npm - @nice-code/action - Versions diffs - 0.6.0 → 0.6.1 - Mend

@nice-code/action 0.6.0 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/build/index.js CHANGED Viewed

@@ -1975,7 +1975,7 @@ class ActionExternalClientHandler extends ActionHandler {
       });
       if (methods.sendReturnData == null)
         return false;
-      methods.sendReturnData(payload);
+      methods.sendReturnData(payload, { localClient, externalClient: this.externalClient });
       return true;
     } catch {
       return false;
@@ -2339,6 +2339,606 @@ class HttpTransport extends Transport {
     };
   }
 }
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionFrameCrypto.ts
+import { pack, unpack } from "msgpackr";
+var ENCRYPTED_ENVELOPE_LENGTH = 2;
+function createActionFrameCrypto({
+  link,
+  linkedClientId
+}) {
+  return {
+    async encryptFrame(frame) {
+      const { nonce, ciphertext } = await link.encryptBytesForLinkedClient({
+        linkedClientId,
+        dataToEncrypt: frame
+      });
+      return pack([nonce, ciphertext]);
+    },
+    async decryptFrame(frame) {
+      if (typeof frame === "string") {
+        throw new Error("[ws-crypto] expected an encrypted binary frame, received text");
+      }
+      const buffer = frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame;
+      const envelope = unpack(buffer);
+      if (!Array.isArray(envelope) || envelope.length !== ENCRYPTED_ENVELOPE_LENGTH) {
+        throw new Error("[ws-crypto] malformed encrypted frame envelope");
+      }
+      const [nonce, ciphertext] = envelope;
+      if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) {
+        throw new Error("[ws-crypto] malformed encrypted frame fields");
+      }
+      return await link.decryptBytesFromLinkedClient({
+        linkedClientId,
+        dataToDecrypt: { nonce, ciphertext }
+      });
+    }
+  };
+}
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionWsHandshake.ts
+import {
+  createTypedStorage
+} from "@nice-code/util";
+import { nanoid as nanoid5 } from "nanoid";
+import * as v from "valibot";
+var HANDSHAKE_PROTOCOL = "nice-ws-hs/1";
+var ESecurityLevel;
+((ESecurityLevel2) => {
+  ESecurityLevel2["none"] = "none";
+  ESecurityLevel2["authenticated"] = "authenticated";
+  ESecurityLevel2["encrypted"] = "encrypted";
+})(ESecurityLevel ||= {});
+var EHandshakeMessageType;
+((EHandshakeMessageType2) => {
+  EHandshakeMessageType2["hello"] = "hello";
+  EHandshakeMessageType2["welcome"] = "welcome";
+  EHandshakeMessageType2["prove"] = "prove";
+  EHandshakeMessageType2["accept"] = "accept";
+  EHandshakeMessageType2["reject"] = "reject";
+})(EHandshakeMessageType ||= {});
+var vEd25519Raw = v.custom((val) => typeof val === "string" && val.startsWith("ed25519::raw_base64::"));
+var vX25519Raw = v.custom((val) => typeof val === "string" && val.startsWith("x25519::raw_base64::"));
+var vCoordinate = v.object({
+  envId: v.string(),
+  perId: v.optional(v.string()),
+  insId: v.optional(v.string())
+});
+var vSecurityLevel = v.picklist([
+  "none" /* none */,
+  "authenticated" /* authenticated */,
+  "encrypted" /* encrypted */
+]);
+var vHsHello = v.object({
+  t: v.literal("hello" /* hello */),
+  protocol: v.string(),
+  securityLevel: vSecurityLevel,
+  dictionaryVersion: v.string(),
+  client: vCoordinate,
+  clientNonce: v.string(),
+  verifyPublicKey: vEd25519Raw,
+  exchangePublicKey: v.optional(vX25519Raw)
+});
+var vHsWelcome = v.object({
+  t: v.literal("welcome" /* welcome */),
+  securityLevel: vSecurityLevel,
+  dictionaryVersion: v.string(),
+  server: vCoordinate,
+  serverNonce: v.string(),
+  verifyPublicKey: vEd25519Raw,
+  exchangePublicKey: v.optional(vX25519Raw)
+});
+var vHsProve = v.object({
+  t: v.literal("prove" /* prove */),
+  signatureBase64: v.string()
+});
+var vHsAccept = v.object({
+  t: v.literal("accept" /* accept */),
+  signatureBase64: v.optional(v.string())
+});
+var vHsReject = v.object({
+  t: v.literal("reject" /* reject */),
+  reason: v.string()
+});
+var vHandshakeMessage = v.variant("t", [vHsHello, vHsWelcome, vHsProve, vHsAccept, vHsReject]);
+function encodeHandshakeMessage(message) {
+  return JSON.stringify(message);
+}
+function decodeHandshakeMessage(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return;
+  }
+  const result = v.safeParse(vHandshakeMessage, parsed);
+  return result.success ? result.output : undefined;
+}
+function runtimeLinkId(coordinate) {
+  return `runtime::${new RuntimeCoordinate(coordinate).stringId}`;
+}
+function coordId(coordinate) {
+  return new RuntimeCoordinate(coordinate).stringId;
+}
+function sessionSalt(clientNonce, serverNonce) {
+  return `${clientNonce}::${serverNonce}`;
+}
+function handshakeInfo(dictionaryVersion) {
+  return `${HANDSHAKE_PROTOCOL}::${dictionaryVersion}`;
+}
+function buildHandshakeChallenge(parts) {
+  return JSON.stringify([
+    HANDSHAKE_PROTOCOL,
+    parts.securityLevel,
+    parts.dictionaryVersion,
+    parts.clientCoordId,
+    parts.serverCoordId,
+    parts.clientNonce,
+    parts.serverNonce,
+    parts.clientVerifyKey,
+    parts.serverVerifyKey,
+    parts.clientExchangeKey ?? "_",
+    parts.serverExchangeKey ?? "_"
+  ]);
+}
+function reject(reason) {
+  return { t: "reject" /* reject */, reason };
+}
+function tofuPinKey(client) {
+  return `${client.envId}::${client.perId ?? client.insId ?? "_"}`;
+}
+function createInMemoryTofuVerifyKeyResolver() {
+  const pinned = new Map;
+  return {
+    async resolve({ client, verifyPublicKey }) {
+      const key = tofuPinKey(client);
+      const existing = pinned.get(key);
+      if (existing == null) {
+        pinned.set(key, verifyPublicKey);
+        return { trusted: true };
+      }
+      if (existing === verifyPublicKey)
+        return { trusted: true };
+      return { trusted: false, reason: "verify key changed for client identity (pin mismatch)" };
+    }
+  };
+}
+function createStorageTofuVerifyKeyResolver(storageAdapter) {
+  const storage = createTypedStorage({ storageAdapter });
+  return {
+    async resolve({ client, verifyPublicKey }) {
+      const key = tofuPinKey(client);
+      const existing = (await storage.getJson("pins"))?.[key];
+      if (existing == null) {
+        await storage.updateJsonWithDef("pins", {}, (current) => ({
+          ...current,
+          [key]: verifyPublicKey
+        }));
+        return { trusted: true };
+      }
+      if (existing === verifyPublicKey)
+        return { trusted: true };
+      return { trusted: false, reason: "verify key changed for client identity (pin mismatch)" };
+    }
+  };
+}
+function createClientHandshake(config) {
+  const { link, localCoordinate, dictionaryVersion, securityLevel } = config;
+  const wantsEncryption = securityLevel === "encrypted" /* encrypted */;
+  const clientNonce = nanoid5();
+  let pending;
+  return {
+    async createHello() {
+      return {
+        t: "hello" /* hello */,
+        protocol: HANDSHAKE_PROTOCOL,
+        securityLevel,
+        dictionaryVersion,
+        client: localCoordinate,
+        clientNonce,
+        verifyPublicKey: await link.getLocalVerifyPublicKey(),
+        exchangePublicKey: wantsEncryption ? await link.getLocalExchangePublicKey() : undefined
+      };
+    },
+    async onWelcome(welcome) {
+      if (welcome.dictionaryVersion !== dictionaryVersion) {
+        throw new Error("[ws-handshake] server dictionary version mismatch");
+      }
+      if (welcome.securityLevel !== securityLevel) {
+        throw new Error("[ws-handshake] server security level mismatch");
+      }
+      if (wantsEncryption && welcome.exchangePublicKey == null) {
+        throw new Error("[ws-handshake] server did not provide an exchange key for encryption");
+      }
+      const linkedServerId = runtimeLinkId(welcome.server);
+      await link.linkClient({
+        linkedClientId: linkedServerId,
+        verifyPublicKey: welcome.verifyPublicKey,
+        ...wantsEncryption ? {
+          exchangePublicKey: welcome.exchangePublicKey,
+          saltString: sessionSalt(clientNonce, welcome.serverNonce),
+          infoString: handshakeInfo(dictionaryVersion),
+          bindVerifyKeysIntoDerivation: true
+        } : {}
+      });
+      const challenge = buildHandshakeChallenge({
+        securityLevel,
+        dictionaryVersion,
+        clientCoordId: coordId(localCoordinate),
+        serverCoordId: coordId(welcome.server),
+        clientNonce,
+        serverNonce: welcome.serverNonce,
+        clientVerifyKey: await link.getLocalVerifyPublicKey(),
+        serverVerifyKey: welcome.verifyPublicKey,
+        clientExchangeKey: wantsEncryption ? await link.getLocalExchangePublicKey() : undefined,
+        serverExchangeKey: welcome.exchangePublicKey
+      });
+      pending = { linkedServerId, server: welcome.server, challenge };
+      return {
+        t: "prove" /* prove */,
+        signatureBase64: (await link.signChallenge([challenge])).signatureBase64
+      };
+    },
+    async onAccept(accept) {
+      if (pending == null)
+        throw new Error("[ws-handshake] accept before welcome");
+      if (accept.signatureBase64 != null) {
+        const valid = await link.verifyChallengeFromLinkedClient({
+          linkedClientId: pending.linkedServerId,
+          challenge: pending.challenge,
+          signatureBase64: accept.signatureBase64
+        });
+        if (!valid)
+          throw new Error("[ws-handshake] server signature invalid");
+      }
+      return { linkedClientId: pending.linkedServerId, remote: pending.server, securityLevel };
+    }
+  };
+}
+function createServerHandshake(config) {
+  const { link, localCoordinate, dictionaryVersion } = config;
+  const allowedLevels = Array.isArray(config.securityLevel) ? config.securityLevel : [config.securityLevel];
+  const verifyKeyResolver = config.verifyKeyResolver ?? createInMemoryTofuVerifyKeyResolver();
+  const serverNonce = nanoid5();
+  let pending;
+  let result;
+  return {
+    async onHello(hello) {
+      if (hello.protocol !== HANDSHAKE_PROTOCOL)
+        return reject("unsupported handshake protocol");
+      if (hello.dictionaryVersion !== dictionaryVersion)
+        return reject("dictionary version mismatch");
+      const negotiatedLevel = hello.securityLevel;
+      if (negotiatedLevel === "none" /* none */ || !allowedLevels.includes(negotiatedLevel)) {
+        return reject("security level not allowed");
+      }
+      const wantsEncryption = negotiatedLevel === "encrypted" /* encrypted */;
+      if (wantsEncryption && hello.exchangePublicKey == null) {
+        return reject("missing exchange key for encryption");
+      }
+      const linkedClientId = runtimeLinkId(hello.client);
+      await link.linkClient({
+        linkedClientId,
+        verifyPublicKey: hello.verifyPublicKey,
+        ...wantsEncryption ? {
+          exchangePublicKey: hello.exchangePublicKey,
+          saltString: sessionSalt(hello.clientNonce, serverNonce),
+          infoString: handshakeInfo(dictionaryVersion),
+          bindVerifyKeysIntoDerivation: true
+        } : {}
+      });
+      const serverVerifyKey = await link.getLocalVerifyPublicKey();
+      const serverExchangeKey = wantsEncryption ? await link.getLocalExchangePublicKey() : undefined;
+      const keyMaterial = wantsEncryption && hello.exchangePublicKey != null ? {
+        verifyPublicKey: hello.verifyPublicKey,
+        exchangePublicKey: hello.exchangePublicKey,
+        saltString: sessionSalt(hello.clientNonce, serverNonce),
+        infoString: handshakeInfo(dictionaryVersion),
+        bindVerifyKeysIntoDerivation: true
+      } : undefined;
+      pending = {
+        client: hello.client,
+        linkedClientId,
+        clientVerifyKey: hello.verifyPublicKey,
+        negotiatedLevel,
+        keyMaterial,
+        challenge: buildHandshakeChallenge({
+          securityLevel: negotiatedLevel,
+          dictionaryVersion,
+          clientCoordId: coordId(hello.client),
+          serverCoordId: coordId(localCoordinate),
+          clientNonce: hello.clientNonce,
+          serverNonce,
+          clientVerifyKey: hello.verifyPublicKey,
+          serverVerifyKey,
+          clientExchangeKey: hello.exchangePublicKey,
+          serverExchangeKey
+        })
+      };
+      return {
+        t: "welcome" /* welcome */,
+        securityLevel: negotiatedLevel,
+        dictionaryVersion,
+        server: localCoordinate,
+        serverNonce,
+        verifyPublicKey: serverVerifyKey,
+        exchangePublicKey: serverExchangeKey
+      };
+    },
+    async onProve(prove) {
+      if (pending == null)
+        return reject("prove before hello");
+      const signatureValid = await link.verifyChallengeFromLinkedClient({
+        linkedClientId: pending.linkedClientId,
+        challenge: pending.challenge,
+        signatureBase64: prove.signatureBase64
+      });
+      if (!signatureValid)
+        return reject("invalid client signature");
+      const trust = await verifyKeyResolver.resolve({
+        client: pending.client,
+        verifyPublicKey: pending.clientVerifyKey
+      });
+      if (!trust.trusted)
+        return reject(trust.reason ?? "client verify key not trusted");
+      result = {
+        linkedClientId: pending.linkedClientId,
+        remote: pending.client,
+        securityLevel: pending.negotiatedLevel,
+        encryptionKeyMaterial: pending.keyMaterial
+      };
+      return {
+        t: "accept" /* accept */,
+        signatureBase64: (await link.signChallenge([pending.challenge])).signatureBase64
+      };
+    },
+    getResult() {
+      return result;
+    }
+  };
+}
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsAdapter.ts
+import { pack as pack2, unpack as unpack2 } from "msgpackr";
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionWireCodec.ts
+var PayloadTypeToInt = {
+  ["request" /* request */]: 0,
+  ["result" /* result */]: 1,
+  ["progress" /* progress */]: 2
+};
+var ReversePayloadType = [
+  "request" /* request */,
+  "result" /* result */,
+  "progress" /* progress */
+];
+function buildActionRouteDictionary(domains) {
+  const routeToInt = new Map;
+  const intToRoute = [];
+  for (const dom of domains) {
+    for (const actionId of Object.keys(dom.actionSchema)) {
+      const routeKey = `${dom.domain}:${actionId}`;
+      if (routeToInt.has(routeKey))
+        continue;
+      routeToInt.set(routeKey, intToRoute.length);
+      intToRoute.push({ domain: dom.domain, id: actionId, allDomains: dom.allDomains });
+    }
+  }
+  return { routeToInt, intToRoute };
+}
+function extractWirePayload(json) {
+  if (json.type === "request" /* request */)
+    return json.input;
+  if (json.type === "result" /* result */)
+    return json.result;
+  if (json.type === "progress" /* progress */)
+    return json.progress;
+  return;
+}
+function assembleWireJson(routeMeta, payloadType, time, context, payloadData) {
+  const base = {
+    form: "data" /* data */,
+    domain: routeMeta.domain,
+    id: routeMeta.id,
+    allDomains: routeMeta.allDomains,
+    time,
+    context
+  };
+  if (payloadType === "request" /* request */) {
+    return { ...base, type: "request" /* request */, input: payloadData, inputHash: "" };
+  }
+  if (payloadType === "result" /* result */) {
+    return { ...base, type: "result" /* result */, result: payloadData, outputHash: "" };
+  }
+  return { ...base, type: "progress" /* progress */, progress: payloadData };
+}
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsAdapter.ts
+var ENVELOPE = {
+  route: 0,
+  type: 1,
+  time: 2,
+  cuid: 3,
+  originClient: 4,
+  payload: 5
+};
+var ENVELOPE_LENGTH = 6;
+function createBinaryWsAdapter(domains) {
+  const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
+  return {
+    outgoing: (input) => {
+      const json = input.action.toJsonObject();
+      const routeKey = `${json.domain}:${json.id}`;
+      const routeInt = routeToInt.get(routeKey);
+      if (routeInt == null) {
+        throw new Error(`[binary-ws] Cannot pack unregistered action route: ${routeKey}`);
+      }
+      const envelope = new Array(ENVELOPE_LENGTH);
+      envelope[ENVELOPE.route] = routeInt;
+      envelope[ENVELOPE.type] = PayloadTypeToInt[json.type];
+      envelope[ENVELOPE.time] = json.time;
+      envelope[ENVELOPE.cuid] = json.context.cuid;
+      envelope[ENVELOPE.originClient] = json.context.originClient;
+      envelope[ENVELOPE.payload] = extractWirePayload(json);
+      return pack2(envelope);
+    },
+    incoming: (frame) => {
+      let buffer;
+      if (frame instanceof ArrayBuffer) {
+        buffer = new Uint8Array(frame);
+      } else if (frame instanceof Uint8Array) {
+        buffer = frame;
+      } else {
+        return;
+      }
+      try {
+        const envelope = unpack2(buffer);
+        if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH)
+          return;
+        const routeMeta = intToRoute[envelope[ENVELOPE.route]];
+        const payloadType = ReversePayloadType[envelope[ENVELOPE.type]];
+        if (routeMeta == null || payloadType == null)
+          return;
+        const time = envelope[ENVELOPE.time];
+        const context = {
+          cuid: envelope[ENVELOPE.cuid],
+          timeCreated: time,
+          routing: [],
+          originClient: envelope[ENVELOPE.originClient]
+        };
+        return assembleWireJson(routeMeta, payloadType, time, context, envelope[ENVELOPE.payload]);
+      } catch (e) {
+        console.error("[binary-ws] Failed to unpack binary action frame", e);
+        return;
+      }
+    }
+  };
+}
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsSessionFactory.ts
+import { pack as pack3, unpack as unpack3 } from "msgpackr";
+import { nanoid as nanoid6 } from "nanoid";
+var ENVELOPE2 = {
+  route: 0,
+  type: 1,
+  corr: 2,
+  time: 3,
+  originClient: 4,
+  payload: 5
+};
+var ENVELOPE_LENGTH2 = 6;
+var DEFAULT_CORRELATION_TTL_MS = 5 * 60000;
+function isKnownIdentity(coordinate) {
+  return coordinate != null && coordinate.envId !== UNSET_RUNTIME_ENV_ID;
+}
+function pruneExpired(map, now, ttlMs) {
+  for (const [key, entry] of map) {
+    if (now - entry.time <= ttlMs)
+      break;
+    map.delete(key);
+  }
+}
+function createBinaryWsSessionFactory(domains, options) {
+  const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
+  const unknownIdentity = RuntimeCoordinate.unknown.toJsonObject();
+  const ttlMs = options?.correlationTtlMs ?? DEFAULT_CORRELATION_TTL_MS;
+  return () => {
+    let outCounter = 0;
+    const corrToCuid = new Map;
+    const cuidToCorr = new Map;
+    let selfIdentity;
+    let peerIdentity;
+    return {
+      outgoing: (input) => {
+        const json = input.action.toJsonObject();
+        const routeKey = `${json.domain}:${json.id}`;
+        const routeInt = routeToInt.get(routeKey);
+        if (routeInt == null) {
+          throw new Error(`[binary-ws] Cannot pack unregistered action route: ${routeKey}`);
+        }
+        const now = Date.now();
+        pruneExpired(corrToCuid, now, ttlMs);
+        pruneExpired(cuidToCorr, now, ttlMs);
+        let corr;
+        let wireIdentity;
+        if (json.type === "request" /* request */) {
+          corr = outCounter++;
+          corrToCuid.set(corr, { value: json.context.cuid, time: now });
+          if (selfIdentity == null && isKnownIdentity(json.context.originClient)) {
+            selfIdentity = json.context.originClient;
+            wireIdentity = json.context.originClient;
+          }
+        } else {
+          corr = cuidToCorr.get(json.context.cuid)?.value ?? -1;
+          if (json.type === "result" /* result */)
+            cuidToCorr.delete(json.context.cuid);
+        }
+        const envelope = new Array(ENVELOPE_LENGTH2);
+        envelope[ENVELOPE2.route] = routeInt;
+        envelope[ENVELOPE2.type] = PayloadTypeToInt[json.type];
+        envelope[ENVELOPE2.corr] = corr;
+        envelope[ENVELOPE2.time] = json.time;
+        envelope[ENVELOPE2.originClient] = wireIdentity;
+        envelope[ENVELOPE2.payload] = extractWirePayload(json);
+        return pack3(envelope);
+      },
+      incoming: (frame) => {
+        let buffer;
+        if (frame instanceof ArrayBuffer) {
+          buffer = new Uint8Array(frame);
+        } else if (frame instanceof Uint8Array) {
+          buffer = frame;
+        } else {
+          return;
+        }
+        try {
+          const envelope = unpack3(buffer);
+          if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH2)
+            return;
+          const routeMeta = intToRoute[envelope[ENVELOPE2.route]];
+          const payloadType = ReversePayloadType[envelope[ENVELOPE2.type]];
+          if (routeMeta == null || payloadType == null)
+            return;
+          const now = Date.now();
+          pruneExpired(corrToCuid, now, ttlMs);
+          pruneExpired(cuidToCorr, now, ttlMs);
+          const corr = envelope[ENVELOPE2.corr];
+          const time = envelope[ENVELOPE2.time];
+          const wireIdentity = envelope[ENVELOPE2.originClient];
+          let cuid;
+          let originClient;
+          if (payloadType === "request" /* request */) {
+            cuid = nanoid6();
+            cuidToCorr.set(cuid, { value: corr, time: now });
+            if (isKnownIdentity(wireIdentity))
+              peerIdentity = wireIdentity;
+            originClient = peerIdentity ?? unknownIdentity;
+          } else {
+            cuid = corrToCuid.get(corr)?.value ?? nanoid6();
+            if (payloadType === "result" /* result */)
+              corrToCuid.delete(corr);
+            originClient = selfIdentity ?? unknownIdentity;
+          }
+          const context = { cuid, timeCreated: time, routing: [], originClient };
+          return assembleWireJson(routeMeta, payloadType, time, context, envelope[ENVELOPE2.payload]);
+        } catch (e) {
+          console.error("[binary-ws] Failed to unpack binary action session frame", e);
+          return;
+        }
+      }
+    };
+  };
+}
+// src/utils/decodeActionFrame.ts
+function decodeActionFrame(frame, decoder) {
+  const decoded = decoder?.incoming?.(frame) ?? (typeof frame === "string" ? parseJsonActionFrame(frame) : undefined);
+  return decoded != null && isActionPayload_Any_JsonObject(decoded) ? decoded : undefined;
+}
+function parseJsonActionFrame(message) {
+  try {
+    const json = JSON.parse(message);
+    return isActionPayload_Any_JsonObject(json) ? json : undefined;
+  } catch {
+    return;
+  }
+}
 // src/ActionRuntime/Handler/ExternalClient/Transport/helpers/createUnsetTransportResolvers.ts
 var createUnsetTransportResolvers = (type) => ({
   onIncomingActionDataJson: (json) => {
@@ -2347,6 +2947,20 @@ var createUnsetTransportResolvers = (type) => ({
 });
 // src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/ws_util.ts
+function sendFrame(ws, data) {
+  if (typeof data === "string" || data instanceof ArrayBuffer) {
+    ws.send(data);
+    return;
+  }
+  ws.send(new Uint8Array(data));
+}
+function toFrameBytes(frame) {
+  if (typeof frame === "string")
+    return new TextEncoder().encode(frame);
+  if (frame instanceof ArrayBuffer)
+    return new Uint8Array(frame);
+  return frame;
+}
 function shortWs(url) {
   try {
     const u = new URL(url);
@@ -2357,6 +2971,8 @@ function shortWs(url) {
 }
 // src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/WebSocketConnection.ts
+var HANDSHAKE_TIMEOUT_MS = 15000;
 class WebSocketConnection extends TransportConnection {
   resolvers;
   _abortSet = new Set;
@@ -2375,16 +2991,13 @@ class WebSocketConnection extends TransportConnection {
     }
     if (transportStatusInfo.status === "ready" /* ready */) {
       const ws = transportStatusInfo.readyData.ws;
-      if (ws.readyState !== WebSocket.OPEN) {
+      if (ws.readyState !== WebSocket.OPEN || this._isSecure(transportStatusInfo.readyData)) {
+        const readyData = transportStatusInfo.readyData;
         const initialization = async () => {
-          await new Promise((resolve, reject) => {
-            ws.addEventListener("open", () => resolve(), { once: true });
-            ws.addEventListener("error", (event) => reject(event), { once: true });
-            ws.addEventListener("close", (event) => reject(new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
-          });
+          await this._awaitOpen(ws);
           return {
             status: "ready" /* ready */,
-            readyData: this._finalizeTransportMethods(transportStatusInfo.readyData)
+            readyData: await this._finalize(readyData)
           };
         };
         return {
@@ -2397,15 +3010,10 @@ class WebSocketConnection extends TransportConnection {
     if (transportStatusInfo.status === "initializing" /* initializing */) {
       const promiseForReadyData = transportStatusInfo.initializationPromise.then(async (result) => {
         if (result.status === "ready" /* ready */) {
-          const ws = result.readyData.ws;
-          await new Promise((resolve, reject) => {
-            ws.addEventListener("open", () => resolve(), { once: true });
-            ws.addEventListener("error", (event) => reject(event), { once: true });
-            ws.addEventListener("close", (event) => reject(new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
-          });
+          await this._awaitOpen(result.readyData.ws);
           return {
             status: "ready" /* ready */,
-            readyData: this._finalizeTransportMethods(result.readyData)
+            readyData: await this._finalize(result.readyData)
           };
         }
         return result;
@@ -2432,11 +3040,120 @@ class WebSocketConnection extends TransportConnection {
       summary: `ws ${shortWs(this._liveSocketUrl)}`
     };
   }
+  _isSecure(wsData) {
+    return wsData.secureChannel != null && wsData.secureChannel.securityLevel !== "none" /* none */;
+  }
+  _awaitOpen(ws) {
+    if (ws.readyState === WebSocket.OPEN)
+      return Promise.resolve();
+    return new Promise((resolve, reject2) => {
+      ws.addEventListener("open", () => resolve(), { once: true });
+      ws.addEventListener("error", (event) => reject2(event), { once: true });
+      ws.addEventListener("close", (event) => reject2(new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
+    });
+  }
+  _finalize(wsData) {
+    return this._isSecure(wsData) ? this._finalizeSecureMethods(wsData) : this._finalizeTransportMethods(wsData);
+  }
   _finalizeTransportMethods(wsData) {
     const ws = wsData.ws;
     const disconnectListeners = [];
-    if (ws.url != null && ws.url !== "")
-      this._liveSocketUrl = ws.url;
+    this._captureSocketUrl(ws);
+    this._attachLifecycle(ws, disconnectListeners);
+    ws.addEventListener("message", async (event) => {
+      const frame = await this._normalizeFrame(event.data);
+      if (frame !== undefined)
+        await this._handleIncomingActionFrame(frame, wsData, undefined);
+    });
+    return this._buildSendMethods(ws, wsData, undefined, disconnectListeners);
+  }
+  async _finalizeSecureMethods(wsData) {
+    const ws = wsData.ws;
+    const disconnectListeners = [];
+    this._captureSocketUrl(ws);
+    this._attachLifecycle(ws, disconnectListeners);
+    let active = false;
+    let crypto;
+    const handshakeQueue = [];
+    const handshakeWaiters = [];
+    const pendingActionFrames = [];
+    ws.addEventListener("message", async (event) => {
+      const frame = await this._normalizeFrame(event.data);
+      if (frame === undefined)
+        return;
+      if (active) {
+        await this._handleIncomingActionFrame(frame, wsData, crypto);
+        return;
+      }
+      if (typeof frame === "string") {
+        const message = decodeHandshakeMessage(frame);
+        if (message != null) {
+          const waiter = handshakeWaiters.shift();
+          if (waiter != null)
+            waiter(message);
+          else
+            handshakeQueue.push(message);
+          return;
+        }
+      }
+      pendingActionFrames.push(frame);
+    });
+    const nextHandshakeMessage = () => {
+      const queued = handshakeQueue.shift();
+      if (queued != null)
+        return Promise.resolve(queued);
+      return new Promise((resolve, reject2) => {
+        const timeout = setTimeout(() => reject2(new Error("[ws-handshake] timed out waiting for server reply")), HANDSHAKE_TIMEOUT_MS);
+        handshakeWaiters.push((message) => {
+          clearTimeout(timeout);
+          resolve(message);
+        });
+      });
+    };
+    crypto = await this._runClientHandshake(ws, wsData.secureChannel, nextHandshakeMessage);
+    active = true;
+    for (const frame of pendingActionFrames)
+      await this._handleIncomingActionFrame(frame, wsData, crypto);
+    pendingActionFrames.length = 0;
+    return this._buildSendMethods(ws, wsData, crypto, disconnectListeners);
+  }
+  async _runClientHandshake(ws, secure, nextHandshakeMessage) {
+    await secure.link.initialize();
+    const handshake = createClientHandshake({
+      link: secure.link,
+      localCoordinate: secure.localCoordinate,
+      dictionaryVersion: secure.dictionaryVersion,
+      securityLevel: secure.securityLevel
+    });
+    sendFrame(ws, encodeHandshakeMessage(await handshake.createHello()));
+    const welcome = await nextHandshakeMessage();
+    if (welcome.t === "reject" /* reject */) {
+      throw new Error(`[ws-handshake] rejected by server: ${welcome.reason}`);
+    }
+    if (welcome.t !== "welcome" /* welcome */) {
+      throw new Error(`[ws-handshake] expected welcome, got ${welcome.t}`);
+    }
+    sendFrame(ws, encodeHandshakeMessage(await handshake.onWelcome(welcome)));
+    const accept = await nextHandshakeMessage();
+    if (accept.t === "reject" /* reject */) {
+      throw new Error(`[ws-handshake] rejected by server: ${accept.reason}`);
+    }
+    if (accept.t !== "accept" /* accept */) {
+      throw new Error(`[ws-handshake] expected accept, got ${accept.t}`);
+    }
+    const result = await handshake.onAccept(accept);
+    return result.securityLevel === "encrypted" /* encrypted */ ? createActionFrameCrypto({ link: secure.link, linkedClientId: result.linkedClientId }) : undefined;
+  }
+  _buildSendMethods(ws, wsData, crypto, disconnectListeners) {
+    let sendChain = Promise.resolve();
+    const enqueueSend = (frame) => {
+      if (crypto == null) {
+        sendFrame(ws, frame);
+        return;
+      }
+      const bytes = toFrameBytes(frame);
+      sendChain = sendChain.then(() => crypto.encryptFrame(bytes)).then((encrypted) => sendFrame(ws, encrypted)).catch((err4) => console.error("[ws] failed to encrypt/send frame", err4));
+    };
     const sendActionData = (inputs) => {
       const { action, runningAction, timeout } = inputs;
       if (action.type === "request" /* request */) {
@@ -2453,16 +3170,49 @@ class WebSocketConnection extends TransportConnection {
           }
         ]);
       }
-      ws.send(wsData.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
+      enqueueSend(wsData.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
     };
-    ws.addEventListener("message", (event) => {
-      if (typeof event.data === "string") {
-        const rawJson = wsData.formatMessage?.incoming?.(event.data) ?? this._parseActionMessage(event.data);
-        if (rawJson != null && isActionPayload_Any_JsonObject(rawJson)) {
-          this.resolvers.onIncomingActionDataJson(rawJson);
-        }
+    return {
+      sendActionData,
+      updateRunConfig: wsData.updateRunConfig,
+      addOnDisconnectListener: (cb) => {
+        disconnectListeners.push(cb);
+      },
+      sendReturnData: (payload, clients) => {
+        const formatted = clients != null ? wsData.formatMessage?.outgoing({ action: payload, ...clients }) : undefined;
+        enqueueSend(formatted ?? JSON.stringify(payload.toJsonObject()));
       }
-    });
+    };
+  }
+  async _handleIncomingActionFrame(frame, wsData, crypto) {
+    let decoded = frame;
+    if (crypto != null) {
+      try {
+        decoded = await crypto.decryptFrame(frame);
+      } catch (err4) {
+        console.error("[ws] failed to decrypt incoming frame", err4);
+        return;
+      }
+    }
+    const rawJson = decodeActionFrame(decoded, wsData.formatMessage);
+    if (rawJson != null) {
+      this.resolvers.onIncomingActionDataJson(rawJson);
+    }
+  }
+  async _normalizeFrame(data) {
+    if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) {
+      return data;
+    }
+    if (typeof Blob !== "undefined" && data instanceof Blob) {
+      return await data.arrayBuffer();
+    }
+    return;
+  }
+  _captureSocketUrl(ws) {
+    if (ws.url != null && ws.url !== "")
+      this._liveSocketUrl = ws.url;
+  }
+  _attachLifecycle(ws, disconnectListeners) {
     ws.addEventListener("close", (event) => {
       console.error("WebSocket closed:", event);
       for (const cb of disconnectListeners)
@@ -2477,25 +3227,6 @@ class WebSocketConnection extends TransportConnection {
         originalError: event instanceof Error ? event : undefined
       }));
     });
-    return {
-      sendActionData,
-      updateRunConfig: wsData.updateRunConfig,
-      addOnDisconnectListener: (cb) => {
-        disconnectListeners.push(cb);
-      },
-      sendReturnData: (payload) => {
-        ws.send(JSON.stringify(payload.toJsonObject()));
-      }
-    };
-  }
-  _parseActionMessage(message) {
-    let json;
-    try {
-      json = JSON.parse(message);
-    } catch {
-      return;
-    }
-    return isActionPayload_Any_JsonObject(json) ? json : undefined;
   }
   _abortAll(error) {
     const snapshot = [...this._abortSet];
@@ -2529,8 +3260,9 @@ class WebSocketTransport extends Transport {
         status: "ready" /* ready */,
         readyData: {
           ws: options.createWebSocket(input),
-          formatMessage: options.formatMessage,
-          updateRunConfig: options.updateRunConfig
+          formatMessage: options.createFormatMessage?.() ?? options.formatMessage,
+          updateRunConfig: options.updateRunConfig,
+          secureChannel: options.security
         }
       });
     }
@@ -2550,7 +3282,322 @@ class WebSocketTransport extends Transport {
     };
   }
 }
+// src/ActionRuntime/Handler/Server/ActionServerHandler.ts
+class ActionServerHandler extends ActionExternalClientHandler {
+  _formatMessage;
+  _createFormatMessage;
+  _send;
+  _serverTimeout;
+  _onConnectionBound;
+  _incomingListeners = [];
+  _security;
+  _allowedLevels;
+  _noneAllowed;
+  _handshakeMode;
+  _connByClient = new Map;
+  _clientByConn = new Map;
+  _connEncoding = new Map;
+  _codecByConn = new Map;
+  _handshakeByConn = new Map;
+  _cryptoByConn = new Map;
+  _authedConns = new Set;
+  _plainConns = new Set;
+  _inboundChainByConn = new Map;
+  _outboundChainByConn = new Map;
+  constructor(options) {
+    super({ runtimeCoordinate: options.clientEnv, transports: [] });
+    this._formatMessage = options.formatMessage;
+    this._createFormatMessage = options.createFormatMessage;
+    this._send = options.send;
+    this._serverTimeout = options.defaultTimeout ?? DEFAULT_TRANSPORT_TIMEOUT;
+    this._onConnectionBound = options.onConnectionBound;
+    this._security = options.security;
+    this._allowedLevels = options.security == null ? [] : Array.isArray(options.security.securityLevel) ? options.security.securityLevel : [options.security.securityLevel];
+    this._noneAllowed = this._allowedLevels.includes("none" /* none */);
+    this._handshakeMode = this._allowedLevels.some((level) => level !== "none" /* none */);
+  }
+  _codecFor(connection) {
+    if (this._createFormatMessage != null) {
+      let codec = this._codecByConn.get(connection);
+      if (codec == null) {
+        codec = this._createFormatMessage();
+        this._codecByConn.set(connection, codec);
+      }
+      return codec;
+    }
+    if (this._formatMessage != null)
+      return this._formatMessage;
+    throw err_nice_transport.fromId("not_found" /* not_found */, {
+      actionId: "server-handler-codec (provide formatMessage or createFormatMessage)"
+    });
+  }
+  _setIncomingActionDataListener(listener) {
+    this._incomingListeners.push(listener);
+  }
+  receive(connection, frame) {
+    if (this._security == null || !this._handshakeMode) {
+      this._receivePlain(connection, frame);
+      return;
+    }
+    const previous = this._inboundChainByConn.get(connection) ?? Promise.resolve();
+    const next = previous.then(() => this._receiveSecure(connection, frame)).catch((err4) => console.error("[ws-server] failed to process inbound frame", err4));
+    this._inboundChainByConn.set(connection, next);
+  }
+  _receivePlain(connection, frame) {
+    const wire = decodeActionFrame(frame, this._codecFor(connection));
+    if (wire == null)
+      return;
+    const encoding = typeof frame === "string" ? "json" : "binary";
+    this._connEncoding.set(connection, encoding);
+    if (wire.type === "request" /* request */) {
+      this._resolveRequestIdentity(connection, wire, encoding);
+    }
+    for (const listener of this._incomingListeners)
+      listener(wire);
+  }
+  async _receiveSecure(connection, frame) {
+    const security = this._security;
+    if (security == null)
+      return;
+    if (this._plainConns.has(connection)) {
+      this._receivePlain(connection, frame);
+      return;
+    }
+    if (!this._authedConns.has(connection)) {
+      const message = typeof frame === "string" ? decodeHandshakeMessage(frame) : undefined;
+      if (message == null) {
+        if (this._noneAllowed) {
+          this._plainConns.add(connection);
+          this._receivePlain(connection, frame);
+        }
+        return;
+      }
+      await security.link.initialize();
+      let handshake = this._handshakeByConn.get(connection);
+      if (handshake == null) {
+        handshake = createServerHandshake({
+          link: security.link,
+          localCoordinate: security.localCoordinate,
+          dictionaryVersion: security.dictionaryVersion,
+          securityLevel: security.securityLevel,
+          verifyKeyResolver: security.verifyKeyResolver
+        });
+        this._handshakeByConn.set(connection, handshake);
+      }
+      if (message.t === "hello" /* hello */) {
+        this._send(connection, encodeHandshakeMessage(await handshake.onHello(message)));
+      } else if (message.t === "prove" /* prove */) {
+        const reply = await handshake.onProve(message);
+        this._send(connection, encodeHandshakeMessage(reply));
+        const result = handshake.getResult();
+        if (reply.t === "accept" /* accept */ && result != null) {
+          this._completeServerHandshake(connection, result);
+        }
+      }
+      return;
+    }
+    let bytes = frame;
+    const cryptoReady = this._cryptoByConn.get(connection);
+    if (cryptoReady != null) {
+      try {
+        bytes = await (await cryptoReady).decryptFrame(frame);
+      } catch (err4) {
+        console.error("[ws-server] failed to decrypt inbound frame", err4);
+        return;
+      }
+    }
+    const wire = decodeActionFrame(bytes, this._codecFor(connection));
+    if (wire == null)
+      return;
+    if (wire.type === "request" /* request */) {
+      const bound = this._clientByConn.get(connection);
+      if (bound != null)
+        wire.context.originClient = bound.toJsonObject();
+    }
+    for (const listener of this._incomingListeners)
+      listener(wire);
+  }
+  _completeServerHandshake(connection, result) {
+    const clientCoord = new RuntimeCoordinate(result.remote);
+    this._bindConnection(connection, clientCoord);
+    this._connEncoding.set(connection, "binary");
+    this._authedConns.add(connection);
+    this._handshakeByConn.delete(connection);
+    if (result.securityLevel === "encrypted" /* encrypted */ && this._security != null) {
+      this._cryptoByConn.set(connection, Promise.resolve(createActionFrameCrypto({
+        link: this._security.link,
+        linkedClientId: result.linkedClientId
+      })));
+    }
+    this._onConnectionBound?.(connection, {
+      client: clientCoord.toJsonObject(),
+      encoding: "binary",
+      secure: {
+        securityLevel: result.securityLevel,
+        linkedClientId: result.linkedClientId,
+        keyMaterial: result.encryptionKeyMaterial
+      }
+    });
+  }
+  _resolveRequestIdentity(connection, wire, encoding) {
+    const wireOrigin = wire.context.originClient;
+    if (wireOrigin != null && wireOrigin.envId !== UNSET_RUNTIME_ENV_ID) {
+      const clientCoord = new RuntimeCoordinate(wireOrigin);
+      const isNewBinding = this._clientByConn.get(connection)?.stringId !== clientCoord.stringId;
+      this._bindConnection(connection, clientCoord);
+      if (isNewBinding) {
+        this._onConnectionBound?.(connection, { client: clientCoord.toJsonObject(), encoding });
+      }
+      return;
+    }
+    const bound = this._clientByConn.get(connection);
+    if (bound != null)
+      wire.context.originClient = bound.toJsonObject();
+  }
+  rehydrateConnection(connection, binding) {
+    this._bindConnection(connection, new RuntimeCoordinate(binding.client));
+    this._connEncoding.set(connection, binding.encoding);
+    const secure = binding.secure;
+    if (secure == null)
+      return;
+    this._authedConns.add(connection);
+    if (secure.securityLevel === "encrypted" /* encrypted */ && secure.keyMaterial != null && this._security != null) {
+      const security = this._security;
+      const { linkedClientId, keyMaterial } = secure;
+      const cryptoReady = security.link.initialize().then(() => security.link.linkClient({
+        linkedClientId,
+        verifyPublicKey: keyMaterial.verifyPublicKey,
+        exchangePublicKey: keyMaterial.exchangePublicKey,
+        saltString: keyMaterial.saltString,
+        infoString: keyMaterial.infoString,
+        bindVerifyKeysIntoDerivation: keyMaterial.bindVerifyKeysIntoDerivation
+      })).then(() => createActionFrameCrypto({ link: security.link, linkedClientId }));
+      this._cryptoByConn.set(connection, cryptoReady);
+      const gate = cryptoReady.then(() => {}, (err4) => console.error("[ws-server] failed to restore encrypted session", err4));
+      this._inboundChainByConn.set(connection, gate);
+      this._outboundChainByConn.set(connection, gate);
+    }
+  }
+  toHandlerRouteItem() {
+    return {
+      type: this.handlerType,
+      client: this.externalClient,
+      transType: "custom" /* custom */,
+      transOrd: 0
+    };
+  }
+  dropConnection(connection) {
+    const coord = this._clientByConn.get(connection);
+    if (coord != null && this._connByClient.get(coord.stringId) === connection) {
+      this._connByClient.delete(coord.stringId);
+    }
+    this._clientByConn.delete(connection);
+    this._connEncoding.delete(connection);
+    this._codecByConn.delete(connection);
+    this._handshakeByConn.delete(connection);
+    this._cryptoByConn.delete(connection);
+    this._authedConns.delete(connection);
+    this._plainConns.delete(connection);
+    this._inboundChainByConn.delete(connection);
+    this._outboundChainByConn.delete(connection);
+  }
+  getConnectionForClient(client) {
+    return this._connByClient.get(client.stringId);
+  }
+  pushToClient(runtime2, target, request, options) {
+    const connection = this._resolveConnection(target);
+    return this._dispatch(runtime2, connection, request, options?.timeout);
+  }
+  async sendReturnPayload(payload, config) {
+    const connection = this._connByClient.get(payload.context.originClient.stringId);
+    if (connection == null)
+      return false;
+    this._sendPayload(connection, payload, config.targetLocalRuntime.coordinate);
+    return true;
+  }
+  async handleActionRequest(action, config) {
+    const runtime2 = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
+    const connection = this._resolveSingleConnection();
+    return this._dispatch(runtime2, connection, action, config?.timeout);
+  }
+  _dispatch(runtime2, connection, action, timeout) {
+    const timeoutMs = timeout ?? this._serverTimeout;
+    action.context._setOriginClient(runtime2.coordinate);
+    action.context.addRouteItem({
+      runtime: runtime2.coordinate,
+      handler: this.toHandlerRouteItem(),
+      time: Date.now()
+    });
+    const runningAction = new RunningAction({
+      context: action.context,
+      request: action,
+      parentCuid: peekHandlerCuid(),
+      callSite: action._callSite
+    });
+    runtime2.registerRunningAction(runningAction);
+    const timeoutId = setTimeout(() => {
+      runningAction._abort(err_nice_transport.fromId("timeout" /* timeout */, { timeout: timeoutMs }));
+    }, timeoutMs);
+    runningAction.addUpdateListeners([
+      (update) => {
+        if (update.type === "finished" /* finished */)
+          clearTimeout(timeoutId);
+      }
+    ]);
+    try {
+      this._sendPayload(connection, action, runtime2.coordinate);
+    } catch (err4) {
+      runningAction._abort(err4);
+    }
+    return runningAction;
+  }
+  _sendPayload(connection, payload, localClient) {
+    const encoding = this._connEncoding.get(connection) ?? "binary";
+    const frame = encoding === "json" ? JSON.stringify(payload.toJsonObject()) : this._codecFor(connection).outgoing({
+      action: payload,
+      localClient,
+      externalClient: this.externalClient
+    });
+    const cryptoReady = this._cryptoByConn.get(connection);
+    if (cryptoReady == null) {
+      this._send(connection, frame);
+      return;
+    }
+    const bytes = toFrameBytes(frame);
+    const previous = this._outboundChainByConn.get(connection) ?? Promise.resolve();
+    const next = previous.then(() => cryptoReady).then((crypto) => crypto.encryptFrame(bytes)).then((encrypted) => this._send(connection, encrypted)).catch((err4) => console.error("[ws-server] failed to encrypt/send frame", err4));
+    this._outboundChainByConn.set(connection, next);
+  }
+  _bindConnection(connection, client) {
+    this._connByClient.set(client.stringId, connection);
+    this._clientByConn.set(connection, client);
+  }
+  _resolveConnection(target) {
+    if (target instanceof RuntimeCoordinate) {
+      const connection = this._connByClient.get(target.stringId);
+      if (connection == null) {
+        throw err_nice_transport.fromId("not_found" /* not_found */, {
+          actionId: target.stringId
+        });
+      }
+      return connection;
+    }
+    return target;
+  }
+  _resolveSingleConnection() {
+    if (this._clientByConn.size !== 1) {
+      throw err_nice_transport.fromId("not_found" /* not_found */, {
+        actionId: "server-handler-target (use pushToClient with an explicit connection or client coordinate)"
+      });
+    }
+    return this._clientByConn.keys().next().value;
+  }
+}
+var createServerHandler = (options) => {
+  return new ActionServerHandler(options);
+};
 export {
+  runtimeLinkId,
   isActionPayload_Result_JsonObject,
   isActionPayload_Request_JsonObject,
   isActionPayload_Any_JsonObject,
@@ -2558,9 +3605,20 @@ export {
   err_nice_transport,
   err_nice_external_client,
   err_nice_action,
+  encodeHandshakeMessage,
+  decodeHandshakeMessage,
+  decodeActionFrame,
+  createStorageTofuVerifyKeyResolver,
+  createServerHandshake,
+  createServerHandler,
   createLocalHandler,
+  createInMemoryTofuVerifyKeyResolver,
   createExternalClientHandler,
+  createClientHandshake,
+  createBinaryWsSessionFactory,
+  createBinaryWsAdapter,
   createActionRootDomain,
+  createActionFrameCrypto,
   actionSchema,
   WebSocketTransport,
   Transport,
@@ -2569,15 +3627,18 @@ export {
   HttpTransport,
   ETransportType,
   ETransportStatus,
+  ESecurityLevel,
   ERunningActionUpdateType,
   ERunningActionState,
   ERunningActionFinishedType,
+  EHandshakeMessageType,
   EErrId_NiceTransport_WebSocket,
   EErrId_NiceTransport,
   EErrId_NiceAction,
   EActionProgressType,
   EActionPayloadType,
   CustomTransport,
+  ActionServerHandler,
   ActionSchema,
   ActionRuntime,
   ActionRootDomain,