@nice-code/action 0.25.0 → 0.26.0

package/README.md

@@ -506,6 +506,11 @@ this._server = serveDurableObject(this.ctx, bridgeChannel, { runtime, httpFallba
 The matching connector points its `httpCarrier` at `/bridge/:id/action`. `pickStub` may be async (e.g. to
 resolve an id first) and receives the parsed `URL` alongside the request.
 
+This is for routing to a per-id *durable* instance (one that keeps a live WebSocket or per-instance
+state). If a secure endpoint needs **neither**, skip the DO entirely — a single stateless `serveChannel`
+route serves the exchange directly (see
+[Serving without a Durable Object](#serving-without-a-durable-object--stateless-secure-http-exchange)).
+
 > Need to handle the exchange yourself instead of handing the endpoint to `serveChannel`? The secure
 > exchange acceptor and its plain `{k:"act",w}` envelope codec are exported from the **main** entry:
 > `ExchangeAcceptor` (drive the handshake + token sessions + decrypt over your own `fetch`), and
@@ -578,6 +583,53 @@ plain HTTP fallback by giving the acceptor a `httpAcceptorCarrier({ secure: fals
 
 ---
 
+## Serving without a Durable Object — stateless secure HTTP exchange
+
+The secure HTTP exchange is **stateless**: its handshake and session ride sealed tokens (sealed under
+the server's own crypto identity), so any request can be served by any isolate. You don't need a Durable
+Object — or any sticky instance — just to keep a handshake's two POSTs together. A single secure-exchange
+acceptor is therefore just `serveChannel` over an HTTP carrier, on any backend (a plain Worker route, a
+Node handler):
+
+```ts
+// server.ts — a stateless secure-exchange endpoint (no Durable Object)
+const server = serveChannel(runtime, appChannel, {
+  clientEnv,
+  storage,                          // backs the (read-mostly) crypto identity; sessions never touch it
+  carriers: [httpAcceptorCarrier()],
+  handlers: [appHandler],
+});
+// route any action POST straight to it:
+//   app.post("/action", (req) => server.fetch(req))
+```
+
+The only thing the exchange reads from `storage` is the server's crypto identity. On a **strongly
+consistent** store (Node memory, a DO's storage, D1) the default lazy identity is fork-safe. On an
+**eventually consistent** store (Cloudflare KV) provision the identity once, up front, so a transient
+read-miss can never mint a *second* identity (which trust-on-first-use-pinned clients would then reject):
+
+```ts
+import { ClientCryptoKeyLink } from "@nice-code/util";
+
+// `required` never mints on the request path — an unprovisioned link throws IdentityNotProvisionedError
+// instead of forking a fresh identity on a storage hiccup.
+const link = new ClientCryptoKeyLink({ storageAdapter: storage, identityMode: "required" });
+await link.provisionIdentity();     // once, out-of-band (a deploy step / first boot)
+
+const server = serveChannel(runtime, appChannel, {
+  clientEnv, storage, link,         // pass the provisioned, required-mode identity
+  carriers: [httpAcceptorCarrier()],
+  handlers: [appHandler],
+});
+```
+
+> **On Cloudflare Workers**, build the server lazily on the first request (memoized), not at module
+> scope — the runtime forbids generating random ids and doing I/O in the global scope. A live WebSocket
+> still wants a Durable Object (a hibernatable socket needs a stable instance); this statelessness is for
+> the request/reply HTTP exchange.
+
+---
+
 ## Multiple carriers on one runtime
 
 `serveChannel` accepts **any number of duplex carriers** (e.g. WebSocket + WebRTC) plus at most one

package/build/{AcceptorHandler-BizUtq4u.d.mts → AcceptorHandler-CLbwu2Pa.d.mts}

@@ -781,6 +781,16 @@ declare function createInMemoryTofuVerifyKeyResolver(): IClientVerifyKeyResolver
  * Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
  * (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
  * + pin the first verify key per client identity, reject a different one thereafter.
+ *
+ * Fail-closed by construction: a thrown storage read (`getJson`) or first-pin write (`updateJsonWithDef`)
+ * propagates out of `resolve`, which makes `onProve` reject the handshake — a storage error can never be
+ * mistaken for "first use" and silently trusted. (A genuine `undefined`/absent read is the only path to
+ * a fresh pin; the underlying adapters never coerce a thrown read to `undefined`.) Keep it that way: do
+ * not wrap the storage calls in a `try/catch` that swallows the error.
+ *
+ * On an *eventually-consistent* store a stale "absent" read re-pins the **same** verify key the client
+ * just presented (it is signature-verified before this runs), so the worst case is a harmless re-write,
+ * never a weakened trust decision. Cross-isolate-strong pinning still wants a strongly-consistent store.
  */
 declare function createStorageTofuVerifyKeyResolver(storageAdapter: StorageAdapter): IClientVerifyKeyResolver;
 interface IClientHandshakeConfig {
@@ -808,11 +818,37 @@ interface IServerHandshakeConfig {
   /** Trust decision for a client's verify key. Defaults to in-memory TOFU. */
   verifyKeyResolver?: IClientVerifyKeyResolver;
 }
-declare function createServerHandshake(config: IServerHandshakeConfig): {
+/**
+ * The server handshake's in-flight state between `onHello` and `onProve` — everything `onProve` needs
+ * to verify the client's proof and settle the result. Fully serializable (all JSON / serialized-key
+ * strings), so a stateless server can {@link IServerHandshake.exportPending} it after `hello`, carry it
+ * across requests (e.g. sealed into a continuation token), and {@link IServerHandshake.restorePending}
+ * it on a *different* instance before `prove` — no in-memory handshake to co-locate. The `serverNonce`
+ * is already folded into `challenge`, so it need not be carried separately.
+ */
+interface IServerHandshakePending {
+  client: IRuntimeCoordinate;
+  linkedClientId: TTypeAndId;
+  challenge: string;
+  clientVerifyKey: TSerializedCryptoKeyData_Ed25519_Raw;
+  negotiatedLevel: ESecurityLevel;
+  keyMaterial?: IHandshakeEncryptionKeyMaterial;
+}
+interface IServerHandshake {
   onHello(hello: THsHello): Promise<THsWelcome | THsReject>;
-  onProve(prove: THsProve): Promise<THsAccept | THsReject>; /** The completed handshake result once `onProve` has accepted, else `undefined`. */
+  onProve(prove: THsProve): Promise<THsAccept | THsReject>;
   getResult(): IHandshakeResult | undefined;
-};
+  /** The serializable in-flight state after `onHello` (else `undefined`). See {@link IServerHandshakePending}. */
+  exportPending(): IServerHandshakePending | undefined;
+  /**
+   * Restore exported `pending` onto a *fresh* handshake instance so `onProve` can run without the
+   * `onHello` that produced it (the stateless / cross-instance path). Re-links the client's verify key
+   * — `onHello`'s `linkClient` was in-memory only and won't exist on this instance — so the signature
+   * check in `onProve` succeeds. Build the instance with the same `config` (identity link + coordinate).
+   */
+  restorePending(pending: IServerHandshakePending): Promise<void>;
+}
+declare function createServerHandshake(config: IServerHandshakeConfig): IServerHandshake;
 //#endregion
 //#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.d.ts
 interface ISecureAcceptorHandlerOptions<TConn> {
@@ -1847,6 +1883,14 @@ interface IServeChannelOptions<TO_ACCEPTOR extends readonly ActionDomain<any>[],
    *
    * Required only when at least one carrier is secure (the default). A fully-plain server (every carrier
    * `secure: false`) needs no storage and may omit it.
+   *
+   * The secure HTTP exchange is stateless — its handshake + session ride sealed tokens, so it touches
+   * this store only for the (read-mostly) identity, never per session. That lets a single secure-exchange
+   * server (`carriers: [httpAcceptorCarrier()]`) run on a stateless Worker/Node backend with no Durable
+   * Object. On a *strongly-consistent* store (DO storage, D1, Node memory) the default lazy identity is
+   * fork-safe. On an *eventually-consistent* store (Cloudflare KV) pass an explicit {@link link} built
+   * with `identityMode: "required"` and `provisionIdentity()` it once out-of-band, so a transient read
+   * miss can never fork a second identity (which pinned clients would then permanently reject).
    */
   storage?: StorageAdapter;
   /**
@@ -2287,29 +2331,39 @@ interface IExchangeAcceptorConfig {
   security: IExchangeAcceptorSecurity;
   /** The runtime that executes an inbound action wire and produces its result. */
   runtime: ActionRuntime;
+  /**
+   * How long a minted session ticket stays valid (ms). After it expires the client's next action is
+   * rejected and it must re-handshake. Defaults to 12h — long enough for an ordinary session's life,
+   * since a sealed ticket carries no server state to revoke before then. Keep it shorter for a more
+   * tightly time-boxed session.
+   */
+  sessionTtlMs?: number;
 }
 /**
  * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
  * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
- * acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
- * requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
- * POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
- * and returns the (encrypted) result inline as the reply.
+ * acceptor drives the server handshake over the two `hs` POSTs, mints a session **token** on accept, and
+ * on every later `act` POST resolves the session by token, decrypts the body (at `encrypted`), routes it
+ * through the runtime, and returns the (encrypted) result inline as the reply.
  *
- * Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
- * Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
- * same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+ * **Stateless.** It holds no in-memory handshakes or sessions: the in-flight handshake `pending` is
+ * sealed into the `hsc` continuation token returned on `welcome` and echoed back on `prove`, and the live
+ * session is sealed into the `t` token replayed on every `act`. Both are sealed under the acceptor's own
+ * persisted identity ({@link createExchangeTicketSealer}), so any isolate that loaded the same identity
+ * can serve any POST — no request needs to co-locate with another (no Durable Object required just to
+ * pin a handshake to one instance). A tampered, wrong-key, or expired token opens to "no valid session".
  */
 declare class ExchangeAcceptor {
   private readonly _security;
   private readonly _runtime;
   private readonly _allowedLevels;
   private readonly _noneAllowed;
-  private readonly _pendingHandshakes;
-  private readonly _sessions;
+  private readonly _sealer;
+  private readonly _sessionTtlMs;
   constructor(config: IExchangeAcceptorConfig);
   /** Process one POST body (an exchange envelope), returning the reply body to send back. */
   handlePost(body: string): Promise<string>;
+  private _makeHandshake;
   private _handleHandshake;
   private _handleAction;
   private _err;
@@ -2327,15 +2381,18 @@ declare class ExchangeAcceptor {
  *   the plaintext wire.
  * - `encrypted` — same, but the wire is AES-GCM ciphertext, base64 in the `c` field.
  *
- * The handshake runs as two `hs` exchanges (hello→welcome, prove→accept) correlated by a client-chosen
- * `hsid`, since stateless requests can't rely on channel ordering. The `accept` reply carries the token.
+ * The handshake runs as two `hs` exchanges (hello→welcome, prove→accept). The acceptor keeps **no**
+ * in-flight state between them: the `welcome` reply carries a sealed handshake-continuation token `hsc`
+ * (the acceptor's `pending` state, opaque to the client), which the connector echoes on the `prove`
+ * request. The `accept` reply then carries the (sealed) session `t`oken replayed on every later `act`.
+ * All server-side continuity rides these sealed tokens, so no request needs to co-locate with another.
  */
 type TWireJson = TActionPayload_Any_JsonObject<any, any>;
 /** Connector → acceptor request envelope. */
 type TExchangeRequest = {
   k: "hs";
-  hsid: string;
   m: string;
+  hsc?: string;
 } | {
   k: "act";
   t?: string;
@@ -2349,6 +2406,7 @@ type TExchangeRequest = {
 type TExchangeReply = {
   k: "hs";
   m: string;
+  hsc?: string;
   t?: string;
 } | {
   k: "act";
@@ -3097,4 +3155,4 @@ declare class AcceptorHandler<TConn = unknown> extends PeerLinkHandler {
 declare const createAcceptorHandler: <TConn = unknown>(options: IAcceptorHandlerOptions<TConn>) => AcceptorHandler<TConn>;
 //#endregion
 export { httpAcceptorCarrier as $, createInMemoryTofuVerifyKeyResolver as $n, TCarrier as $t, TActionResultOutcome as A, TOnResolveIncomingResponseJson as An, IActionCore_JsonObject as Ar, IHibernatableWsServerAdapterOptions as At, decodeExchangeReply as B, Transport as Bn, TPossibleDomainIdList as Br, TChannelAcceptorCases as Bt, IActionProgress_Custom as C, IUpdateActionRunConfig_Output as Cn, IRuntimeCoordinate as Cr, serveChannel as Ct, TActionPayload_Any_Instance as D, TOnResolveIncomingRequest as Dn, TRuntimeCoordinateEnvId as Dr, TAcceptorCarrier as Dt, IActionRouteItemHandler as E, TOnResolveAnyIncomingActionData_Json as En, RuntimeCoordinate as Er, IExchangeAcceptorCarrier as Et, decodeActionFrame as F, TTransportStatusInfo as Fn, TActionDomainSchema as Fr, createConnectionStateStore as Ft, IExchangeAcceptorSecurity as G, IClientHandshakeConfig as Gn, TActionSchemaOptions as Gr, defineChannel as Gt, encodeExchange as H, createSecureAcceptorHandler as Hn, EActionResponseMode as Hr, acceptChannel as Ht, EErrId_NiceAction as I, TTransportStatusInfo_GetTransport_Output as In, TDomainActionId as Ir, IAcceptChannelOptions as It, IHttpCarrierOptions as J, IHandshakeEncryptionKeyMaterial as Jn, IActionWireFormat as Jt, EErrId_NiceTransport as K, IClientVerifyKeyResolveInput as Kn, TActionSerializationDefinition as Kr, IBinaryWireSessionOptions as Kt, err_nice_action as L, TUpdateActionRunConfig as Ln, TInferInputFromSchema as Lr, IActionChannel as Lt, isActionPayload_Request_JsonObject as M, TSendReturnDataMethod as Mn, IActionDomainChildOptions as Mr, ConnectionStateStore as Mt, isActionPayload_Any_JsonObject as N, TTransportCache as Nn, IActionRootDomain as Nr, IConnectionAttachment as Nt, TActionPayload_Any_JsonObject as O, TOnResolveIncomingRequestJson as On, TRuntimeCoordinateStringId as Or, isExchangeAcceptorCarrier as Ot, IActionFrameDecoder as P, TTransportInitializationFinishedInfo as Pn, TActionDomainChildDef as Pr, IConnectionStateStoreOptions as Pt, IHttpAcceptorCarrierOptions as Q, createClientHandshake as Qn, IExchangeCarrierSource as Qt, TExchangeReply as R, TransportConnection as Rn, TInferOutputFromSchema as Rr, IConnectChannelOptions as Rt, IActionPayload_Result_JsonObject as S, ITransportStatusInfo_Unsupported as Sn, ActionPayload_Progress as Sr, IServeConnectionStateOptions as St, IActionProgress_Percentage as T, TOnResolveAnyIncomingActionData as Tn, IRuntimeFullCoordinates as Tr, IDuplexAcceptorCarrier as Tt, ExchangeAcceptor as U, EHandshakeMessageType as Un, TInferActionError as Ur, acceptChannelConnections as Ut, decodeExchangeRequest as V, ISecureAcceptorHandlerOptions as Vn, ActionSchema as Vr, TChannelPushHandlers as Vt, IExchangeAcceptorConfig as W, ESecurityLevel as Wn, actionSchema as Wr, connectChannel as Wt, TCarrierFetch as X, IServerHandshakeConfig as Xn, IDuplexCarrierSource as Xt, IHttpCarrierRequest as Y, IHandshakeResult as Yn, IDuplexCarrier as Yt, httpCarrier as Z, THandshakeMessage as Zn, IExchangeCarrier as Zt, IActionPayload_Data_Base as _, ITransportRouteInfo as _n, IRunningActionUpdate_Success as _r, TServeHostOptions as _t, TAcceptorConnectionCaseFn as a, ETransportStatus as an, ActionLocalHandler as ar, err_nice_transport_ws as at, IActionPayload_Request_JsonObject as b, ITransportStatusInfo_Initializing as bn, TRunningActionUpdateListener as br, IConnectionContext as bt, createAcceptorHandler as c, IActionTransportReady as cn, createActionRootDomain as cr, IRtcDataChannelLike as ct, ActionCore as d, IActionTransportResolvers as dn, ERunningActionFinishedType as dr, inMemoryCarrier as dt, TFrame$1 as en, createServerHandshake as er, IWsCarrierOptions as et, ActionPayload_Request as f, ISecureClientConfig as fn, ERunningActionState as fr, IInMemoryChannelPair as ft, IActionPayload_Base_JsonObject as g, ITransportRouteClientParams as gn, IRunningActionUpdate_Started as gr, IChannelHostAdapter as gt, IActionPayload_Base as h, ITransportRouteActionParams as hn, IRunningActionUpdate_Progress as hr, err_nice_external_client as ht, TAcceptorCaseFn as i, ETransportShape as in, runtimeLinkId as ir, EErrId_NiceTransport_WebSocket as it, isActionPayload_Result_JsonObject as j, TSendActionDataMethod as jn, IActionDomain as jr, createHibernatableWsServerAdapter as jt, TActionProgress as k, TOnResolveIncomingResponse as kn, IActionCore as kr, IDuplexConnectionRouter as kt, ActionDomain as l, IActionTransportReadyData_Base as ln, ActionRootDomain as lr, rtcDataChannelByteChannel as lt, EActionProgressType as m, ITransportMethod_SendActionData_Input as mn, IRunningActionUpdate_Abort as mr, createInMemoryChannelPair as mt, IAcceptorConnectionBinding as n, createConnectorHandler as nn, decodeHandshakeMessage as nr, IWsAcceptorCarrierOptions as nt, TActionChannelFormatMessage as o, IActionTransportDef as on, createLocalHandler as or, IRtcCarrierOptions as ot, EActionPayloadType as p, ITransportDispatchAction as pn, ERunningActionUpdateType as pr, IInMemoryServerEndpoint as pt, err_nice_transport as q, IClientVerifyKeyResolver as qn, TTransportedValue as qr, createBinaryWireSessionFactory as qt, IAcceptorHandlerOptions as r, PeerLinkHandler as rn, encodeHandshakeMessage as rr, wsAcceptorCarrier as rt, TActionConnectionEncoding as s, IActionTransportInitialized as sn, MaybePromise as sr, rtcCarrier as st, AcceptorHandler as t, ConnectorHandler as tn, createStorageTofuVerifyKeyResolver as tr, wsCarrier as tt, ActionRuntime as u, IActionTransportReadyData_Methods as un, RunningAction as ur, IInMemoryCarrier as ut, IActionPayload_Progress as v, ITransportStatusInfo_Base as vn, TRunningActionUpdate as vr, serveHost as vt, IActionProgress_None as w, TGetTransportFn as wn, IRuntimeCoordinateSpecifics as wr, IAcceptorAttachmentStore as wt, IActionPayload_Result as x, ITransportStatusInfo_Ready as xn, ActionPayload_Result as xr, IServeChannelOptions as xt, IActionPayload_Progress_JsonObject as y, ITransportStatusInfo_Failed as yn, TRunningActionUpdateFinished as yr, IChannelServer as yt, TExchangeRequest as z, ITransportConnectionContext as zn, TPossibleDomainId as zr, IConnectTransport as zt };
-//# sourceMappingURL=AcceptorHandler-BizUtq4u.d.mts.map
+//# sourceMappingURL=AcceptorHandler-CLbwu2Pa.d.mts.map

package/build/{AcceptorHandler-CxPfZtIl.d.cts → AcceptorHandler-Du292dpC.d.cts}

@@ -781,6 +781,16 @@ declare function createInMemoryTofuVerifyKeyResolver(): IClientVerifyKeyResolver
  * Storage-backed trust-on-first-use resolver: pins survive process restarts / Durable Object eviction
  * (e.g. back it with `createDurableObjectStorageAdapter`). Same policy as the in-memory variant — trust
  * + pin the first verify key per client identity, reject a different one thereafter.
+ *
+ * Fail-closed by construction: a thrown storage read (`getJson`) or first-pin write (`updateJsonWithDef`)
+ * propagates out of `resolve`, which makes `onProve` reject the handshake — a storage error can never be
+ * mistaken for "first use" and silently trusted. (A genuine `undefined`/absent read is the only path to
+ * a fresh pin; the underlying adapters never coerce a thrown read to `undefined`.) Keep it that way: do
+ * not wrap the storage calls in a `try/catch` that swallows the error.
+ *
+ * On an *eventually-consistent* store a stale "absent" read re-pins the **same** verify key the client
+ * just presented (it is signature-verified before this runs), so the worst case is a harmless re-write,
+ * never a weakened trust decision. Cross-isolate-strong pinning still wants a strongly-consistent store.
  */
 declare function createStorageTofuVerifyKeyResolver(storageAdapter: StorageAdapter): IClientVerifyKeyResolver;
 interface IClientHandshakeConfig {
@@ -808,11 +818,37 @@ interface IServerHandshakeConfig {
   /** Trust decision for a client's verify key. Defaults to in-memory TOFU. */
   verifyKeyResolver?: IClientVerifyKeyResolver;
 }
-declare function createServerHandshake(config: IServerHandshakeConfig): {
+/**
+ * The server handshake's in-flight state between `onHello` and `onProve` — everything `onProve` needs
+ * to verify the client's proof and settle the result. Fully serializable (all JSON / serialized-key
+ * strings), so a stateless server can {@link IServerHandshake.exportPending} it after `hello`, carry it
+ * across requests (e.g. sealed into a continuation token), and {@link IServerHandshake.restorePending}
+ * it on a *different* instance before `prove` — no in-memory handshake to co-locate. The `serverNonce`
+ * is already folded into `challenge`, so it need not be carried separately.
+ */
+interface IServerHandshakePending {
+  client: IRuntimeCoordinate;
+  linkedClientId: TTypeAndId;
+  challenge: string;
+  clientVerifyKey: TSerializedCryptoKeyData_Ed25519_Raw;
+  negotiatedLevel: ESecurityLevel;
+  keyMaterial?: IHandshakeEncryptionKeyMaterial;
+}
+interface IServerHandshake {
   onHello(hello: THsHello): Promise<THsWelcome | THsReject>;
-  onProve(prove: THsProve): Promise<THsAccept | THsReject>; /** The completed handshake result once `onProve` has accepted, else `undefined`. */
+  onProve(prove: THsProve): Promise<THsAccept | THsReject>;
   getResult(): IHandshakeResult | undefined;
-};
+  /** The serializable in-flight state after `onHello` (else `undefined`). See {@link IServerHandshakePending}. */
+  exportPending(): IServerHandshakePending | undefined;
+  /**
+   * Restore exported `pending` onto a *fresh* handshake instance so `onProve` can run without the
+   * `onHello` that produced it (the stateless / cross-instance path). Re-links the client's verify key
+   * — `onHello`'s `linkClient` was in-memory only and won't exist on this instance — so the signature
+   * check in `onProve` succeeds. Build the instance with the same `config` (identity link + coordinate).
+   */
+  restorePending(pending: IServerHandshakePending): Promise<void>;
+}
+declare function createServerHandshake(config: IServerHandshakeConfig): IServerHandshake;
 //#endregion
 //#region src/ActionRuntime/Handler/PeerLink/Acceptor/createSecureActionServer.d.ts
 interface ISecureAcceptorHandlerOptions<TConn> {
@@ -1847,6 +1883,14 @@ interface IServeChannelOptions<TO_ACCEPTOR extends readonly ActionDomain<any>[],
    *
    * Required only when at least one carrier is secure (the default). A fully-plain server (every carrier
    * `secure: false`) needs no storage and may omit it.
+   *
+   * The secure HTTP exchange is stateless — its handshake + session ride sealed tokens, so it touches
+   * this store only for the (read-mostly) identity, never per session. That lets a single secure-exchange
+   * server (`carriers: [httpAcceptorCarrier()]`) run on a stateless Worker/Node backend with no Durable
+   * Object. On a *strongly-consistent* store (DO storage, D1, Node memory) the default lazy identity is
+   * fork-safe. On an *eventually-consistent* store (Cloudflare KV) pass an explicit {@link link} built
+   * with `identityMode: "required"` and `provisionIdentity()` it once out-of-band, so a transient read
+   * miss can never fork a second identity (which pinned clients would then permanently reject).
    */
   storage?: StorageAdapter;
   /**
@@ -2287,29 +2331,39 @@ interface IExchangeAcceptorConfig {
   security: IExchangeAcceptorSecurity;
   /** The runtime that executes an inbound action wire and produces its result. */
   runtime: ActionRuntime;
+  /**
+   * How long a minted session ticket stays valid (ms). After it expires the client's next action is
+   * rejected and it must re-handshake. Defaults to 12h — long enough for an ordinary session's life,
+   * since a sealed ticket carries no server state to revoke before then. Keep it shorter for a more
+   * tightly time-boxed session.
+   */
+  sessionTtlMs?: number;
 }
 /**
  * Acceptor (accept-in) side of the secure exchange protocol — the HTTP counterpart to
  * {@link AcceptorSecureSession}. Each POST body is one {@link decodeExchangeRequest} envelope; the
- * acceptor drives the server handshake over the two `hs` POSTs (correlated by `hsid`, since stateless
- * requests can't rely on channel ordering), mints a session **token** on accept, and on every later `act`
- * POST resolves the session by token, decrypts the body (at `encrypted`), routes it through the runtime,
- * and returns the (encrypted) result inline as the reply.
+ * acceptor drives the server handshake over the two `hs` POSTs, mints a session **token** on accept, and
+ * on every later `act` POST resolves the session by token, decrypts the body (at `encrypted`), routes it
+ * through the runtime, and returns the (encrypted) result inline as the reply.
  *
- * Sessions and in-flight handshakes are held in memory — fine for a single-instance server. (Surviving a
- * Durable-Object eviction would persist each token's `keyMaterial` and re-derive the key on a miss, the
- * same primitive `AcceptorSecureSession.rehydrate` uses; left as a follow-up.)
+ * **Stateless.** It holds no in-memory handshakes or sessions: the in-flight handshake `pending` is
+ * sealed into the `hsc` continuation token returned on `welcome` and echoed back on `prove`, and the live
+ * session is sealed into the `t` token replayed on every `act`. Both are sealed under the acceptor's own
+ * persisted identity ({@link createExchangeTicketSealer}), so any isolate that loaded the same identity
+ * can serve any POST — no request needs to co-locate with another (no Durable Object required just to
+ * pin a handshake to one instance). A tampered, wrong-key, or expired token opens to "no valid session".
  */
 declare class ExchangeAcceptor {
   private readonly _security;
   private readonly _runtime;
   private readonly _allowedLevels;
   private readonly _noneAllowed;
-  private readonly _pendingHandshakes;
-  private readonly _sessions;
+  private readonly _sealer;
+  private readonly _sessionTtlMs;
   constructor(config: IExchangeAcceptorConfig);
   /** Process one POST body (an exchange envelope), returning the reply body to send back. */
   handlePost(body: string): Promise<string>;
+  private _makeHandshake;
   private _handleHandshake;
   private _handleAction;
   private _err;
@@ -2327,15 +2381,18 @@ declare class ExchangeAcceptor {
  *   the plaintext wire.
  * - `encrypted` — same, but the wire is AES-GCM ciphertext, base64 in the `c` field.
  *
- * The handshake runs as two `hs` exchanges (hello→welcome, prove→accept) correlated by a client-chosen
- * `hsid`, since stateless requests can't rely on channel ordering. The `accept` reply carries the token.
+ * The handshake runs as two `hs` exchanges (hello→welcome, prove→accept). The acceptor keeps **no**
+ * in-flight state between them: the `welcome` reply carries a sealed handshake-continuation token `hsc`
+ * (the acceptor's `pending` state, opaque to the client), which the connector echoes on the `prove`
+ * request. The `accept` reply then carries the (sealed) session `t`oken replayed on every later `act`.
+ * All server-side continuity rides these sealed tokens, so no request needs to co-locate with another.
  */
 type TWireJson = TActionPayload_Any_JsonObject<any, any>;
 /** Connector → acceptor request envelope. */
 type TExchangeRequest = {
   k: "hs";
-  hsid: string;
   m: string;
+  hsc?: string;
 } | {
   k: "act";
   t?: string;
@@ -2349,6 +2406,7 @@ type TExchangeRequest = {
 type TExchangeReply = {
   k: "hs";
   m: string;
+  hsc?: string;
   t?: string;
 } | {
   k: "act";
@@ -3097,4 +3155,4 @@ declare class AcceptorHandler<TConn = unknown> extends PeerLinkHandler {
 declare const createAcceptorHandler: <TConn = unknown>(options: IAcceptorHandlerOptions<TConn>) => AcceptorHandler<TConn>;
 //#endregion
 export { httpAcceptorCarrier as $, createInMemoryTofuVerifyKeyResolver as $n, TCarrier as $t, TActionResultOutcome as A, TOnResolveIncomingResponseJson as An, IActionCore_JsonObject as Ar, IHibernatableWsServerAdapterOptions as At, decodeExchangeReply as B, Transport as Bn, TPossibleDomainIdList as Br, TChannelAcceptorCases as Bt, IActionProgress_Custom as C, IUpdateActionRunConfig_Output as Cn, IRuntimeCoordinate as Cr, serveChannel as Ct, TActionPayload_Any_Instance as D, TOnResolveIncomingRequest as Dn, TRuntimeCoordinateEnvId as Dr, TAcceptorCarrier as Dt, IActionRouteItemHandler as E, TOnResolveAnyIncomingActionData_Json as En, RuntimeCoordinate as Er, IExchangeAcceptorCarrier as Et, decodeActionFrame as F, TTransportStatusInfo as Fn, TActionDomainSchema as Fr, createConnectionStateStore as Ft, IExchangeAcceptorSecurity as G, IClientHandshakeConfig as Gn, TActionSchemaOptions as Gr, defineChannel as Gt, encodeExchange as H, createSecureAcceptorHandler as Hn, EActionResponseMode as Hr, acceptChannel as Ht, EErrId_NiceAction as I, TTransportStatusInfo_GetTransport_Output as In, TDomainActionId as Ir, IAcceptChannelOptions as It, IHttpCarrierOptions as J, IHandshakeEncryptionKeyMaterial as Jn, IActionWireFormat as Jt, EErrId_NiceTransport as K, IClientVerifyKeyResolveInput as Kn, TActionSerializationDefinition as Kr, IBinaryWireSessionOptions as Kt, err_nice_action as L, TUpdateActionRunConfig as Ln, TInferInputFromSchema as Lr, IActionChannel as Lt, isActionPayload_Request_JsonObject as M, TSendReturnDataMethod as Mn, IActionDomainChildOptions as Mr, ConnectionStateStore as Mt, isActionPayload_Any_JsonObject as N, TTransportCache as Nn, IActionRootDomain as Nr, IConnectionAttachment as Nt, TActionPayload_Any_JsonObject as O, TOnResolveIncomingRequestJson as On, TRuntimeCoordinateStringId as Or, isExchangeAcceptorCarrier as Ot, IActionFrameDecoder as P, TTransportInitializationFinishedInfo as Pn, TActionDomainChildDef as Pr, IConnectionStateStoreOptions as Pt, IHttpAcceptorCarrierOptions as Q, createClientHandshake as Qn, IExchangeCarrierSource as Qt, TExchangeReply as R, TransportConnection as Rn, TInferOutputFromSchema as Rr, IConnectChannelOptions as Rt, IActionPayload_Result_JsonObject as S, ITransportStatusInfo_Unsupported as Sn, ActionPayload_Progress as Sr, IServeConnectionStateOptions as St, IActionProgress_Percentage as T, TOnResolveAnyIncomingActionData as Tn, IRuntimeFullCoordinates as Tr, IDuplexAcceptorCarrier as Tt, ExchangeAcceptor as U, EHandshakeMessageType as Un, TInferActionError as Ur, acceptChannelConnections as Ut, decodeExchangeRequest as V, ISecureAcceptorHandlerOptions as Vn, ActionSchema as Vr, TChannelPushHandlers as Vt, IExchangeAcceptorConfig as W, ESecurityLevel as Wn, actionSchema as Wr, connectChannel as Wt, TCarrierFetch as X, IServerHandshakeConfig as Xn, IDuplexCarrierSource as Xt, IHttpCarrierRequest as Y, IHandshakeResult as Yn, IDuplexCarrier as Yt, httpCarrier as Z, THandshakeMessage as Zn, IExchangeCarrier as Zt, IActionPayload_Data_Base as _, ITransportRouteInfo as _n, IRunningActionUpdate_Success as _r, TServeHostOptions as _t, TAcceptorConnectionCaseFn as a, ETransportStatus as an, ActionLocalHandler as ar, err_nice_transport_ws as at, IActionPayload_Request_JsonObject as b, ITransportStatusInfo_Initializing as bn, TRunningActionUpdateListener as br, IConnectionContext as bt, createAcceptorHandler as c, IActionTransportReady as cn, createActionRootDomain as cr, IRtcDataChannelLike as ct, ActionCore as d, IActionTransportResolvers as dn, ERunningActionFinishedType as dr, inMemoryCarrier as dt, TFrame$1 as en, createServerHandshake as er, IWsCarrierOptions as et, ActionPayload_Request as f, ISecureClientConfig as fn, ERunningActionState as fr, IInMemoryChannelPair as ft, IActionPayload_Base_JsonObject as g, ITransportRouteClientParams as gn, IRunningActionUpdate_Started as gr, IChannelHostAdapter as gt, IActionPayload_Base as h, ITransportRouteActionParams as hn, IRunningActionUpdate_Progress as hr, err_nice_external_client as ht, TAcceptorCaseFn as i, ETransportShape as in, runtimeLinkId as ir, EErrId_NiceTransport_WebSocket as it, isActionPayload_Result_JsonObject as j, TSendActionDataMethod as jn, IActionDomain as jr, createHibernatableWsServerAdapter as jt, TActionProgress as k, TOnResolveIncomingResponse as kn, IActionCore as kr, IDuplexConnectionRouter as kt, ActionDomain as l, IActionTransportReadyData_Base as ln, ActionRootDomain as lr, rtcDataChannelByteChannel as lt, EActionProgressType as m, ITransportMethod_SendActionData_Input as mn, IRunningActionUpdate_Abort as mr, createInMemoryChannelPair as mt, IAcceptorConnectionBinding as n, createConnectorHandler as nn, decodeHandshakeMessage as nr, IWsAcceptorCarrierOptions as nt, TActionChannelFormatMessage as o, IActionTransportDef as on, createLocalHandler as or, IRtcCarrierOptions as ot, EActionPayloadType as p, ITransportDispatchAction as pn, ERunningActionUpdateType as pr, IInMemoryServerEndpoint as pt, err_nice_transport as q, IClientVerifyKeyResolver as qn, TTransportedValue as qr, createBinaryWireSessionFactory as qt, IAcceptorHandlerOptions as r, PeerLinkHandler as rn, encodeHandshakeMessage as rr, wsAcceptorCarrier as rt, TActionConnectionEncoding as s, IActionTransportInitialized as sn, MaybePromise as sr, rtcCarrier as st, AcceptorHandler as t, ConnectorHandler as tn, createStorageTofuVerifyKeyResolver as tr, wsCarrier as tt, ActionRuntime as u, IActionTransportReadyData_Methods as un, RunningAction as ur, IInMemoryCarrier as ut, IActionPayload_Progress as v, ITransportStatusInfo_Base as vn, TRunningActionUpdate as vr, serveHost as vt, IActionProgress_None as w, TGetTransportFn as wn, IRuntimeCoordinateSpecifics as wr, IAcceptorAttachmentStore as wt, IActionPayload_Result as x, ITransportStatusInfo_Ready as xn, ActionPayload_Result as xr, IServeChannelOptions as xt, IActionPayload_Progress_JsonObject as y, ITransportStatusInfo_Failed as yn, TRunningActionUpdateFinished as yr, IChannelServer as yt, TExchangeRequest as z, ITransportConnectionContext as zn, TPossibleDomainId as zr, IConnectTransport as zt };
-//# sourceMappingURL=AcceptorHandler-CxPfZtIl.d.cts.map
+//# sourceMappingURL=AcceptorHandler-Du292dpC.d.cts.map

package/build/{ActionDevtoolsCore-D9KBBI2V.d.cts → ActionDevtoolsCore-DGwzONZT.d.mts}

@@ -1,4 +1,4 @@
-import { Cr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-CxPfZtIl.cjs";
+import { Cr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-CLbwu2Pa.mjs";
 //#region ../nice-devtools-shared/src/components/PanelChrome.d.ts
 /** Where a devtools panel is docked. */
 type TDevtoolsPosition = "dock-bottom" | "dock-top" | "dock-left" | "dock-right";
@@ -76,4 +76,4 @@ declare class ActionDevtoolsCore {
 }
 //#endregion
 export { TDevtoolsActionStatus as a, IDevtoolsObservableDomain as i, IActionDevtoolsCoreOptions as n, TDevtoolsListener as o, IDevtoolsActionEntry as r, TDevtoolsPosition as s, ActionDevtoolsCore as t };
-//# sourceMappingURL=ActionDevtoolsCore-D9KBBI2V.d.cts.map
+//# sourceMappingURL=ActionDevtoolsCore-DGwzONZT.d.mts.map

package/build/{ActionDevtoolsCore-xZjAtB4H.d.mts → ActionDevtoolsCore-dH4K4w3B.d.cts}

@@ -1,4 +1,4 @@
-import { Cr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-BizUtq4u.mjs";
+import { Cr as IRuntimeCoordinate, k as TActionProgress } from "./AcceptorHandler-Du292dpC.cjs";
 //#region ../nice-devtools-shared/src/components/PanelChrome.d.ts
 /** Where a devtools panel is docked. */
 type TDevtoolsPosition = "dock-bottom" | "dock-top" | "dock-left" | "dock-right";
@@ -76,4 +76,4 @@ declare class ActionDevtoolsCore {
 }
 //#endregion
 export { TDevtoolsActionStatus as a, IDevtoolsObservableDomain as i, IActionDevtoolsCoreOptions as n, TDevtoolsListener as o, IDevtoolsActionEntry as r, TDevtoolsPosition as s, ActionDevtoolsCore as t };
-//# sourceMappingURL=ActionDevtoolsCore-xZjAtB4H.d.mts.map
+//# sourceMappingURL=ActionDevtoolsCore-dH4K4w3B.d.cts.map

package/build/advanced/index.cjs

@@ -1,5 +1,5 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const require_createHibernatableWsServerAdapter = require("../createHibernatableWsServerAdapter-FSDWrxoF.cjs");
+const require_createHibernatableWsServerAdapter = require("../createHibernatableWsServerAdapter-j96U9vgo.cjs");
 let msgpackr = require("msgpackr");
 //#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.ts
 /**

package/build/advanced/index.d.cts

@@ -1,5 +1,5 @@
-import { An as TOnResolveIncomingResponseJson, At as IHibernatableWsServerAdapterOptions, B as decodeExchangeReply, Bn as Transport, Cn as IUpdateActionRunConfig_Output, Dn as TOnResolveIncomingRequest, En as TOnResolveAnyIncomingActionData_Json, Fn as TTransportStatusInfo, Ft as createConnectionStateStore, G as IExchangeAcceptorSecurity, Gn as IClientHandshakeConfig, H as encodeExchange, Hn as createSecureAcceptorHandler, In as TTransportStatusInfo_GetTransport_Output, Jn as IHandshakeEncryptionKeyMaterial, Jt as IActionWireFormat, Kt as IBinaryWireSessionOptions, Ln as TUpdateActionRunConfig, Mn as TSendReturnDataMethod, Mt as ConnectionStateStore, Nn as TTransportCache, Nt as IConnectionAttachment, On as TOnResolveIncomingRequestJson, Pn as TTransportInitializationFinishedInfo, Pt as IConnectionStateStoreOptions, Qn as createClientHandshake, R as TExchangeReply, Rn as TransportConnection, Sn as ITransportStatusInfo_Unsupported, Tn as TOnResolveAnyIncomingActionData, U as ExchangeAcceptor, Un as EHandshakeMessageType, V as decodeExchangeRequest, Vn as ISecureAcceptorHandlerOptions, W as IExchangeAcceptorConfig, Xn as IServerHandshakeConfig, Yn as IHandshakeResult, Yt as IDuplexCarrier, Zn as THandshakeMessage, Zt as IExchangeCarrier, _n as ITransportRouteInfo, a as TAcceptorConnectionCaseFn, an as ETransportStatus, bn as ITransportStatusInfo_Initializing, c as createAcceptorHandler, cn as IActionTransportReady, dn as IActionTransportResolvers, er as createServerHandshake, fn as ISecureClientConfig, gn as ITransportRouteClientParams, hn as ITransportRouteActionParams, i as TAcceptorCaseFn, in as ETransportShape, jn as TSendActionDataMethod, jt as createHibernatableWsServerAdapter, kn as TOnResolveIncomingResponse, kt as IDuplexConnectionRouter, l as ActionDomain, ln as IActionTransportReadyData_Base, mn as ITransportMethod_SendActionData_Input, n as IAcceptorConnectionBinding, nn as createConnectorHandler, nr as decodeHandshakeMessage, o as TActionChannelFormatMessage, on as IActionTransportDef, pn as ITransportDispatchAction, qt as createBinaryWireSessionFactory, r as IAcceptorHandlerOptions, rn as PeerLinkHandler, rr as encodeHandshakeMessage, s as TActionConnectionEncoding, sn as IActionTransportInitialized, t as AcceptorHandler, tn as ConnectorHandler, u as ActionRuntime, un as IActionTransportReadyData_Methods, vn as ITransportStatusInfo_Base, wn as TGetTransportFn, xn as ITransportStatusInfo_Ready, yn as ITransportStatusInfo_Failed, z as TExchangeRequest, zn as ITransportConnectionContext } from "../AcceptorHandler-CxPfZtIl.cjs";
-import { ClientCryptoKeyLink, TTypeAndId } from "@nice-code/util";
+import { An as TOnResolveIncomingResponseJson, At as IHibernatableWsServerAdapterOptions, B as decodeExchangeReply, Bn as Transport, Cn as IUpdateActionRunConfig_Output, Dn as TOnResolveIncomingRequest, En as TOnResolveAnyIncomingActionData_Json, Fn as TTransportStatusInfo, Ft as createConnectionStateStore, G as IExchangeAcceptorSecurity, Gn as IClientHandshakeConfig, H as encodeExchange, Hn as createSecureAcceptorHandler, In as TTransportStatusInfo_GetTransport_Output, Jn as IHandshakeEncryptionKeyMaterial, Jt as IActionWireFormat, Kt as IBinaryWireSessionOptions, Ln as TUpdateActionRunConfig, Mn as TSendReturnDataMethod, Mt as ConnectionStateStore, Nn as TTransportCache, Nt as IConnectionAttachment, On as TOnResolveIncomingRequestJson, Pn as TTransportInitializationFinishedInfo, Pt as IConnectionStateStoreOptions, Qn as createClientHandshake, R as TExchangeReply, Rn as TransportConnection, Sn as ITransportStatusInfo_Unsupported, Tn as TOnResolveAnyIncomingActionData, U as ExchangeAcceptor, Un as EHandshakeMessageType, V as decodeExchangeRequest, Vn as ISecureAcceptorHandlerOptions, W as IExchangeAcceptorConfig, Xn as IServerHandshakeConfig, Yn as IHandshakeResult, Yt as IDuplexCarrier, Zn as THandshakeMessage, Zt as IExchangeCarrier, _n as ITransportRouteInfo, a as TAcceptorConnectionCaseFn, an as ETransportStatus, bn as ITransportStatusInfo_Initializing, c as createAcceptorHandler, cn as IActionTransportReady, dn as IActionTransportResolvers, er as createServerHandshake, fn as ISecureClientConfig, gn as ITransportRouteClientParams, hn as ITransportRouteActionParams, i as TAcceptorCaseFn, in as ETransportShape, jn as TSendActionDataMethod, jt as createHibernatableWsServerAdapter, kn as TOnResolveIncomingResponse, kt as IDuplexConnectionRouter, l as ActionDomain, ln as IActionTransportReadyData_Base, mn as ITransportMethod_SendActionData_Input, n as IAcceptorConnectionBinding, nn as createConnectorHandler, nr as decodeHandshakeMessage, o as TActionChannelFormatMessage, on as IActionTransportDef, pn as ITransportDispatchAction, qt as createBinaryWireSessionFactory, r as IAcceptorHandlerOptions, rn as PeerLinkHandler, rr as encodeHandshakeMessage, s as TActionConnectionEncoding, sn as IActionTransportInitialized, t as AcceptorHandler, tn as ConnectorHandler, u as ActionRuntime, un as IActionTransportReadyData_Methods, vn as ITransportStatusInfo_Base, wn as TGetTransportFn, xn as ITransportStatusInfo_Ready, yn as ITransportStatusInfo_Failed, z as TExchangeRequest, zn as ITransportConnectionContext } from "../AcceptorHandler-Du292dpC.cjs";
+import { ClientCryptoKeyLink } from "@nice-code/util";
 
 //#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.d.ts
 interface IActionFetchHandlerOptions {
@@ -99,16 +99,22 @@ interface IActionFrameCrypto {
 }
 interface IActionFrameCryptoConfig {
   link: ClientCryptoKeyLink;
-  /** The handshake-established link id for the remote (key + connection-registry id). */
-  linkedClientId: TTypeAndId;
+  /**
+   * This session's handshake key material. The shared AES-GCM key is derived from it **once** and held
+   * for the life of the connection — it is NOT re-read per frame from the link's per-`linkedClientId`
+   * cache, so a second secure session to the same peer (e.g. a secure HTTP exchange beside a secure
+   * WebSocket, both sharing one DO crypto identity) can't overwrite this connection's key.
+   */
+  keyMaterial: IHandshakeEncryptionKeyMaterial;
 }
 /**
  * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
- * level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+ * level. The shared key is derived once from {@link IActionFrameCryptoConfig.keyMaterial} and captured
+ * for this connection alone, decoupling it from the link's shared key cache.
  */
 declare function createActionFrameCrypto({
   link,
-  linkedClientId
+  keyMaterial
 }: IActionFrameCryptoConfig): IActionFrameCrypto;
 //#endregion
 //#region src/ActionRuntime/Transport/Exchange/TransportExchange.types.d.ts

package/build/advanced/index.d.mts

@@ -1,5 +1,5 @@
-import { An as TOnResolveIncomingResponseJson, At as IHibernatableWsServerAdapterOptions, B as decodeExchangeReply, Bn as Transport, Cn as IUpdateActionRunConfig_Output, Dn as TOnResolveIncomingRequest, En as TOnResolveAnyIncomingActionData_Json, Fn as TTransportStatusInfo, Ft as createConnectionStateStore, G as IExchangeAcceptorSecurity, Gn as IClientHandshakeConfig, H as encodeExchange, Hn as createSecureAcceptorHandler, In as TTransportStatusInfo_GetTransport_Output, Jn as IHandshakeEncryptionKeyMaterial, Jt as IActionWireFormat, Kt as IBinaryWireSessionOptions, Ln as TUpdateActionRunConfig, Mn as TSendReturnDataMethod, Mt as ConnectionStateStore, Nn as TTransportCache, Nt as IConnectionAttachment, On as TOnResolveIncomingRequestJson, Pn as TTransportInitializationFinishedInfo, Pt as IConnectionStateStoreOptions, Qn as createClientHandshake, R as TExchangeReply, Rn as TransportConnection, Sn as ITransportStatusInfo_Unsupported, Tn as TOnResolveAnyIncomingActionData, U as ExchangeAcceptor, Un as EHandshakeMessageType, V as decodeExchangeRequest, Vn as ISecureAcceptorHandlerOptions, W as IExchangeAcceptorConfig, Xn as IServerHandshakeConfig, Yn as IHandshakeResult, Yt as IDuplexCarrier, Zn as THandshakeMessage, Zt as IExchangeCarrier, _n as ITransportRouteInfo, a as TAcceptorConnectionCaseFn, an as ETransportStatus, bn as ITransportStatusInfo_Initializing, c as createAcceptorHandler, cn as IActionTransportReady, dn as IActionTransportResolvers, er as createServerHandshake, fn as ISecureClientConfig, gn as ITransportRouteClientParams, hn as ITransportRouteActionParams, i as TAcceptorCaseFn, in as ETransportShape, jn as TSendActionDataMethod, jt as createHibernatableWsServerAdapter, kn as TOnResolveIncomingResponse, kt as IDuplexConnectionRouter, l as ActionDomain, ln as IActionTransportReadyData_Base, mn as ITransportMethod_SendActionData_Input, n as IAcceptorConnectionBinding, nn as createConnectorHandler, nr as decodeHandshakeMessage, o as TActionChannelFormatMessage, on as IActionTransportDef, pn as ITransportDispatchAction, qt as createBinaryWireSessionFactory, r as IAcceptorHandlerOptions, rn as PeerLinkHandler, rr as encodeHandshakeMessage, s as TActionConnectionEncoding, sn as IActionTransportInitialized, t as AcceptorHandler, tn as ConnectorHandler, u as ActionRuntime, un as IActionTransportReadyData_Methods, vn as ITransportStatusInfo_Base, wn as TGetTransportFn, xn as ITransportStatusInfo_Ready, yn as ITransportStatusInfo_Failed, z as TExchangeRequest, zn as ITransportConnectionContext } from "../AcceptorHandler-BizUtq4u.mjs";
-import { ClientCryptoKeyLink, TTypeAndId } from "@nice-code/util";
+import { An as TOnResolveIncomingResponseJson, At as IHibernatableWsServerAdapterOptions, B as decodeExchangeReply, Bn as Transport, Cn as IUpdateActionRunConfig_Output, Dn as TOnResolveIncomingRequest, En as TOnResolveAnyIncomingActionData_Json, Fn as TTransportStatusInfo, Ft as createConnectionStateStore, G as IExchangeAcceptorSecurity, Gn as IClientHandshakeConfig, H as encodeExchange, Hn as createSecureAcceptorHandler, In as TTransportStatusInfo_GetTransport_Output, Jn as IHandshakeEncryptionKeyMaterial, Jt as IActionWireFormat, Kt as IBinaryWireSessionOptions, Ln as TUpdateActionRunConfig, Mn as TSendReturnDataMethod, Mt as ConnectionStateStore, Nn as TTransportCache, Nt as IConnectionAttachment, On as TOnResolveIncomingRequestJson, Pn as TTransportInitializationFinishedInfo, Pt as IConnectionStateStoreOptions, Qn as createClientHandshake, R as TExchangeReply, Rn as TransportConnection, Sn as ITransportStatusInfo_Unsupported, Tn as TOnResolveAnyIncomingActionData, U as ExchangeAcceptor, Un as EHandshakeMessageType, V as decodeExchangeRequest, Vn as ISecureAcceptorHandlerOptions, W as IExchangeAcceptorConfig, Xn as IServerHandshakeConfig, Yn as IHandshakeResult, Yt as IDuplexCarrier, Zn as THandshakeMessage, Zt as IExchangeCarrier, _n as ITransportRouteInfo, a as TAcceptorConnectionCaseFn, an as ETransportStatus, bn as ITransportStatusInfo_Initializing, c as createAcceptorHandler, cn as IActionTransportReady, dn as IActionTransportResolvers, er as createServerHandshake, fn as ISecureClientConfig, gn as ITransportRouteClientParams, hn as ITransportRouteActionParams, i as TAcceptorCaseFn, in as ETransportShape, jn as TSendActionDataMethod, jt as createHibernatableWsServerAdapter, kn as TOnResolveIncomingResponse, kt as IDuplexConnectionRouter, l as ActionDomain, ln as IActionTransportReadyData_Base, mn as ITransportMethod_SendActionData_Input, n as IAcceptorConnectionBinding, nn as createConnectorHandler, nr as decodeHandshakeMessage, o as TActionChannelFormatMessage, on as IActionTransportDef, pn as ITransportDispatchAction, qt as createBinaryWireSessionFactory, r as IAcceptorHandlerOptions, rn as PeerLinkHandler, rr as encodeHandshakeMessage, s as TActionConnectionEncoding, sn as IActionTransportInitialized, t as AcceptorHandler, tn as ConnectorHandler, u as ActionRuntime, un as IActionTransportReadyData_Methods, vn as ITransportStatusInfo_Base, wn as TGetTransportFn, xn as ITransportStatusInfo_Ready, yn as ITransportStatusInfo_Failed, z as TExchangeRequest, zn as ITransportConnectionContext } from "../AcceptorHandler-CLbwu2Pa.mjs";
+import { ClientCryptoKeyLink } from "@nice-code/util";
 
 //#region src/ActionRuntime/Handler/PeerLink/Acceptor/createActionFetchHandler.d.ts
 interface IActionFetchHandlerOptions {
@@ -99,16 +99,22 @@ interface IActionFrameCrypto {
 }
 interface IActionFrameCryptoConfig {
   link: ClientCryptoKeyLink;
-  /** The handshake-established link id for the remote (key + connection-registry id). */
-  linkedClientId: TTypeAndId;
+  /**
+   * This session's handshake key material. The shared AES-GCM key is derived from it **once** and held
+   * for the life of the connection — it is NOT re-read per frame from the link's per-`linkedClientId`
+   * cache, so a second secure session to the same peer (e.g. a secure HTTP exchange beside a secure
+   * WebSocket, both sharing one DO crypto identity) can't overwrite this connection's key.
+   */
+  keyMaterial: IHandshakeEncryptionKeyMaterial;
 }
 /**
  * Build the encrypt/decrypt transform for a connection whose handshake settled on the `encrypted`
- * level. Keyed by the link + `linkedClientId`, so it reuses the cached shared AES-GCM key.
+ * level. The shared key is derived once from {@link IActionFrameCryptoConfig.keyMaterial} and captured
+ * for this connection alone, decoupling it from the link's shared key cache.
  */
 declare function createActionFrameCrypto({
   link,
-  linkedClientId
+  keyMaterial
 }: IActionFrameCryptoConfig): IActionFrameCrypto;
 //#endregion
 //#region src/ActionRuntime/Transport/Exchange/TransportExchange.types.d.ts

package/build/advanced/index.mjs

@@ -1,4 +1,4 @@
-import { A as encodeHandshakeMessage, C as EHandshakeMessageType, D as createServerHandshake, F as ConnectorHandler, I as createConnectorHandler, L as PeerLinkHandler, R as ETransportShape, T as createClientHandshake, _ as extractWirePayload, a as ExchangeAcceptor, b as createAcceptorHandler, c as decodeExchangeReply, d as Transport, f as createBinaryWireSessionFactory, g as buildActionRouteDictionary, h as assembleWireJson, i as createActionFetchHandler, k as decodeHandshakeMessage, l as decodeExchangeRequest, m as ReversePayloadType, n as ConnectionStateStore, o as LinkTransport, p as PayloadTypeToInt, r as createConnectionStateStore, s as ExchangeTransport, t as createHibernatableWsServerAdapter, u as encodeExchange, v as createSecureAcceptorHandler, x as createActionFrameCrypto, y as AcceptorHandler, z as ETransportStatus } from "../createHibernatableWsServerAdapter-BkjESd01.mjs";
+import { A as encodeHandshakeMessage, C as EHandshakeMessageType, D as createServerHandshake, F as ConnectorHandler, I as createConnectorHandler, L as PeerLinkHandler, R as ETransportShape, T as createClientHandshake, _ as extractWirePayload, a as ExchangeAcceptor, b as createAcceptorHandler, c as decodeExchangeReply, d as Transport, f as createBinaryWireSessionFactory, g as buildActionRouteDictionary, h as assembleWireJson, i as createActionFetchHandler, k as decodeHandshakeMessage, l as decodeExchangeRequest, m as ReversePayloadType, n as ConnectionStateStore, o as LinkTransport, p as PayloadTypeToInt, r as createConnectionStateStore, s as ExchangeTransport, t as createHibernatableWsServerAdapter, u as encodeExchange, v as createSecureAcceptorHandler, x as createActionFrameCrypto, y as AcceptorHandler, z as ETransportStatus } from "../createHibernatableWsServerAdapter-BD5n-Ev9.mjs";
 import { pack, unpack } from "msgpackr";
 //#region src/ActionRuntime/Transport/codec/createBinaryWireAdapter.ts
 /**