `serverNonce`
+ * is already folded into `challenge`, so it need not be carried separately.
+ */
+interface IServerHandshakePending {
+  client: IRuntimeCoordinate;
+  linkedClientId: TTypeAndId;
+  challenge: string;
+  clientVerifyKey: TSerializedCryptoKeyData_Ed25519_Raw;
+  negotiatedLevel: ESecurityLevel;
+  keyMaterial?: IHandshakeEncryptionKeyMaterial;
+}
+interface IServerHandshake {
   onHello(hello: THsHello): Promise<THsWelcome | THsReject>;
-  onProve(prove: THsProve): Promise<THsAccept | THsReject>; /** The completed handshake result once `onProve` has accepted, else `undefined`. */
+  onProve(prove: THsProve): Promise<THsAccept | THsReject>;
   getResult(): IHandshakeResult | undefined;
-};
+  /** The serializable in-flight state after `onHello` (else `undefined`). See {@link IServerHandshakePending}. */
+  exportPending(): IServerHandshakePending | undefined;
+  /**
+   * Restore exported `pending` onto a *fresh* handshake instance so `onProve` can run without the
+   * `onHello` that produced it (the stateless / cross-instance path). Re-links the client's verify key
+   * — `onHello`'s `linkClient` was in-memory only and won't exist on this instance — so the signature
+   * check in `onProve` succeeds. Build the instance with the same `config` (identity link + coordinate).
+   */
+  restorePending(pending: IServerHandshakePending): Promise<void>;
+}
+declare function createServerHandshake(config: IServerHandshakeConfig): IServerHandshake;
 //#endregion
 //#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.d.ts
 interface ISecureAcceptorHandlerOptions<TConn> {
@@ -820,9 +856,10 @@ interface ISecureAcceptorHandlerOptions<TConn> {
   channel: IActionChannel;
   /**
    * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
-   * used to route results/pushes back over this handler.
+   * used as the offline-return scoring fallback (a live connection always wins regardless). Optional —
+   * omit it for a multi-role server accepting several client envs over one acceptor.
    */
-  clientEnv: RuntimeCoordinate;
+  clientEnv?: RuntimeCoordinate;
   /** This server's runtime — its coordinate is the server identity presented in the handshake. */
   runtime: ActionRuntime;
   /**
@@ -1832,9 +1869,12 @@ interface IConnectionContext<TConn, TApp = unknown> {
 interface IServeChannelOptions<TO_ACCEPTOR extends readonly ActionDomain<any>[], TConn, TApp = unknown> {
   /**
    * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
-   * used to score return-path dispatch back to the right connection.
+   * used only as the offline-return scoring fallback — a result/push to a live client always routes over
+   * the carrier it connected on regardless of this. Optional: omit it for a multi-role server that accepts
+   * clients of several envs over one acceptor (it then scores 0 against every client, so the live
+   * connection always decides).
    */
-  clientEnv: RuntimeCoordinate;
+  clientEnv?: RuntimeCoordinate;
   /**
    * One backing store for the server's crypto identity *and* its trust-on-first-use verify-key pins
    * (their keys don't collide). It is built once and shared across every carrier, so the WebSocket and the
@@ -1843,6 +1883,14 @@ interface IServeChannelOptions<TO_ACCEPTOR extends readonly ActionDomain<any>[],
    *
    * Required only when at least one carrier is secure (the default). A fully-plain server (every carrier
    * `secure: false`) needs no storage and may omit it.
+   *
+   * The secure HTTP exchange is stateless — its handshake + session ride sealed tokens, so it touches
+   * this store only for the (read-mostly) identity, never per session. That lets a single secure-exchange
+   * server (`carriers: [httpAcceptorCarrier()]`) run on a stateless Worker/Node backend with no Durable
+   * Object. On a *strongly-consistent* store (DO storage, D1, Node memory) the default lazy identity is
+   * fork-safe. On an *eventually-consistent* store (Cloudflare KV) pass an explicit {@link link} built
+   * with `identityMode: "required"` and `provisionIdentity()` it once out-of-band, so a transient read
+   * miss can never fork a second identity (which pinned clients would then permanently reject).
    */
   storage?: StorageAdapter;
   /**
@@ -2265,6 +2313,115 @@ declare const err_nice_transport: import("@nice-code/error").NiceErrorDomain<{
   };
 }>;
 //#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.d.ts
+/** Acceptor secure config for the exchange (HTTP) endpoint — same identity an `AcceptorHandler` uses. */
+interface IExchangeAcceptorSecurity {
+  /** This acceptor's crypto identity (verify + exchange key pairs, optionally persisted). */
+  link: ClientCryptoKeyLink;
+  /** This acceptor's coordinate — its identity to clients during the handshake. */
+  localCoordinate: IRuntimeCoordinate;
+  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
+  dictionaryVersion: string;
+  /** Accepted level(s) — a single level is strict, an array is a negotiable allowed set. */
+  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
+  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
+  verifyKeyResolver?: IClientVerifyKeyResolver;
+}
+interface IExchangeAcceptorConfig {
+  security: IExchangeAcceptorSecurity;
+  /** The runtime that executes an inbound action wire and produces its result. */
+  runtime: ActionRuntime;
+  /**
+   * How long a minted session ticket stays valid (ms). After it expires the client's next action is
+   * rejected and it must re-handshake. Defaults to 12h — long enough for an ordinary session's life,
+   * since a sealed ticket carries no server state to revoke before then. Keep it shorter for a more
+   * tightly time-boxed session.
+   */
+  sessionTtlMs?: number;
+}
+/**
+ * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
+ * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
+ * acceptor drives the server handshake over the two `hs` POSTs, mints a session **token** on accept, and
+ * on every later `act` POST resolves the session by token, decrypts the body (at `encrypted`), routes it
+ * through the runtime, and returns the (encrypted) result inline as the reply.
+ *
+ * **Stateless.** It holds no in-memory handshakes or sessions: the in-flight handshake `pending` is
+ * sealed into the `hsc` continuation token returned on `welcome` and echoed back on `prove`, and the live
+ * session is sealed into the `t` token replayed on every `act`. Both are sealed under the acceptor's own
+ * persisted identity ({@link createExchangeTicketSealer}), so any isolate that loaded the same identity
+ * can serve any POST — no request needs to co-locate with another (no Durable Object required just to
+ * pin a handshake to one instance). A tampered, wrong-key, or expired token opens to "no valid session".
+ */
+declare class ExchangeAcceptor {
+  private readonly _security;
+  private readonly _runtime;
+  private readonly _allowedLevels;
+  private readonly _noneAllowed;
+  private readonly _sealer;
+  private readonly _sessionTtlMs;
+  constructor(config: IExchangeAcceptorConfig);
+  /** Process one POST body (an exchange envelope), returning the reply body to send back. */
+  handlePost(body: string): Promise<string>;
+  private _makeHandshake;
+  private _handleHandshake;
+  private _handleAction;
+  private _err;
+}
+//#endregion
+//#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.d.ts
+/**
+ * The application-level envelope for secure action traffic over an {@link IExchangeCarrier} (HTTP). An
+ * exchange carrier only moves one request frame → one reply frame with no unsolicited push, so the
+ * handshake and the per-action token + crypto all ride in this envelope (a JSON string body) rather than
+ * on a persistent channel. The three security levels share it:
+ *
+ * - `none` — no handshake, no token: an `act` envelope carries the plaintext wire both ways.
+ * - `authenticated` — a one-time handshake yields a session `token`; each later `act` carries it +
+ *   the plaintext wire.
+ * - `encrypted` — same, but the wire is AES-GCM ciphertext, base64 in the `c` field.
+ *
+ * The handshake runs as two `hs` exchanges (hello→welcome, prove→accept). The acceptor keeps **no**
+ * in-flight state between them: the `welcome` reply carries a sealed handshake-continuation token `hsc`
+ * (the acceptor's `pending` state, opaque to the client), which the connector echoes on the `prove`
+ * request. The `accept` reply then carries the (sealed) session `t`oken replayed on every later `act`.
+ * All server-side continuity rides these sealed tokens, so no request needs to co-locate with another.
+ */
+type TWireJson = TActionPayload_Any_JsonObject<any, any>;
+/** Connector → acceptor request envelope. */
+type TExchangeRequest = {
+  k: "hs";
+  m: string;
+  hsc?: string;
+} | {
+  k: "act";
+  t?: string;
+  w: TWireJson;
+} | {
+  k: "act";
+  t?: string;
+  c: string;
+};
+/** Acceptor → connector reply envelope. */
+type TExchangeReply = {
+  k: "hs";
+  m: string;
+  hsc?: string;
+  t?: string;
+} | {
+  k: "act";
+  w: TWireJson;
+} | {
+  k: "act";
+  c: string;
+} | {
+  k: "err";
+  message: string;
+};
+declare function encodeExchange(envelope: TExchangeRequest | TExchangeReply): string;
+declare function decodeExchangeRequest(raw: string): TExchangeRequest | undefined;
+declare function decodeExchangeReply(raw: string): TExchangeReply | undefined;
+//#endregion
 //#region src/errors/err_nice_action.d.ts
 declare enum EErrId_NiceAction {
   not_implemented = "not_implemented",
@@ -2646,11 +2803,13 @@ declare class ActionRuntime {
    * Used to locate the return-path channel for dispatching results back to the action origin.
    * Returns `undefined` if no handler matches (score > 0 required, i.e. at least id must match).
    *
-   * A handler that currently holds the origin's *live* connection always wins over a mere coordinate
-   * match — so with several duplex acceptors (e.g. WS + WebRTC) a result/push routes back over the carrier
-   * the client actually connected on, never a same-coordinate sibling that lacks the socket. Only when no
-   * handler owns a live connection do we fall back to the plain best-coordinate-score pick (the
-   * single-acceptor and connector-only cases, unchanged).
+   * A handler that currently holds the origin's *live* connection always wins, regardless of its
+   * coordinate score — owning the live socket bound to the origin's exact coordinate (set from the
+   * handshake) is a strictly more precise match than any env-level `peerClient` score. This lets one
+   * server accept clients of *several* envs over a single acceptor (a multi-role Durable Object): the
+   * result/push routes back over the carrier the client actually connected on even when the handler's
+   * `clientEnv` is unset or names a different env. Only when no handler owns a live connection do we fall
+   * back to the plain best-coordinate-score pick (the offline-return and connector-only cases).
    */
   getReturnHandlerForOrigin(originClient: RuntimeCoordinate): PeerLinkHandler | undefined;
   resetRuntime(): void;
@@ -2788,11 +2947,13 @@ interface IAcceptorSecurity {
 }
 interface IAcceptorHandlerBaseOptions<TConn> {
   /**
-   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`).
-   * The runtime's return-path dispatch scores incoming actions' `originClient` against this to pick
-   * this handler for sending results/pushes back over the right channel.
+   * Coordinate of the *connecting clients* (typically env-only, e.g. `RuntimeCoordinate.env("web_app")`),
+   * scored against an action's `originClient` to pick this handler when *no* handler holds the client's
+   * live connection (the offline-return fallback). A handler that currently owns the live socket always
+   * wins regardless, so this is optional: omit it for a multi-role server that accepts several client envs
+   * over one acceptor — it then defaults to `RuntimeCoordinate.unknown` (scores 0 against every client).
    */
-  clientEnv: RuntimeCoordinate;
+  clientEnv?: RuntimeCoordinate;
   /** Write an encoded frame to a specific live connection (e.g. `(ws, frame) => ws.send(frame)`). */
   send: (connection: TConn, frame: string | Uint8Array | ArrayBuffer) => void;
   /**
@@ -2993,5 +3154,5 @@ declare class AcceptorHandler<TConn = unknown> extends PeerLinkHandler {
 }
 declare const createAcceptorHandler: <TConn = unknown>(options: IAcceptorHandlerOptions<TConn>) => AcceptorHandler<TConn>;
 //#endregion
-export { rtcCarrier as $, MaybePromise as $n, IActionTransportInitialized as $t, TActionResultOutcome as A, TransportConnection as An, TInferOutputFromSchema as Ar, IConnectChannelOptions as At, IHttpCarrierOptions as B, IHandshakeEncryptionKeyMaterial as Bn, IActionWireFormat as Bt, IActionProgress_Custom as C, TSendActionDataMethod as Cn, IActionDomain as Cr, createHibernatableWsServerAdapter as Ct, TActionPayload_Any_Instance as D, TTransportStatusInfo as Dn, TActionDomainSchema as Dr, createConnectionStateStore as Dt, IActionRouteItemHandler as E, TTransportInitializationFinishedInfo as En, TActionDomainChildDef as Er, IConnectionStateStoreOptions as Et, decodeActionFrame as F, EHandshakeMessageType as Fn, TInferActionError as Fr, acceptChannelConnections as Ft, httpAcceptorCarrier as G, createInMemoryTofuVerifyKeyResolver as Gn, TCarrier as Gt, TCarrierFetch as H, IServerHandshakeConfig as Hn, IDuplexCarrierSource as Ht, EErrId_NiceAction as I, ESecurityLevel as In, actionSchema as Ir, connectChannel as It, IWsAcceptorCarrierOptions as J, decodeHandshakeMessage as Jn, createConnectorHandler as Jt, IWsCarrierOptions as K, createServerHandshake as Kn, TFrame$1 as Kt, err_nice_action as L, IClientHandshakeConfig as Ln, TActionSchemaOptions as Lr, defineChannel as Lt, isActionPayload_Request_JsonObject as M, Transport as Mn, TPossibleDomainIdList as Mr, TChannelAcceptorCases as Mt, isActionPayload_Any_JsonObject as N, ISecureAcceptorHandlerOptions as Nn, ActionSchema as Nr, TChannelPushHandlers as Nt, TActionPayload_Any_JsonObject as O, TTransportStatusInfo_GetTransport_Output as On, TDomainActionId as Or, IAcceptChannelOptions as Ot, IActionFrameDecoder as P, createSecureAcceptorHandler as Pn, EActionResponseMode as Pr, acceptChannel as Pt, IRtcCarrierOptions as Q, createLocalHandler as Qn, IActionTransportDef as Qt, EErrId_NiceTransport as R, IClientVerifyKeyResolveInput as Rn, TActionSerializationDefinition as Rr, IBinaryWireSessionOptions as Rt, IActionPayload_Result_JsonObject as S, TOnResolveIncomingResponseJson as Sn, IActionCore_JsonObject as Sr, IHibernatableWsServerAdapterOptions as St, IActionProgress_Percentage as T, TTransportCache as Tn, IActionRootDomain as Tr, IConnectionAttachment as Tt, httpCarrier as U, THandshakeMessage as Un, IExchangeCarrier as Ut, IHttpCarrierRequest as V, IHandshakeResult as Vn, IDuplexCarrier as Vt, IHttpAcceptorCarrierOptions as W, createClientHandshake as Wn, IExchangeCarrierSource as Wt, EErrId_NiceTransport_WebSocket as X, runtimeLinkId as Xn, ETransportShape as Xt, wsAcceptorCarrier as Y, encodeHandshakeMessage as Yn, PeerLinkHandler as Yt, err_nice_transport_ws as Z, ActionLocalHandler as Zn, ETransportStatus as Zt, IActionPayload_Data_Base as _, TOnResolveAnyIncomingActionData as _n, IRuntimeFullCoordinates as _r, IDuplexAcceptorCarrier as _t, TAcceptorConnectionCaseFn as a, ITransportDispatchAction as an, ERunningActionUpdateType as ar, IInMemoryServerEndpoint as at, IActionPayload_Request_JsonObject as b, TOnResolveIncomingRequestJson as bn, TRuntimeCoordinateStringId as br, isExchangeAcceptorCarrier as bt, createAcceptorHandler as c, ITransportRouteClientParams as cn, IRunningActionUpdate_Started as cr, IChannelHostAdapter as ct, ActionCore as d, ITransportStatusInfo_Failed as dn, TRunningActionUpdateFinished as dr, IChannelServer as dt, IActionTransportReady as en, createActionRootDomain as er, IRtcDataChannelLike as et, ActionPayload_Request as f, ITransportStatusInfo_Initializing as fn, TRunningActionUpdateListener as fr, IConnectionContext as ft, IActionPayload_Base_JsonObject as g, TGetTransportFn as gn, IRuntimeCoordinateSpecifics as gr, IAcceptorAttachmentStore as gt, IActionPayload_Base as h, IUpdateActionRunConfig_Output as hn, IRuntimeCoordinate as hr, serveChannel as ht, TAcceptorCaseFn as i, ISecureClientConfig as in, ERunningActionState as ir, IInMemoryChannelPair as it, isActionPayload_Result_JsonObject as j, ITransportConnectionContext as jn, TPossibleDomainId as jr, IConnectTransport as jt, TActionProgress as k, TUpdateActionRunConfig as kn, TInferInputFromSchema as kr, IActionChannel as kt, ActionDomain as l, ITransportRouteInfo as ln, IRunningActionUpdate_Success as lr, TServeHostOptions as lt, EActionProgressType as m, ITransportStatusInfo_Unsupported as mn, ActionPayload_Progress as mr, IServeConnectionStateOptions as mt, IAcceptorConnectionBinding as n, IActionTransportReadyData_Methods as nn, RunningAction as nr, IInMemoryCarrier as nt, TActionChannelFormatMessage as o, ITransportMethod_SendActionData_Input as on, IRunningActionUpdate_Abort as or, createInMemoryChannelPair as ot, EActionPayloadType as p, ITransportStatusInfo_Ready as pn, ActionPayload_Result as pr, IServeChannelOptions as pt, wsCarrier as q, createStorageTofuVerifyKeyResolver as qn, ConnectorHandler as qt, IAcceptorHandlerOptions as r, IActionTransportResolvers as rn, ERunningActionFinishedType as rr, inMemoryCarrier as rt, TActionConnectionEncoding as s, ITransportRouteActionParams as sn, IRunningActionUpdate_Progress as sr, err_nice_external_client as st, AcceptorHandler as t, IActionTransportReadyData_Base as tn, ActionRootDomain as tr, rtcDataChannelByteChannel as tt, ActionRuntime as u, ITransportStatusInfo_Base as un, TRunningActionUpdate as ur, serveHost as ut, IActionPayload_Progress as v, TOnResolveAnyIncomingActionData_Json as vn, RuntimeCoordinate as vr, IExchangeAcceptorCarrier as vt, IActionProgress_None as w, TSendReturnDataMethod as wn, IActionDomainChildOptions as wr, ConnectionStateStore as wt, IActionPayload_Result as x, TOnResolveIncomingResponse as xn, IActionCore as xr, IDuplexConnectionRouter as xt, IActionPayload_Progress_JsonObject as y, TOnResolveIncomingRequest as yn, TRuntimeCoordinateEnvId as yr, TAcceptorCarrier as yt, err_nice_transport as z, IClientVerifyKeyResolver as zn, TTransportedValue as zr, createBinaryWireSessionFactory as zt };
-//# sourceMappingURL=AcceptorHandler-CxD0c1BE.d.cts.map
+export { httpAcceptorCarrier as $, createInMemoryTofuVerifyKeyResolver as $n, TCarrier as $t, TActionResultOutcome as A, TOnResolveIncomingResponseJson as An, IActionCore_JsonObject as Ar, IHibernatableWsServerAdapterOptions as At, decodeExchangeReply as B, Transport as Bn, TPossibleDomainIdList as Br, TChannelAcceptorCases as Bt, IActionProgress_Custom as C, IUpdateActionRunConfig_Output as Cn, IRuntimeCoordinate as Cr, serveChannel as Ct, TActionPayload_Any_Instance as D, TOnResolveIncomingRequest as Dn, TRuntimeCoordinateEnvId as Dr, TAcceptorCarrier as Dt, IActionRouteItemHandler as E, TOnResolveAnyIncomingActionData_Json as En, RuntimeCoordinate as Er, IExchangeAcceptorCarrier as Et, decodeActionFrame as F, TTransportStatusInfo as Fn, TActionDomainSchema as Fr, createConnectionStateStore as Ft, IExchangeAcceptorSecurity as G, IClientHandshakeConfig as Gn, TActionSchemaOptions as Gr, defineChannel as Gt, encodeExchange as H, createSecureAcceptorHandler as Hn, EActionResponseMode as Hr, acceptChannel as Ht, EErrId_NiceAction as I, TTransportStatusInfo_GetTransport_Output as In, TDomainActionId as Ir, IAcceptChannelOptions as It, IHttpCarrierOptions as J, IHandshakeEncryptionKeyMaterial as Jn, IActionWireFormat as Jt, EErrId_NiceTransport as K, IClientVerifyKeyResolveInput as Kn, TActionSerializationDefinition as Kr, IBinaryWireSessionOptions as Kt, err_nice_action as L, TUpdateActionRunConfig as Ln, TInferInputFromSchema as Lr, IActionChannel as Lt, isActionPayload_Request_JsonObject as M, TSendReturnDataMethod as Mn, IActionDomainChildOptions as Mr, ConnectionStateStore as Mt, isActionPayload_Any_JsonObject as N, TTransportCache as Nn, IActionRootDomain as Nr, IConnectionAttachment as Nt, TActionPayload_Any_JsonObject as O, TOnResolveIncomingRequestJson as On, TRuntimeCoordinateStringId as Or, isExchangeAcceptorCarrier as Ot, IActionFrameDecoder as P, TTransportInitializationFinishedInfo as Pn, TActionDomainChildDef as Pr, IConnectionStateStoreOptions as Pt, IHttpAcceptorCarrierOptions as Q, createClientHandshake as Qn, IExchangeCarrierSource as Qt, TExchangeReply as R, TransportConnection as Rn, TInferOutputFromSchema as Rr, IConnectChannelOptions as Rt, IActionPayload_Result_JsonObject as S, ITransportStatusInfo_Unsupported as Sn, ActionPayload_Progress as Sr, IServeConnectionStateOptions as St, IActionProgress_Percentage as T, TOnResolveAnyIncomingActionData as Tn, IRuntimeFullCoordinates as Tr, IDuplexAcceptorCarrier as Tt, ExchangeAcceptor as U, EHandshakeMessageType as Un, TInferActionError as Ur, acceptChannelConnections as Ut, decodeExchangeRequest as V, ISecureAcceptorHandlerOptions as Vn, ActionSchema as Vr, TChannelPushHandlers as Vt, IExchangeAcceptorConfig as W, ESecurityLevel as Wn, actionSchema as Wr, connectChannel as Wt, TCarrierFetch as X, IServerHandshakeConfig as Xn, IDuplexCarrierSource as Xt, IHttpCarrierRequest as Y, IHandshakeResult as Yn, IDuplexCarrier as Yt, httpCarrier as Z, THandshakeMessage as Zn, IExchangeCarrier as Zt, IActionPayload_Data_Base as _, ITransportRouteInfo as _n, IRunningActionUpdate_Success as _r, TServeHostOptions as _t, TAcceptorConnectionCaseFn as a, ETransportStatus as an, ActionLocalHandler as ar, err_nice_transport_ws as at, IActionPayload_Request_JsonObject as b, ITransportStatusInfo_Initializing as bn, TRunningActionUpdateListener as br, IConnectionContext as bt, createAcceptorHandler as c, IActionTransportReady as cn, createActionRootDomain as cr, IRtcDataChannelLike as ct, ActionCore as d, IActionTransportResolvers as dn, ERunningActionFinishedType as dr, inMemoryCarrier as dt, TFrame$1 as en, createServerHandshake as er, IWsCarrierOptions as et, ActionPayload_Request as f, ISecureClientConfig as fn, ERunningActionState as fr, IInMemoryChannelPair as ft, IActionPayload_Base_JsonObject as g, ITransportRouteClientParams as gn, IRunningActionUpdate_Started as gr, IChannelHostAdapter as gt, IActionPayload_Base as h, ITransportRouteActionParams as hn, IRunningActionUpdate_Progress as hr, err_nice_external_client as ht, TAcceptorCaseFn as i, ETransportShape as in, runtimeLinkId as ir, EErrId_NiceTransport_WebSocket as it, isActionPayload_Result_JsonObject as j, TSendActionDataMethod as jn, IActionDomain as jr, createHibernatableWsServerAdapter as jt, TActionProgress as k, TOnResolveIncomingResponse as kn, IActionCore as kr, IDuplexConnectionRouter as kt, ActionDomain as l, IActionTransportReadyData_Base as ln, ActionRootDomain as lr, rtcDataChannelByteChannel as lt, EActionProgressType as m, ITransportMethod_SendActionData_Input as mn, IRunningActionUpdate_Abort as mr, createInMemoryChannelPair as mt, IAcceptorConnectionBinding as n, createConnectorHandler as nn, decodeHandshakeMessage as nr, IWsAcceptorCarrierOptions as nt, TActionChannelFormatMessage as o, IActionTransportDef as on, createLocalHandler as or, IRtcCarrierOptions as ot, EActionPayloadType as p, ITransportDispatchAction as pn, ERunningActionUpdateType as pr, IInMemoryServerEndpoint as pt, err_nice_transport as q, IClientVerifyKeyResolver as qn, TTransportedValue as qr, createBinaryWireSessionFactory as qt, IAcceptorHandlerOptions as r, PeerLinkHandler as rn, encodeHandshakeMessage as rr, wsAcceptorCarrier as rt, TActionConnectionEncoding as s, IActionTransportInitialized as sn, MaybePromise as sr, rtcCarrier as st, AcceptorHandler as t, ConnectorHandler as tn, createStorageTofuVerifyKeyResolver as tr, wsCarrier as tt, ActionRuntime as u, IActionTransportReadyData_Methods as un, RunningAction as ur, IInMemoryCarrier as ut, IActionPayload_Progress as v, ITransportStatusInfo_Base as vn, TRunningActionUpdate as vr, serveHost as vt, IActionProgress_None as w, TGetTransportFn as wn, IRuntimeCoordinateSpecifics as wr, IAcceptorAttachmentStore as wt, IActionPayload_Result as x, ITransportStatusInfo_Ready as xn, ActionPayload_Result as xr, IServeChannelOptions as xt, IActionPayload_Progress_JsonObject as y, ITransportStatusInfo_Failed as yn, TRunningActionUpdateFinished as yr, IChannelServer as yt, TExchangeRequest as z, ITransportConnectionContext as zn, TPossibleDomainId as zr, IConnectTransport as zt };
+//# sourceMappingURL=AcceptorHandler-Du292dpC.d.cts.map

package/build/{ActionDevtoolsCore-37JP4bOG.d.cts → ActionDevtoolsCore-DGwzONZT.d.mts}

@@ -1,4 +1,4 @@
-import { hr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-CxD0c1BE.cjs";
+import { Cr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-CLbwu2Pa.mjs";
 //#region ../nice-devtools-shared/src/components/PanelChrome.d.ts
 /** Where a devtools panel is docked. */
 type TDevtoolsPosition = "dock-bottom" | "dock-top" | "dock-left" | "dock-right";
@@ -76,4 +76,4 @@ declare class ActionDevtoolsCore {
 }
 //#endregion
 export { TDevtoolsActionStatus as a, IDevtoolsObservableDomain as i, IActionDevtoolsCoreOptions as n, TDevtoolsListener as o, IDevtoolsActionEntry as r, TDevtoolsPosition as s, ActionDevtoolsCore as t };
-//# sourceMappingURL=ActionDevtoolsCore-37JP4bOG.d.cts.map
+//# sourceMappingURL=ActionDevtoolsCore-DGwzONZT.d.mts.map

package/build/{ActionDevtoolsCore-Cgq-go1R.d.mts → ActionDevtoolsCore-dH4K4w3B.d.cts}

@@ -1,4 +1,4 @@
-import { hr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-11-QMdx2.mjs";
+import { Cr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-Du292dpC.cjs";
 //#region ../nice-devtools-shared/src/components/PanelChrome.d.ts
 /** Where a devtools panel is docked. */
 type TDevtoolsPosition = "dock-bottom" | "dock-top" | "dock-left" | "dock-right";
@@ -76,4 +76,4 @@ declare class ActionDevtoolsCore {
 }
 //#endregion
 export { TDevtoolsActionStatus as a, IDevtoolsObservableDomain as i, IActionDevtoolsCoreOptions as n, TDevtoolsListener as o, IDevtoolsActionEntry as r, TDevtoolsPosition as s, ActionDevtoolsCore as t };
-//# sourceMappingURL=ActionDevtoolsCore-Cgq-go1R.d.mts.map
+//# sourceMappingURL=ActionDevtoolsCore-dH4K4w3B.d.cts.map

package/build/advanced/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_createHibernatableWsServerAdapter = require("../createHibernatableWsServerAdapter-BNi4k9j3.cjs");
+const require_createHibernatableWsServerAdapter = require("../createHibernatableWsServerAdapter-j96U9vgo.cjs");
 let msgpackr = require("msgpackr");
 //#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.ts
 /**

package/build/advanced/index.d.cts

@@ -1,52 +1,6 @@
-import { $t as IActionTransportInitialized, An as TransportConnection, Bn as IHandshakeEncryptionKeyMaterial, Bt as IActionWireFormat, Cn as TSendActionDataMethod, Ct as createHibernatableWsServerAdapter, Dn as TTransportStatusInfo, Dt as createConnectionStateStore, En as TTransportInitializationFinishedInfo, Et as IConnectionStateStoreOptions, Fn as EHandshakeMessageType, Hn as IServerHandshakeConfig, In as ESecurityLevel, Jn as decodeHandshakeMessage, Jt as createConnectorHandler, Kn as createServerHandshake, Ln as IClientHandshakeConfig, Mn as Transport, Nn as ISecureAcceptorHandlerOptions, O as TActionPayload_Any_JsonObject, On as TTransportStatusInfo_GetTransport_Output, Pn as createSecureAcceptorHandler, Qt as IActionTransportDef, Rt as IBinaryWireSessionOptions, Sn as TOnResolveIncomingResponseJson, St as IHibernatableWsServerAdapterOptions, Tn as TTransportCache, Tt as IConnectionAttachment, Un as THandshakeMessage, Ut as IExchangeCarrier, Vn as IHandshakeResult, Vt as IDuplexCarrier, Wn as createClientHandshake, Xt as ETransportShape, Yn as encodeHandshakeMessage, Yt as PeerLinkHandler, Zt as ETransportStatus, _n as TOnResolveAnyIncomingActionData, a as TAcceptorConnectionCaseFn, an as ITransportDispatchAction, bn as TOnResolveIncomingRequestJson, c as createAcceptorHandler, cn as ITransportRouteClientParams, dn as ITransportStatusInfo_Failed, en as IActionTransportReady, fn as ITransportStatusInfo_Initializing, gn as TGetTransportFn, hn as IUpdateActionRunConfig_Output, hr as IRuntimeCoordinate, i as TAcceptorCaseFn, in as ISecureClientConfig, jn as ITransportConnectionContext, kn as TUpdateActionRunConfig, l as ActionDomain, ln as ITransportRouteInfo, mn as ITransportStatusInfo_Unsupported, n as IAcceptorConnectionBinding, nn as IActionTransportReadyData_Methods, o as TActionChannelFormatMessage, on as ITransportMethod_SendActionData_Input, pn as ITransportStatusInfo_Ready, qt as ConnectorHandler, r as IAcceptorHandlerOptions, rn as IActionTransportResolvers, s as TActionConnectionEncoding, sn as ITransportRouteActionParams, t as AcceptorHandler, tn as IActionTransportReadyData_Base, u as ActionRuntime, un as ITransportStatusInfo_Base, vn as TOnResolveAnyIncomingActionData_Json, wn as TSendReturnDataMethod, wt as ConnectionStateStore, xn as TOnResolveIncomingResponse, xt as IDuplexConnectionRouter, yn as TOnResolveIncomingRequest, zn as IClientVerifyKeyResolver, zt as createBinaryWireSessionFactory } from "../AcceptorHandler-CxD0c1BE.cjs";
-import { ClientCryptoKeyLink, TTypeAndId } from "@nice-code/util";
+import { An as TOnResolveIncomingResponseJson, At as IHibernatableWsServerAdapterOptions, B as decodeExchangeReply, Bn as Transport, Cn as IUpdateActionRunConfig_Output, Dn as TOnResolveIncomingRequest, En as TOnResolveAnyIncomingActionData_Json, Fn as TTransportStatusInfo, Ft as createConnectionStateStore, G as IExchangeAcceptorSecurity, Gn as IClientHandshakeConfig, H as encodeExchange, Hn as createSecureAcceptorHandler, In as TTransportStatusInfo_GetTransport_Output, Jn as IHandshakeEncryptionKeyMaterial, Jt as IActionWireFormat, Kt as IBinaryWireSessionOptions, Ln as TUpdateActionRunConfig, Mn as TSendReturnDataMethod, Mt as ConnectionStateStore, Nn as TTransportCache, Nt as IConnectionAttachment, On as TOnResolveIncomingRequestJson, Pn as TTransportInitializationFinishedInfo, Pt as IConnectionStateStoreOptions, Qn as createClientHandshake, R as TExchangeReply, Rn as TransportConnection, Sn as ITransportStatusInfo_Unsupported, Tn as TOnResolveAnyIncomingActionData, U as ExchangeAcceptor, Un as EHandshakeMessageType, V as decodeExchangeRequest, Vn as ISecureAcceptorHandlerOptions, W as IExchangeAcceptorConfig, Xn as IServerHandshakeConfig, Yn as IHandshakeResult, Yt as IDuplexCarrier, Zn as THandshakeMessage, Zt as IExchangeCarrier, _n as ITransportRouteInfo, a as TAcceptorConnectionCaseFn, an as ETransportStatus, bn as ITransportStatusInfo_Initializing, c as createAcceptorHandler, cn as IActionTransportReady, dn as IActionTransportResolvers, er as createServerHandshake, fn as ISecureClientConfig, gn as ITransportRouteClientParams, hn as ITransportRouteActionParams, i as TAcceptorCaseFn, in as ETransportShape, jn as TSendActionDataMethod, jt as createHibernatableWsServerAdapter, kn as TOnResolveIncomingResponse, kt as IDuplexConnectionRouter, l as ActionDomain, ln as IActionTransportReadyData_Base, mn as ITransportMethod_SendActionData_Input, n as IAcceptorConnectionBinding, nn as createConnectorHandler, nr as decodeHandshakeMessage, o as TActionChannelFormatMessage, on as IActionTransportDef, pn as ITransportDispatchAction, qt as createBinaryWireSessionFactory, r as IAcceptorHandlerOptions, rn as PeerLinkHandler, rr as encodeHandshakeMessage, s as TActionConnectionEncoding, sn as IActionTransportInitialized, t as AcceptorHandler, tn as ConnectorHandler, u as ActionRuntime, un as IActionTransportReadyData_Methods, vn as ITransportStatusInfo_Base, wn as TGetTransportFn, xn as ITransportStatusInfo_Ready, yn as ITransportStatusInfo_Failed, z as TExchangeRequest, zn as ITransportConnectionContext } from "../AcceptorHandler-Du292dpC.cjs";
+import { ClientCryptoKeyLink } from "@nice-code/util";
 
-//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.d.ts
-/** Acceptor secure config for the exchange (HTTP) endpoint — same identity an `AcceptorHandler` uses. */
-interface IExchangeAcceptorSecurity {
-  /** This acceptor's crypto identity (verify + exchange key pairs, optionally persisted). */
-  link: ClientCryptoKeyLink;
-  /** This acceptor's coordinate — its identity to clients during the handshake. */
-  localCoordinate: IRuntimeCoordinate;
-  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
-  dictionaryVersion: string;
-  /** Accepted level(s) — a single level is strict, an array is a negotiable allowed set. */
-  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
-  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
-}
-interface IExchangeAcceptorConfig {
-  security: IExchangeAcceptorSecurity;
-  /** The runtime that executes an inbound action wire and produces its result. */
-  runtime: ActionRuntime;
-}
-/**
- * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
- * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
- * acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
- * requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
- * POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
- * and returns the (encrypted) result inline as the reply.
- *
- * Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
- * Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
- * same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
- */
-declare class ExchangeAcceptor {
-  private readonly _security;
-  private readonly _runtime;
-  private readonly _allowedLevels;
-  private readonly _noneAllowed;
-  private readonly _pendingHandshakes;
-  private readonly _sessions;
-  constructor(config: IExchangeAcceptorConfig);
-  /** Process one POST body (an exchange envelope), returning the reply body to send back. */
-  handlePost(body: string): Promise<string>;
-  private _handleHandshake;
-  private _handleAction;
-  private _err;
-}
-//#endregion
 //#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.d.ts
 interface IActionFetchHandlerOptions {
   /**
@@ -145,16 +99,22 @@ interface IActionFrameCrypto {
 }
 interface IActionFrameCryptoConfig {
   link: ClientCryptoKeyLink;
-  /** The handshake-established link id for the remote (key + connection-registry id). */
-  linkedClientId: TTypeAndId;
+  /**
+   * This session's handshake key material. The shared AES-GCM key is derived from it **once** and held
+   * for the life of the connection — it is NOT re-read per frame from the link's per-`linkedClientId`
+   * cache, so a second secure session to the same peer (e.g. a secure HTTP exchange beside a secure
+   * WebSocket, both sharing one DO crypto identity) can't overwrite this connection's key.
+   */
+  keyMaterial: IHandshakeEncryptionKeyMaterial;
 }
 /**
  * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
- * level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+ * level. The shared key is derived once from {@link IActionFrameCryptoConfig.keyMaterial} and captured
+ * for this connection alone, decoupling it from the link's shared key cache.
  */
 declare function createActionFrameCrypto({
   link,
-  linkedClientId
+  keyMaterial
 }: IActionFrameCryptoConfig): IActionFrameCrypto;
 //#endregion
 //#region src/ActionRuntime/Transport/Exchange/TransportExchange.types.d.ts
@@ -291,54 +251,5 @@ declare class LinkTransport extends Transport<ETransportShape.duplex> {
   getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
 }
 //#endregion
-//#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.d.ts
-/**
- * The application-level envelope for secure action traffic over an {@link IExchangeCarrier} (HTTP). An
- * exchange carrier only moves one request frame → one reply frame with no unsolicited push, so the
- * handshake and the per-action token + crypto all ride in this envelope (a JSON string body) rather than
- * on a persistent channel. The three security levels share it:
- *
- * - `none` — no handshake, no token: an `act` envelope carries the plaintext wire both ways.
- * - `authenticated` — a one-time handshake yields a session `token`; each later `act` carries it +
- *   the plaintext wire.
- * - `encrypted` — same, but the wire is AES-GCM ciphertext, base64 in the `c` field.
- *
- * The handshake runs as two `hs` exchanges (hello→welcome, prove→accept) correlated by a client-chosen
- * `hsid`, since stateless requests can't rely on channel ordering. The `accept` reply carries the token.
- */
-type TWireJson = TActionPayload_Any_JsonObject<any, any>;
-/** Connector → acceptor request envelope. */
-type TExchangeRequest = {
-  k: "hs";
-  hsid: string;
-  m: string;
-} | {
-  k: "act";
-  t?: string;
-  w: TWireJson;
-} | {
-  k: "act";
-  t?: string;
-  c: string;
-};
-/** Acceptor → connector reply envelope. */
-type TExchangeReply = {
-  k: "hs";
-  m: string;
-  t?: string;
-} | {
-  k: "act";
-  w: TWireJson;
-} | {
-  k: "act";
-  c: string;
-} | {
-  k: "err";
-  message: string;
-};
-declare function encodeExchange(envelope: TExchangeRequest | TExchangeReply): string;
-declare function decodeExchangeRequest(raw: string): TExchangeRequest | undefined;
-declare function decodeExchangeReply(raw: string): TExchangeReply | undefined;
-//#endregion
 export { AcceptorHandler, ConnectionStateStore, ConnectorHandler, EHandshakeMessageType, ETransportShape, ETransportStatus, ExchangeAcceptor, ExchangeTransport, type IAcceptorConnectionBinding, type IAcceptorHandlerOptions, type IActionFetchHandlerOptions, type IActionFrameCrypto, type IActionFrameCryptoConfig, IActionTransportDef, IActionTransportInitialized, IActionTransportReady, IActionTransportReadyData_Base, type IActionTransportReadyData_Exchange, type IActionTransportReadyData_Link, IActionTransportReadyData_Methods, IActionTransportResolvers, type IActionWireFormat, type IBinaryWireSessionOptions, type IClientHandshakeConfig, type IConnectionAttachment, type IConnectionStateStoreOptions, type IDuplexConnectionRouter, type IExchangeAcceptorConfig, type IExchangeAcceptorSecurity, type IExchangeTransportOptions, type IHandshakeEncryptionKeyMaterial, type IHandshakeResult, type IHibernatableWsServerAdapterOptions, type ILinkTransportOptions, type ISecureAcceptorHandlerOptions, ISecureClientConfig, type IServerHandshakeConfig, type ITransportConnectionContext, ITransportDispatchAction, ITransportMethod_SendActionData_Input, ITransportRouteActionParams, ITransportRouteClientParams, ITransportRouteInfo, ITransportStatusInfo_Base, ITransportStatusInfo_Failed, ITransportStatusInfo_Initializing, ITransportStatusInfo_Ready, ITransportStatusInfo_Unsupported, IUpdateActionRunConfig_Output, LinkTransport, PeerLinkHandler, type TAcceptorCaseFn, type TAcceptorConnectionCaseFn, type TActionChannelFormatMessage, type TActionConnectionEncoding, type TExchangeReply, type TExchangeRequest, TGetTransportFn, type THandshakeMessage, type TLinkFormatMessage, TOnResolveAnyIncomingActionData, TOnResolveAnyIncomingActionData_Json, TOnResolveIncomingRequest, TOnResolveIncomingRequestJson, TOnResolveIncomingResponse, TOnResolveIncomingResponseJson, TSendActionDataMethod, TSendReturnDataMethod, TTransportCache, TTransportInitializationFinishedInfo, TTransportStatusInfo, TTransportStatusInfo_GetTransport_Output, TUpdateActionRunConfig, Transport, createAcceptorHandler, createActionFetchHandler, createActionFrameCrypto, createBinaryWireAdapter, createBinaryWireSessionFactory, createClientHandshake, createConnectionStateStore, createConnectorHandler, createHibernatableWsServerAdapter, createSecureAcceptorHandler, createServerHandshake, decodeExchangeReply, decodeExchangeRequest, decodeHandshakeMessage, encodeExchange, encodeHandshakeMessage };
 //# sourceMappingURL=index.d.cts.map

package/build/advanced/index.d.mts

@@ -1,52 +1,6 @@
-import { $t as IActionTransportInitialized, An as TransportConnection, Bn as IHandshakeEncryptionKeyMaterial, Bt as IActionWireFormat, Cn as TSendActionDataMethod, Ct as createHibernatableWsServerAdapter, Dn as TTransportStatusInfo, Dt as createConnectionStateStore, En as TTransportInitializationFinishedInfo, Et as IConnectionStateStoreOptions, Fn as EHandshakeMessageType, Hn as IServerHandshakeConfig, In as ESecurityLevel, Jn as decodeHandshakeMessage, Jt as createConnectorHandler, Kn as createServerHandshake, Ln as IClientHandshakeConfig, Mn as Transport, Nn as ISecureAcceptorHandlerOptions, O as TActionPayload_Any_JsonObject, On as TTransportStatusInfo_GetTransport_Output, Pn as createSecureAcceptorHandler, Qt as IActionTransportDef, Rt as IBinaryWireSessionOptions, Sn as TOnResolveIncomingResponseJson, St as IHibernatableWsServerAdapterOptions, Tn as TTransportCache, Tt as IConnectionAttachment, Un as THandshakeMessage, Ut as IExchangeCarrier, Vn as IHandshakeResult, Vt as IDuplexCarrier, Wn as createClientHandshake, Xt as ETransportShape, Yn as encodeHandshakeMessage, Yt as PeerLinkHandler, Zt as ETransportStatus, _n as TOnResolveAnyIncomingActionData, a as TAcceptorConnectionCaseFn, an as ITransportDispatchAction, bn as TOnResolveIncomingRequestJson, c as createAcceptorHandler, cn as ITransportRouteClientParams, dn as ITransportStatusInfo_Failed, en as IActionTransportReady, fn as ITransportStatusInfo_Initializing, gn as TGetTransportFn, hn as IUpdateActionRunConfig_Output, hr as IRuntimeCoordinate, i as TAcceptorCaseFn, in as ISecureClientConfig, jn as ITransportConnectionContext, kn as TUpdateActionRunConfig, l as ActionDomain, ln as ITransportRouteInfo, mn as ITransportStatusInfo_Unsupported, n as IAcceptorConnectionBinding, nn as IActionTransportReadyData_Methods, o as TActionChannelFormatMessage, on as ITransportMethod_SendActionData_Input, pn as ITransportStatusInfo_Ready, qt as ConnectorHandler, r as IAcceptorHandlerOptions, rn as IActionTransportResolvers, s as TActionConnectionEncoding, sn as ITransportRouteActionParams, t as AcceptorHandler, tn as IActionTransportReadyData_Base, u as ActionRuntime, un as ITransportStatusInfo_Base, vn as TOnResolveAnyIncomingActionData_Json, wn as TSendReturnDataMethod, wt as ConnectionStateStore, xn as TOnResolveIncomingResponse, xt as IDuplexConnectionRouter, yn as TOnResolveIncomingRequest, zn as IClientVerifyKeyResolver, zt as createBinaryWireSessionFactory } from "../AcceptorHandler-11-QMdx2.mjs";
-import { ClientCryptoKeyLink, TTypeAndId } from "@nice-code/util";
+import { An as TOnResolveIncomingResponseJson, At as IHibernatableWsServerAdapterOptions, B as decodeExchangeReply, Bn as Transport, Cn as IUpdateActionRunConfig_Output, Dn as TOnResolveIncomingRequest, En as TOnResolveAnyIncomingActionData_Json, Fn as TTransportStatusInfo, Ft as createConnectionStateStore, G as IExchangeAcceptorSecurity, Gn as IClientHandshakeConfig, H as encodeExchange, Hn as createSecureAcceptorHandler, In as TTransportStatusInfo_GetTransport_Output, Jn as IHandshakeEncryptionKeyMaterial, Jt as IActionWireFormat, Kt as IBinaryWireSessionOptions, Ln as TUpdateActionRunConfig, Mn as TSendReturnDataMethod, Mt as ConnectionStateStore, Nn as TTransportCache, Nt as IConnectionAttachment, On as TOnResolveIncomingRequestJson, Pn as TTransportInitializationFinishedInfo, Pt as IConnectionStateStoreOptions, Qn as createClientHandshake, R as TExchangeReply, Rn as TransportConnection, Sn as ITransportStatusInfo_Unsupported, Tn as TOnResolveAnyIncomingActionData, U as ExchangeAcceptor, Un as EHandshakeMessageType, V as decodeExchangeRequest, Vn as ISecureAcceptorHandlerOptions, W as IExchangeAcceptorConfig, Xn as IServerHandshakeConfig, Yn as IHandshakeResult, Yt as IDuplexCarrier, Zn as THandshakeMessage, Zt as IExchangeCarrier, _n as ITransportRouteInfo, a as TAcceptorConnectionCaseFn, an as ETransportStatus, bn as ITransportStatusInfo_Initializing, c as createAcceptorHandler, cn as IActionTransportReady, dn as IActionTransportResolvers, er as createServerHandshake, fn as ISecureClientConfig, gn as ITransportRouteClientParams, hn as ITransportRouteActionParams, i as TAcceptorCaseFn, in as ETransportShape, jn as TSendActionDataMethod, jt as createHibernatableWsServerAdapter, kn as TOnResolveIncomingResponse, kt as IDuplexConnectionRouter, l as ActionDomain, ln as IActionTransportReadyData_Base, mn as ITransportMethod_SendActionData_Input, n as IAcceptorConnectionBinding, nn as createConnectorHandler, nr as decodeHandshakeMessage, o as TActionChannelFormatMessage, on as IActionTransportDef, pn as ITransportDispatchAction, qt as createBinaryWireSessionFactory, r as IAcceptorHandlerOptions, rn as PeerLinkHandler, rr as encodeHandshakeMessage, s as TActionConnectionEncoding, sn as IActionTransportInitialized, t as AcceptorHandler, tn as ConnectorHandler, u as ActionRuntime, un as IActionTransportReadyData_Methods, vn as ITransportStatusInfo_Base, wn as TGetTransportFn, xn as ITransportStatusInfo_Ready, yn as ITransportStatusInfo_Failed, z as TExchangeRequest, zn as ITransportConnectionContext } from "../AcceptorHandler-CLbwu2Pa.mjs";
+import { ClientCryptoKeyLink } from "@nice-code/util";
 
-//#region src/ActionRuntime/Transport/SecureSession/exchangeAcceptor.d.ts
-/** Acceptor secure config for the exchange (HTTP) endpoint — same identity an `AcceptorHandler` uses. */
-interface IExchangeAcceptorSecurity {
-  /** This acceptor's crypto identity (verify + exchange key pairs, optionally persisted). */
-  link: ClientCryptoKeyLink;
-  /** This acceptor's coordinate — its identity to clients during the handshake. */
-  localCoordinate: IRuntimeCoordinate;
-  /** Wire dictionary version; the handshake rejects a client on a mismatch. */
-  dictionaryVersion: string;
-  /** Accepted level(s) — a single level is strict, an array is a negotiable allowed set. */
-  securityLevel: ESecurityLevel | readonly ESecurityLevel[];
-  /** Trust decision for a client's verify key (defaults to in-memory TOFU inside the handshake). */
-  verifyKeyResolver?: IClientVerifyKeyResolver;
-}
-interface IExchangeAcceptorConfig {
-  security: IExchangeAcceptorSecurity;
-  /** The runtime that executes an inbound action wire and produces its result. */
-  runtime: ActionRuntime;
-}
-/**
- * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
- * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
- * acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
- * requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
- * POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
- * and returns the (encrypted) result inline as the reply.
- *
- * Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
- * Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
- * same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
- */
-declare class ExchangeAcceptor {
-  private readonly _security;
-  private readonly _runtime;
-  private readonly _allowedLevels;
-  private readonly _noneAllowed;
-  private readonly _pendingHandshakes;
-  private readonly _sessions;
-  constructor(config: IExchangeAcceptorConfig);
-  /** Process one POST body (an exchange envelope), returning the reply body to send back. */
-  handlePost(body: string): Promise<string>;
-  private _handleHandshake;
-  private _handleAction;
-  private _err;
-}
-//#endregion
 //#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.d.ts
 interface IActionFetchHandlerOptions {
   /**
@@ -145,16 +99,22 @@ interface IActionFrameCrypto {
 }
 interface IActionFrameCryptoConfig {
   link: ClientCryptoKeyLink;
-  /** The handshake-established link id for the remote (key + connection-registry id). */
-  linkedClientId: TTypeAndId;
+  /**
+   * This session's handshake key material. The shared AES-GCM key is derived from it **once** and held
+   * for the life of the connection — it is NOT re-read per frame from the link's per-`linkedClientId`
+   * cache, so a second secure session to the same peer (e.g. a secure HTTP exchange beside a secure
+   * WebSocket, both sharing one DO crypto identity) can't overwrite this connection's key.
+   */
+  keyMaterial: IHandshakeEncryptionKeyMaterial;
 }
 /**
  * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
- * level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+ * level. The shared key is derived once from {@link IActionFrameCryptoConfig.keyMaterial} and captured
+ * for this connection alone, decoupling it from the link's shared key cache.
  */
 declare function createActionFrameCrypto({
   link,
-  linkedClientId
+  keyMaterial
 }: IActionFrameCryptoConfig): IActionFrameCrypto;
 //#endregion
 //#region src/ActionRuntime/Transport/Exchange/TransportExchange.types.d.ts
@@ -291,54 +251,5 @@ declare class LinkTransport extends Transport<ETransportShape.duplex> {
   getRouteInfo(input: ITransportRouteActionParams): ITransportRouteInfo;
 }
 //#endregion
-//#region src/ActionRuntime/Transport/SecureSession/exchangeProtocol.d.ts
-/**
- * The application-level envelope for secure action traffic over an {@link IExchangeCarrier} (HTTP). An
- * exchange carrier only moves one request frame → one reply frame with no unsolicited push, so the
- * handshake and the per-action token + crypto all ride in this envelope (a JSON string body) rather than
- * on a persistent channel. The three security levels share it:
- *
- * - `none` — no handshake, no token: an `act` envelope carries the plaintext wire both ways.
- * - `authenticated` — a one-time handshake yields a session `token`; each later `act` carries it +
- *   the plaintext wire.
- * - `encrypted` — same, but the wire is AES-GCM ciphertext, base64 in the `c` field.
- *
- * The handshake runs as two `hs` exchanges (hello→welcome, prove→accept) correlated by a client-chosen
- * `hsid`, since stateless requests can't rely on channel ordering. The `accept` reply carries the token.
- */
-type TWireJson = TActionPayload_Any_JsonObject<any, any>;
-/** Connector → acceptor request envelope. */
-type TExchangeRequest = {
-  k: "hs";
-  hsid: string;
-  m: string;
-} | {
-  k: "act";
-  t?: string;
-  w: TWireJson;
-} | {
-  k: "act";
-  t?: string;
-  c: string;
-};
-/** Acceptor → connector reply envelope. */
-type TExchangeReply = {
-  k: "hs";
-  m: string;
-  t?: string;
-} | {
-  k: "act";
-  w: TWireJson;
-} | {
-  k: "act";
-  c: string;
-} | {
-  k: "err";
-  message: string;
-};
-declare function encodeExchange(envelope: TExchangeRequest | TExchangeReply): string;
-declare function decodeExchangeRequest(raw: string): TExchangeRequest | undefined;
-declare function decodeExchangeReply(raw: string): TExchangeReply | undefined;
-//#endregion
 export { AcceptorHandler, ConnectionStateStore, ConnectorHandler, EHandshakeMessageType, ETransportShape, ETransportStatus, ExchangeAcceptor, ExchangeTransport, type IAcceptorConnectionBinding, type IAcceptorHandlerOptions, type IActionFetchHandlerOptions, type IActionFrameCrypto, type IActionFrameCryptoConfig, IActionTransportDef, IActionTransportInitialized, IActionTransportReady, IActionTransportReadyData_Base, type IActionTransportReadyData_Exchange, type IActionTransportReadyData_Link, IActionTransportReadyData_Methods, IActionTransportResolvers, type IActionWireFormat, type IBinaryWireSessionOptions, type IClientHandshakeConfig, type IConnectionAttachment, type IConnectionStateStoreOptions, type IDuplexConnectionRouter, type IExchangeAcceptorConfig, type IExchangeAcceptorSecurity, type IExchangeTransportOptions, type IHandshakeEncryptionKeyMaterial, type IHandshakeResult, type IHibernatableWsServerAdapterOptions, type ILinkTransportOptions, type ISecureAcceptorHandlerOptions, ISecureClientConfig, type IServerHandshakeConfig, type ITransportConnectionContext, ITransportDispatchAction, ITransportMethod_SendActionData_Input, ITransportRouteActionParams, ITransportRouteClientParams, ITransportRouteInfo, ITransportStatusInfo_Base, ITransportStatusInfo_Failed, ITransportStatusInfo_Initializing, ITransportStatusInfo_Ready, ITransportStatusInfo_Unsupported, IUpdateActionRunConfig_Output, LinkTransport, PeerLinkHandler, type TAcceptorCaseFn, type TAcceptorConnectionCaseFn, type TActionChannelFormatMessage, type TActionConnectionEncoding, type TExchangeReply, type TExchangeRequest, TGetTransportFn, type THandshakeMessage, type TLinkFormatMessage, TOnResolveAnyIncomingActionData, TOnResolveAnyIncomingActionData_Json, TOnResolveIncomingRequest, TOnResolveIncomingRequestJson, TOnResolveIncomingResponse, TOnResolveIncomingResponseJson, TSendActionDataMethod, TSendReturnDataMethod, TTransportCache, TTransportInitializationFinishedInfo, TTransportStatusInfo, TTransportStatusInfo_GetTransport_Output, TUpdateActionRunConfig, Transport, createAcceptorHandler, createActionFetchHandler, createActionFrameCrypto, createBinaryWireAdapter, createBinaryWireSessionFactory, createClientHandshake, createConnectionStateStore, createConnectorHandler, createHibernatableWsServerAdapter, createSecureAcceptorHandler, createServerHandshake, decodeExchangeReply, decodeExchangeRequest, decodeHandshakeMessage, encodeExchange, encodeHandshakeMessage };
 //# sourceMappingURL=index.d.mts.map