@nice-code/action 0.6.0 → 0.6.2

package/build/index.js

@@ -965,6 +965,7 @@ class ActionRuntime {
   }
   async handleActionPayload(action, options) {
     if (action.type === "request" /* request */) {
+      const observers = action.context._domain._collectActionObservers();
       let handlerForAction;
       try {
         handlerForAction = this.getHandlerForActionOrThrow(action, options);
@@ -973,6 +974,7 @@ class ActionRuntime {
           context: action.context,
           request: action
         });
+        runningAction2.addUpdateListeners(observers);
         runningAction2._completeWithResult(action.errorResult(castNiceError(err2)));
         return runningAction2;
       }
@@ -980,6 +982,7 @@ class ActionRuntime {
         ...options,
         targetLocalRuntime: this
       });
+      runningAction.addUpdateListeners(observers);
       this._trySetupReturnDispatch(runningAction);
       return runningAction;
     }
@@ -1293,6 +1296,9 @@ class ActionDomainBase {
       this._listeners = this._listeners.filter((l) => l !== listener);
     };
   }
+  _getActionObservers() {
+    return this._listeners;
+  }
 }
 
 // src/ActionDefinition/Domain/ActionDomain.ts
@@ -1309,6 +1315,9 @@ class ActionDomain extends ActionDomainBase {
   get rootDomain() {
     return this._rootDomain;
   }
+  _collectActionObservers() {
+    return [...this._rootDomain._getActionObservers(), ...this._getActionObservers()];
+  }
   _registerRuntime(runtime2) {
     this._rootDomain._registerRuntime(runtime2);
   }
@@ -1975,7 +1984,7 @@ class ActionExternalClientHandler extends ActionHandler {
       });
       if (methods.sendReturnData == null)
         return false;
-      methods.sendReturnData(payload);
+      methods.sendReturnData(payload, { localClient, externalClient: this.externalClient });
       return true;
     } catch {
       return false;
@@ -2339,6 +2348,606 @@ class HttpTransport extends Transport {
     };
   }
 }
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionFrameCrypto.ts
+import { pack, unpack } from "msgpackr";
+var ENCRYPTED_ENVELOPE_LENGTH = 2;
+function createActionFrameCrypto({
+  link,
+  linkedClientId
+}) {
+  return {
+    async encryptFrame(frame) {
+      const { nonce, ciphertext } = await link.encryptBytesForLinkedClient({
+        linkedClientId,
+        dataToEncrypt: frame
+      });
+      return pack([nonce, ciphertext]);
+    },
+    async decryptFrame(frame) {
+      if (typeof frame === "string") {
+        throw new Error("[ws-crypto] expected an encrypted binary frame, received text");
+      }
+      const buffer = frame instanceof ArrayBuffer ? new Uint8Array(frame) : frame;
+      const envelope = unpack(buffer);
+      if (!Array.isArray(envelope) || envelope.length !== ENCRYPTED_ENVELOPE_LENGTH) {
+        throw new Error("[ws-crypto] malformed encrypted frame envelope");
+      }
+      const [nonce, ciphertext] = envelope;
+      if (!(nonce instanceof Uint8Array) || !(ciphertext instanceof Uint8Array)) {
+        throw new Error("[ws-crypto] malformed encrypted frame fields");
+      }
+      return await link.decryptBytesFromLinkedClient({
+        linkedClientId,
+        dataToDecrypt: { nonce, ciphertext }
+      });
+    }
+  };
+}
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionWsHandshake.ts
+import {
+  createTypedStorage
+} from "@nice-code/util";
+import { nanoid as nanoid5 } from "nanoid";
+import * as v from "valibot";
+var HANDSHAKE_PROTOCOL = "nice-ws-hs/1";
+var ESecurityLevel;
+((ESecurityLevel2) => {
+  ESecurityLevel2["none"] = "none";
+  ESecurityLevel2["authenticated"] = "authenticated";
+  ESecurityLevel2["encrypted"] = "encrypted";
+})(ESecurityLevel ||= {});
+var EHandshakeMessageType;
+((EHandshakeMessageType2) => {
+  EHandshakeMessageType2["hello"] = "hello";
+  EHandshakeMessageType2["welcome"] = "welcome";
+  EHandshakeMessageType2["prove"] = "prove";
+  EHandshakeMessageType2["accept"] = "accept";
+  EHandshakeMessageType2["reject"] = "reject";
+})(EHandshakeMessageType ||= {});
+var vEd25519Raw = v.custom((val) => typeof val === "string" && val.startsWith("ed25519::raw_base64::"));
+var vX25519Raw = v.custom((val) => typeof val === "string" && val.startsWith("x25519::raw_base64::"));
+var vCoordinate = v.object({
+  envId: v.string(),
+  perId: v.optional(v.string()),
+  insId: v.optional(v.string())
+});
+var vSecurityLevel = v.picklist([
+  "none" /* none */,
+  "authenticated" /* authenticated */,
+  "encrypted" /* encrypted */
+]);
+var vHsHello = v.object({
+  t: v.literal("hello" /* hello */),
+  protocol: v.string(),
+  securityLevel: vSecurityLevel,
+  dictionaryVersion: v.string(),
+  client: vCoordinate,
+  clientNonce: v.string(),
+  verifyPublicKey: vEd25519Raw,
+  exchangePublicKey: v.optional(vX25519Raw)
+});
+var vHsWelcome = v.object({
+  t: v.literal("welcome" /* welcome */),
+  securityLevel: vSecurityLevel,
+  dictionaryVersion: v.string(),
+  server: vCoordinate,
+  serverNonce: v.string(),
+  verifyPublicKey: vEd25519Raw,
+  exchangePublicKey: v.optional(vX25519Raw)
+});
+var vHsProve = v.object({
+  t: v.literal("prove" /* prove */),
+  signatureBase64: v.string()
+});
+var vHsAccept = v.object({
+  t: v.literal("accept" /* accept */),
+  signatureBase64: v.optional(v.string())
+});
+var vHsReject = v.object({
+  t: v.literal("reject" /* reject */),
+  reason: v.string()
+});
+var vHandshakeMessage = v.variant("t", [vHsHello, vHsWelcome, vHsProve, vHsAccept, vHsReject]);
+function encodeHandshakeMessage(message) {
+  return JSON.stringify(message);
+}
+function decodeHandshakeMessage(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return;
+  }
+  const result = v.safeParse(vHandshakeMessage, parsed);
+  return result.success ? result.output : undefined;
+}
+function runtimeLinkId(coordinate) {
+  return `runtime::${new RuntimeCoordinate(coordinate).stringId}`;
+}
+function coordId(coordinate) {
+  return new RuntimeCoordinate(coordinate).stringId;
+}
+function sessionSalt(clientNonce, serverNonce) {
+  return `${clientNonce}::${serverNonce}`;
+}
+function handshakeInfo(dictionaryVersion) {
+  return `${HANDSHAKE_PROTOCOL}::${dictionaryVersion}`;
+}
+function buildHandshakeChallenge(parts) {
+  return JSON.stringify([
+    HANDSHAKE_PROTOCOL,
+    parts.securityLevel,
+    parts.dictionaryVersion,
+    parts.clientCoordId,
+    parts.serverCoordId,
+    parts.clientNonce,
+    parts.serverNonce,
+    parts.clientVerifyKey,
+    parts.serverVerifyKey,
+    parts.clientExchangeKey ?? "_",
+    parts.serverExchangeKey ?? "_"
+  ]);
+}
+function reject(reason) {
+  return { t: "reject" /* reject */, reason };
+}
+function tofuPinKey(client) {
+  return `${client.envId}::${client.perId ?? client.insId ?? "_"}`;
+}
+function createInMemoryTofuVerifyKeyResolver() {
+  const pinned = new Map;
+  return {
+    async resolve({ client, verifyPublicKey }) {
+      const key = tofuPinKey(client);
+      const existing = pinned.get(key);
+      if (existing == null) {
+        pinned.set(key, verifyPublicKey);
+        return { trusted: true };
+      }
+      if (existing === verifyPublicKey)
+        return { trusted: true };
+      return { trusted: false, reason: "verify key changed for client identity (pin mismatch)" };
+    }
+  };
+}
+function createStorageTofuVerifyKeyResolver(storageAdapter) {
+  const storage = createTypedStorage({ storageAdapter });
+  return {
+    async resolve({ client, verifyPublicKey }) {
+      const key = tofuPinKey(client);
+      const existing = (await storage.getJson("pins"))?.[key];
+      if (existing == null) {
+        await storage.updateJsonWithDef("pins", {}, (current) => ({
+          ...current,
+          [key]: verifyPublicKey
+        }));
+        return { trusted: true };
+      }
+      if (existing === verifyPublicKey)
+        return { trusted: true };
+      return { trusted: false, reason: "verify key changed for client identity (pin mismatch)" };
+    }
+  };
+}
+function createClientHandshake(config) {
+  const { link, localCoordinate, dictionaryVersion, securityLevel } = config;
+  const wantsEncryption = securityLevel === "encrypted" /* encrypted */;
+  const clientNonce = nanoid5();
+  let pending;
+  return {
+    async createHello() {
+      return {
+        t: "hello" /* hello */,
+        protocol: HANDSHAKE_PROTOCOL,
+        securityLevel,
+        dictionaryVersion,
+        client: localCoordinate,
+        clientNonce,
+        verifyPublicKey: await link.getLocalVerifyPublicKey(),
+        exchangePublicKey: wantsEncryption ? await link.getLocalExchangePublicKey() : undefined
+      };
+    },
+    async onWelcome(welcome) {
+      if (welcome.dictionaryVersion !== dictionaryVersion) {
+        throw new Error("[ws-handshake] server dictionary version mismatch");
+      }
+      if (welcome.securityLevel !== securityLevel) {
+        throw new Error("[ws-handshake] server security level mismatch");
+      }
+      if (wantsEncryption && welcome.exchangePublicKey == null) {
+        throw new Error("[ws-handshake] server did not provide an exchange key for encryption");
+      }
+      const linkedServerId = runtimeLinkId(welcome.server);
+      await link.linkClient({
+        linkedClientId: linkedServerId,
+        verifyPublicKey: welcome.verifyPublicKey,
+        ...wantsEncryption ? {
+          exchangePublicKey: welcome.exchangePublicKey,
+          saltString: sessionSalt(clientNonce, welcome.serverNonce),
+          infoString: handshakeInfo(dictionaryVersion),
+          bindVerifyKeysIntoDerivation: true
+        } : {}
+      });
+      const challenge = buildHandshakeChallenge({
+        securityLevel,
+        dictionaryVersion,
+        clientCoordId: coordId(localCoordinate),
+        serverCoordId: coordId(welcome.server),
+        clientNonce,
+        serverNonce: welcome.serverNonce,
+        clientVerifyKey: await link.getLocalVerifyPublicKey(),
+        serverVerifyKey: welcome.verifyPublicKey,
+        clientExchangeKey: wantsEncryption ? await link.getLocalExchangePublicKey() : undefined,
+        serverExchangeKey: welcome.exchangePublicKey
+      });
+      pending = { linkedServerId, server: welcome.server, challenge };
+      return {
+        t: "prove" /* prove */,
+        signatureBase64: (await link.signChallenge([challenge])).signatureBase64
+      };
+    },
+    async onAccept(accept) {
+      if (pending == null)
+        throw new Error("[ws-handshake] accept before welcome");
+      if (accept.signatureBase64 != null) {
+        const valid = await link.verifyChallengeFromLinkedClient({
+          linkedClientId: pending.linkedServerId,
+          challenge: pending.challenge,
+          signatureBase64: accept.signatureBase64
+        });
+        if (!valid)
+          throw new Error("[ws-handshake] server signature invalid");
+      }
+      return { linkedClientId: pending.linkedServerId, remote: pending.server, securityLevel };
+    }
+  };
+}
+function createServerHandshake(config) {
+  const { link, localCoordinate, dictionaryVersion } = config;
+  const allowedLevels = Array.isArray(config.securityLevel) ? config.securityLevel : [config.securityLevel];
+  const verifyKeyResolver = config.verifyKeyResolver ?? createInMemoryTofuVerifyKeyResolver();
+  const serverNonce = nanoid5();
+  let pending;
+  let result;
+  return {
+    async onHello(hello) {
+      if (hello.protocol !== HANDSHAKE_PROTOCOL)
+        return reject("unsupported handshake protocol");
+      if (hello.dictionaryVersion !== dictionaryVersion)
+        return reject("dictionary version mismatch");
+      const negotiatedLevel = hello.securityLevel;
+      if (negotiatedLevel === "none" /* none */ || !allowedLevels.includes(negotiatedLevel)) {
+        return reject("security level not allowed");
+      }
+      const wantsEncryption = negotiatedLevel === "encrypted" /* encrypted */;
+      if (wantsEncryption && hello.exchangePublicKey == null) {
+        return reject("missing exchange key for encryption");
+      }
+      const linkedClientId = runtimeLinkId(hello.client);
+      await link.linkClient({
+        linkedClientId,
+        verifyPublicKey: hello.verifyPublicKey,
+        ...wantsEncryption ? {
+          exchangePublicKey: hello.exchangePublicKey,
+          saltString: sessionSalt(hello.clientNonce, serverNonce),
+          infoString: handshakeInfo(dictionaryVersion),
+          bindVerifyKeysIntoDerivation: true
+        } : {}
+      });
+      const serverVerifyKey = await link.getLocalVerifyPublicKey();
+      const serverExchangeKey = wantsEncryption ? await link.getLocalExchangePublicKey() : undefined;
+      const keyMaterial = wantsEncryption && hello.exchangePublicKey != null ? {
+        verifyPublicKey: hello.verifyPublicKey,
+        exchangePublicKey: hello.exchangePublicKey,
+        saltString: sessionSalt(hello.clientNonce, serverNonce),
+        infoString: handshakeInfo(dictionaryVersion),
+        bindVerifyKeysIntoDerivation: true
+      } : undefined;
+      pending = {
+        client: hello.client,
+        linkedClientId,
+        clientVerifyKey: hello.verifyPublicKey,
+        negotiatedLevel,
+        keyMaterial,
+        challenge: buildHandshakeChallenge({
+          securityLevel: negotiatedLevel,
+          dictionaryVersion,
+          clientCoordId: coordId(hello.client),
+          serverCoordId: coordId(localCoordinate),
+          clientNonce: hello.clientNonce,
+          serverNonce,
+          clientVerifyKey: hello.verifyPublicKey,
+          serverVerifyKey,
+          clientExchangeKey: hello.exchangePublicKey,
+          serverExchangeKey
+        })
+      };
+      return {
+        t: "welcome" /* welcome */,
+        securityLevel: negotiatedLevel,
+        dictionaryVersion,
+        server: localCoordinate,
+        serverNonce,
+        verifyPublicKey: serverVerifyKey,
+        exchangePublicKey: serverExchangeKey
+      };
+    },
+    async onProve(prove) {
+      if (pending == null)
+        return reject("prove before hello");
+      const signatureValid = await link.verifyChallengeFromLinkedClient({
+        linkedClientId: pending.linkedClientId,
+        challenge: pending.challenge,
+        signatureBase64: prove.signatureBase64
+      });
+      if (!signatureValid)
+        return reject("invalid client signature");
+      const trust = await verifyKeyResolver.resolve({
+        client: pending.client,
+        verifyPublicKey: pending.clientVerifyKey
+      });
+      if (!trust.trusted)
+        return reject(trust.reason ?? "client verify key not trusted");
+      result = {
+        linkedClientId: pending.linkedClientId,
+        remote: pending.client,
+        securityLevel: pending.negotiatedLevel,
+        encryptionKeyMaterial: pending.keyMaterial
+      };
+      return {
+        t: "accept" /* accept */,
+        signatureBase64: (await link.signChallenge([pending.challenge])).signatureBase64
+      };
+    },
+    getResult() {
+      return result;
+    }
+  };
+}
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsAdapter.ts
+import { pack as pack2, unpack as unpack2 } from "msgpackr";
+
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/actionWireCodec.ts
+var PayloadTypeToInt = {
+  ["request" /* request */]: 0,
+  ["result" /* result */]: 1,
+  ["progress" /* progress */]: 2
+};
+var ReversePayloadType = [
+  "request" /* request */,
+  "result" /* result */,
+  "progress" /* progress */
+];
+function buildActionRouteDictionary(domains) {
+  const routeToInt = new Map;
+  const intToRoute = [];
+  for (const dom of domains) {
+    for (const actionId of Object.keys(dom.actionSchema)) {
+      const routeKey = `${dom.domain}:${actionId}`;
+      if (routeToInt.has(routeKey))
+        continue;
+      routeToInt.set(routeKey, intToRoute.length);
+      intToRoute.push({ domain: dom.domain, id: actionId, allDomains: dom.allDomains });
+    }
+  }
+  return { routeToInt, intToRoute };
+}
+function extractWirePayload(json) {
+  if (json.type === "request" /* request */)
+    return json.input;
+  if (json.type === "result" /* result */)
+    return json.result;
+  if (json.type === "progress" /* progress */)
+    return json.progress;
+  return;
+}
+function assembleWireJson(routeMeta, payloadType, time, context, payloadData) {
+  const base = {
+    form: "data" /* data */,
+    domain: routeMeta.domain,
+    id: routeMeta.id,
+    allDomains: routeMeta.allDomains,
+    time,
+    context
+  };
+  if (payloadType === "request" /* request */) {
+    return { ...base, type: "request" /* request */, input: payloadData, inputHash: "" };
+  }
+  if (payloadType === "result" /* result */) {
+    return { ...base, type: "result" /* result */, result: payloadData, outputHash: "" };
+  }
+  return { ...base, type: "progress" /* progress */, progress: payloadData };
+}
+
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsAdapter.ts
+var ENVELOPE = {
+  route: 0,
+  type: 1,
+  time: 2,
+  cuid: 3,
+  originClient: 4,
+  payload: 5
+};
+var ENVELOPE_LENGTH = 6;
+function createBinaryWsAdapter(domains) {
+  const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
+  return {
+    outgoing: (input) => {
+      const json = input.action.toJsonObject();
+      const routeKey = `${json.domain}:${json.id}`;
+      const routeInt = routeToInt.get(routeKey);
+      if (routeInt == null) {
+        throw new Error(`[binary-ws] Cannot pack unregistered action route: ${routeKey}`);
+      }
+      const envelope = new Array(ENVELOPE_LENGTH);
+      envelope[ENVELOPE.route] = routeInt;
+      envelope[ENVELOPE.type] = PayloadTypeToInt[json.type];
+      envelope[ENVELOPE.time] = json.time;
+      envelope[ENVELOPE.cuid] = json.context.cuid;
+      envelope[ENVELOPE.originClient] = json.context.originClient;
+      envelope[ENVELOPE.payload] = extractWirePayload(json);
+      return pack2(envelope);
+    },
+    incoming: (frame) => {
+      let buffer;
+      if (frame instanceof ArrayBuffer) {
+        buffer = new Uint8Array(frame);
+      } else if (frame instanceof Uint8Array) {
+        buffer = frame;
+      } else {
+        return;
+      }
+      try {
+        const envelope = unpack2(buffer);
+        if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH)
+          return;
+        const routeMeta = intToRoute[envelope[ENVELOPE.route]];
+        const payloadType = ReversePayloadType[envelope[ENVELOPE.type]];
+        if (routeMeta == null || payloadType == null)
+          return;
+        const time = envelope[ENVELOPE.time];
+        const context = {
+          cuid: envelope[ENVELOPE.cuid],
+          timeCreated: time,
+          routing: [],
+          originClient: envelope[ENVELOPE.originClient]
+        };
+        return assembleWireJson(routeMeta, payloadType, time, context, envelope[ENVELOPE.payload]);
+      } catch (e) {
+        console.error("[binary-ws] Failed to unpack binary action frame", e);
+        return;
+      }
+    }
+  };
+}
+// src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/createBinaryWsSessionFactory.ts
+import { pack as pack3, unpack as unpack3 } from "msgpackr";
+import { nanoid as nanoid6 } from "nanoid";
+var ENVELOPE2 = {
+  route: 0,
+  type: 1,
+  corr: 2,
+  time: 3,
+  originClient: 4,
+  payload: 5
+};
+var ENVELOPE_LENGTH2 = 6;
+var DEFAULT_CORRELATION_TTL_MS = 5 * 60000;
+function isKnownIdentity(coordinate) {
+  return coordinate != null && coordinate.envId !== UNSET_RUNTIME_ENV_ID;
+}
+function pruneExpired(map, now, ttlMs) {
+  for (const [key, entry] of map) {
+    if (now - entry.time <= ttlMs)
+      break;
+    map.delete(key);
+  }
+}
+function createBinaryWsSessionFactory(domains, options) {
+  const { routeToInt, intToRoute } = buildActionRouteDictionary(domains);
+  const unknownIdentity = RuntimeCoordinate.unknown.toJsonObject();
+  const ttlMs = options?.correlationTtlMs ?? DEFAULT_CORRELATION_TTL_MS;
+  return () => {
+    let outCounter = 0;
+    const corrToCuid = new Map;
+    const cuidToCorr = new Map;
+    let selfIdentity;
+    let peerIdentity;
+    return {
+      outgoing: (input) => {
+        const json = input.action.toJsonObject();
+        const routeKey = `${json.domain}:${json.id}`;
+        const routeInt = routeToInt.get(routeKey);
+        if (routeInt == null) {
+          throw new Error(`[binary-ws] Cannot pack unregistered action route: ${routeKey}`);
+        }
+        const now = Date.now();
+        pruneExpired(corrToCuid, now, ttlMs);
+        pruneExpired(cuidToCorr, now, ttlMs);
+        let corr;
+        let wireIdentity;
+        if (json.type === "request" /* request */) {
+          corr = outCounter++;
+          corrToCuid.set(corr, { value: json.context.cuid, time: now });
+          if (selfIdentity == null && isKnownIdentity(json.context.originClient)) {
+            selfIdentity = json.context.originClient;
+            wireIdentity = json.context.originClient;
+          }
+        } else {
+          corr = cuidToCorr.get(json.context.cuid)?.value ?? -1;
+          if (json.type === "result" /* result */)
+            cuidToCorr.delete(json.context.cuid);
+        }
+        const envelope = new Array(ENVELOPE_LENGTH2);
+        envelope[ENVELOPE2.route] = routeInt;
+        envelope[ENVELOPE2.type] = PayloadTypeToInt[json.type];
+        envelope[ENVELOPE2.corr] = corr;
+        envelope[ENVELOPE2.time] = json.time;
+        envelope[ENVELOPE2.originClient] = wireIdentity;
+        envelope[ENVELOPE2.payload] = extractWirePayload(json);
+        return pack3(envelope);
+      },
+      incoming: (frame) => {
+        let buffer;
+        if (frame instanceof ArrayBuffer) {
+          buffer = new Uint8Array(frame);
+        } else if (frame instanceof Uint8Array) {
+          buffer = frame;
+        } else {
+          return;
+        }
+        try {
+          const envelope = unpack3(buffer);
+          if (!Array.isArray(envelope) || envelope.length !== ENVELOPE_LENGTH2)
+            return;
+          const routeMeta = intToRoute[envelope[ENVELOPE2.route]];
+          const payloadType = ReversePayloadType[envelope[ENVELOPE2.type]];
+          if (routeMeta == null || payloadType == null)
+            return;
+          const now = Date.now();
+          pruneExpired(corrToCuid, now, ttlMs);
+          pruneExpired(cuidToCorr, now, ttlMs);
+          const corr = envelope[ENVELOPE2.corr];
+          const time = envelope[ENVELOPE2.time];
+          const wireIdentity = envelope[ENVELOPE2.originClient];
+          let cuid;
+          let originClient;
+          if (payloadType === "request" /* request */) {
+            cuid = nanoid6();
+            cuidToCorr.set(cuid, { value: corr, time: now });
+            if (isKnownIdentity(wireIdentity))
+              peerIdentity = wireIdentity;
+            originClient = peerIdentity ?? unknownIdentity;
+          } else {
+            cuid = corrToCuid.get(corr)?.value ?? nanoid6();
+            if (payloadType === "result" /* result */)
+              corrToCuid.delete(corr);
+            originClient = selfIdentity ?? unknownIdentity;
+          }
+          const context = { cuid, timeCreated: time, routing: [], originClient };
+          return assembleWireJson(routeMeta, payloadType, time, context, envelope[ENVELOPE2.payload]);
+        } catch (e) {
+          console.error("[binary-ws] Failed to unpack binary action session frame", e);
+          return;
+        }
+      }
+    };
+  };
+}
+// src/utils/decodeActionFrame.ts
+function decodeActionFrame(frame, decoder) {
+  const decoded = decoder?.incoming?.(frame) ?? (typeof frame === "string" ? parseJsonActionFrame(frame) : undefined);
+  return decoded != null && isActionPayload_Any_JsonObject(decoded) ? decoded : undefined;
+}
+function parseJsonActionFrame(message) {
+  try {
+    const json = JSON.parse(message);
+    return isActionPayload_Any_JsonObject(json) ? json : undefined;
+  } catch {
+    return;
+  }
+}
+
 // src/ActionRuntime/Handler/ExternalClient/Transport/helpers/createUnsetTransportResolvers.ts
 var createUnsetTransportResolvers = (type) => ({
   onIncomingActionDataJson: (json) => {
@@ -2347,6 +2956,20 @@ var createUnsetTransportResolvers = (type) => ({
 });
 
 // src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/ws_util.ts
+function sendFrame(ws, data) {
+  if (typeof data === "string" || data instanceof ArrayBuffer) {
+    ws.send(data);
+    return;
+  }
+  ws.send(new Uint8Array(data));
+}
+function toFrameBytes(frame) {
+  if (typeof frame === "string")
+    return new TextEncoder().encode(frame);
+  if (frame instanceof ArrayBuffer)
+    return new Uint8Array(frame);
+  return frame;
+}
 function shortWs(url) {
   try {
     const u = new URL(url);
@@ -2357,6 +2980,8 @@ function shortWs(url) {
 }
 
 // src/ActionRuntime/Handler/ExternalClient/Transport/WebSocket/WebSocketConnection.ts
+var HANDSHAKE_TIMEOUT_MS = 15000;
+
 class WebSocketConnection extends TransportConnection {
   resolvers;
   _abortSet = new Set;
@@ -2375,16 +3000,13 @@ class WebSocketConnection extends TransportConnection {
     }
     if (transportStatusInfo.status === "ready" /* ready */) {
       const ws = transportStatusInfo.readyData.ws;
-      if (ws.readyState !== WebSocket.OPEN) {
+      if (ws.readyState !== WebSocket.OPEN || this._isSecure(transportStatusInfo.readyData)) {
+        const readyData = transportStatusInfo.readyData;
         const initialization = async () => {
-          await new Promise((resolve, reject) => {
-            ws.addEventListener("open", () => resolve(), { once: true });
-            ws.addEventListener("error", (event) => reject(event), { once: true });
-            ws.addEventListener("close", (event) => reject(new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
-          });
+          await this._awaitOpen(ws);
           return {
             status: "ready" /* ready */,
-            readyData: this._finalizeTransportMethods(transportStatusInfo.readyData)
+            readyData: await this._finalize(readyData)
           };
         };
         return {
@@ -2397,15 +3019,10 @@ class WebSocketConnection extends TransportConnection {
     if (transportStatusInfo.status === "initializing" /* initializing */) {
       const promiseForReadyData = transportStatusInfo.initializationPromise.then(async (result) => {
         if (result.status === "ready" /* ready */) {
-          const ws = result.readyData.ws;
-          await new Promise((resolve, reject) => {
-            ws.addEventListener("open", () => resolve(), { once: true });
-            ws.addEventListener("error", (event) => reject(event), { once: true });
-            ws.addEventListener("close", (event) => reject(new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
-          });
+          await this._awaitOpen(result.readyData.ws);
           return {
             status: "ready" /* ready */,
-            readyData: this._finalizeTransportMethods(result.readyData)
+            readyData: await this._finalize(result.readyData)
           };
         }
         return result;
@@ -2432,11 +3049,120 @@ class WebSocketConnection extends TransportConnection {
       summary: `ws ${shortWs(this._liveSocketUrl)}`
     };
   }
+  _isSecure(wsData) {
+    return wsData.secureChannel != null && wsData.secureChannel.securityLevel !== "none" /* none */;
+  }
+  _awaitOpen(ws) {
+    if (ws.readyState === WebSocket.OPEN)
+      return Promise.resolve();
+    return new Promise((resolve, reject2) => {
+      ws.addEventListener("open", () => resolve(), { once: true });
+      ws.addEventListener("error", (event) => reject2(event), { once: true });
+      ws.addEventListener("close", (event) => reject2(new Error(`WebSocket closed before open: code=${event.code}`)), { once: true });
+    });
+  }
+  _finalize(wsData) {
+    return this._isSecure(wsData) ? this._finalizeSecureMethods(wsData) : this._finalizeTransportMethods(wsData);
+  }
   _finalizeTransportMethods(wsData) {
     const ws = wsData.ws;
     const disconnectListeners = [];
-    if (ws.url != null && ws.url !== "")
-      this._liveSocketUrl = ws.url;
+    this._captureSocketUrl(ws);
+    this._attachLifecycle(ws, disconnectListeners);
+    ws.addEventListener("message", async (event) => {
+      const frame = await this._normalizeFrame(event.data);
+      if (frame !== undefined)
+        await this._handleIncomingActionFrame(frame, wsData, undefined);
+    });
+    return this._buildSendMethods(ws, wsData, undefined, disconnectListeners);
+  }
+  async _finalizeSecureMethods(wsData) {
+    const ws = wsData.ws;
+    const disconnectListeners = [];
+    this._captureSocketUrl(ws);
+    this._attachLifecycle(ws, disconnectListeners);
+    let active = false;
+    let crypto;
+    const handshakeQueue = [];
+    const handshakeWaiters = [];
+    const pendingActionFrames = [];
+    ws.addEventListener("message", async (event) => {
+      const frame = await this._normalizeFrame(event.data);
+      if (frame === undefined)
+        return;
+      if (active) {
+        await this._handleIncomingActionFrame(frame, wsData, crypto);
+        return;
+      }
+      if (typeof frame === "string") {
+        const message = decodeHandshakeMessage(frame);
+        if (message != null) {
+          const waiter = handshakeWaiters.shift();
+          if (waiter != null)
+            waiter(message);
+          else
+            handshakeQueue.push(message);
+          return;
+        }
+      }
+      pendingActionFrames.push(frame);
+    });
+    const nextHandshakeMessage = () => {
+      const queued = handshakeQueue.shift();
+      if (queued != null)
+        return Promise.resolve(queued);
+      return new Promise((resolve, reject2) => {
+        const timeout = setTimeout(() => reject2(new Error("[ws-handshake] timed out waiting for server reply")), HANDSHAKE_TIMEOUT_MS);
+        handshakeWaiters.push((message) => {
+          clearTimeout(timeout);
+          resolve(message);
+        });
+      });
+    };
+    crypto = await this._runClientHandshake(ws, wsData.secureChannel, nextHandshakeMessage);
+    active = true;
+    for (const frame of pendingActionFrames)
+      await this._handleIncomingActionFrame(frame, wsData, crypto);
+    pendingActionFrames.length = 0;
+    return this._buildSendMethods(ws, wsData, crypto, disconnectListeners);
+  }
+  async _runClientHandshake(ws, secure, nextHandshakeMessage) {
+    await secure.link.initialize();
+    const handshake = createClientHandshake({
+      link: secure.link,
+      localCoordinate: secure.localCoordinate,
+      dictionaryVersion: secure.dictionaryVersion,
+      securityLevel: secure.securityLevel
+    });
+    sendFrame(ws, encodeHandshakeMessage(await handshake.createHello()));
+    const welcome = await nextHandshakeMessage();
+    if (welcome.t === "reject" /* reject */) {
+      throw new Error(`[ws-handshake] rejected by server: ${welcome.reason}`);
+    }
+    if (welcome.t !== "welcome" /* welcome */) {
+      throw new Error(`[ws-handshake] expected welcome, got ${welcome.t}`);
+    }
+    sendFrame(ws, encodeHandshakeMessage(await handshake.onWelcome(welcome)));
+    const accept = await nextHandshakeMessage();
+    if (accept.t === "reject" /* reject */) {
+      throw new Error(`[ws-handshake] rejected by server: ${accept.reason}`);
+    }
+    if (accept.t !== "accept" /* accept */) {
+      throw new Error(`[ws-handshake] expected accept, got ${accept.t}`);
+    }
+    const result = await handshake.onAccept(accept);
+    return result.securityLevel === "encrypted" /* encrypted */ ? createActionFrameCrypto({ link: secure.link, linkedClientId: result.linkedClientId }) : undefined;
+  }
+  _buildSendMethods(ws, wsData, crypto, disconnectListeners) {
+    let sendChain = Promise.resolve();
+    const enqueueSend = (frame) => {
+      if (crypto == null) {
+        sendFrame(ws, frame);
+        return;
+      }
+      const bytes = toFrameBytes(frame);
+      sendChain = sendChain.then(() => crypto.encryptFrame(bytes)).then((encrypted) => sendFrame(ws, encrypted)).catch((err4) => console.error("[ws] failed to encrypt/send frame", err4));
+    };
     const sendActionData = (inputs) => {
       const { action, runningAction, timeout } = inputs;
       if (action.type === "request" /* request */) {
@@ -2453,16 +3179,49 @@ class WebSocketConnection extends TransportConnection {
           }
         ]);
       }
-      ws.send(wsData.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
+      enqueueSend(wsData.formatMessage?.outgoing(inputs) ?? JSON.stringify(inputs.action.toJsonObject()));
     };
-    ws.addEventListener("message", (event) => {
-      if (typeof event.data === "string") {
-        const rawJson = wsData.formatMessage?.incoming?.(event.data) ?? this._parseActionMessage(event.data);
-        if (rawJson != null && isActionPayload_Any_JsonObject(rawJson)) {
-          this.resolvers.onIncomingActionDataJson(rawJson);
-        }
+    return {
+      sendActionData,
+      updateRunConfig: wsData.updateRunConfig,
+      addOnDisconnectListener: (cb) => {
+        disconnectListeners.push(cb);
+      },
+      sendReturnData: (payload, clients) => {
+        const formatted = clients != null ? wsData.formatMessage?.outgoing({ action: payload, ...clients }) : undefined;
+        enqueueSend(formatted ?? JSON.stringify(payload.toJsonObject()));
       }
-    });
+    };
+  }
+  async _handleIncomingActionFrame(frame, wsData, crypto) {
+    let decoded = frame;
+    if (crypto != null) {
+      try {
+        decoded = await crypto.decryptFrame(frame);
+      } catch (err4) {
+        console.error("[ws] failed to decrypt incoming frame", err4);
+        return;
+      }
+    }
+    const rawJson = decodeActionFrame(decoded, wsData.formatMessage);
+    if (rawJson != null) {
+      this.resolvers.onIncomingActionDataJson(rawJson);
+    }
+  }
+  async _normalizeFrame(data) {
+    if (typeof data === "string" || data instanceof ArrayBuffer || data instanceof Uint8Array) {
+      return data;
+    }
+    if (typeof Blob !== "undefined" && data instanceof Blob) {
+      return await data.arrayBuffer();
+    }
+    return;
+  }
+  _captureSocketUrl(ws) {
+    if (ws.url != null && ws.url !== "")
+      this._liveSocketUrl = ws.url;
+  }
+  _attachLifecycle(ws, disconnectListeners) {
     ws.addEventListener("close", (event) => {
       console.error("WebSocket closed:", event);
       for (const cb of disconnectListeners)
@@ -2477,25 +3236,6 @@ class WebSocketConnection extends TransportConnection {
         originalError: event instanceof Error ? event : undefined
       }));
     });
-    return {
-      sendActionData,
-      updateRunConfig: wsData.updateRunConfig,
-      addOnDisconnectListener: (cb) => {
-        disconnectListeners.push(cb);
-      },
-      sendReturnData: (payload) => {
-        ws.send(JSON.stringify(payload.toJsonObject()));
-      }
-    };
-  }
-  _parseActionMessage(message) {
-    let json;
-    try {
-      json = JSON.parse(message);
-    } catch {
-      return;
-    }
-    return isActionPayload_Any_JsonObject(json) ? json : undefined;
   }
   _abortAll(error) {
     const snapshot = [...this._abortSet];
@@ -2529,8 +3269,9 @@ class WebSocketTransport extends Transport {
         status: "ready" /* ready */,
         readyData: {
           ws: options.createWebSocket(input),
-          formatMessage: options.formatMessage,
-          updateRunConfig: options.updateRunConfig
+          formatMessage: options.createFormatMessage?.() ?? options.formatMessage,
+          updateRunConfig: options.updateRunConfig,
+          secureChannel: options.security
         }
       });
     }
@@ -2550,7 +3291,322 @@ class WebSocketTransport extends Transport {
     };
   }
 }
+// src/ActionRuntime/Handler/Server/ActionServerHandler.ts
+class ActionServerHandler extends ActionExternalClientHandler {
+  _formatMessage;
+  _createFormatMessage;
+  _send;
+  _serverTimeout;
+  _onConnectionBound;
+  _incomingListeners = [];
+  _security;
+  _allowedLevels;
+  _noneAllowed;
+  _handshakeMode;
+  _connByClient = new Map;
+  _clientByConn = new Map;
+  _connEncoding = new Map;
+  _codecByConn = new Map;
+  _handshakeByConn = new Map;
+  _cryptoByConn = new Map;
+  _authedConns = new Set;
+  _plainConns = new Set;
+  _inboundChainByConn = new Map;
+  _outboundChainByConn = new Map;
+  constructor(options) {
+    super({ runtimeCoordinate: options.clientEnv, transports: [] });
+    this._formatMessage = options.formatMessage;
+    this._createFormatMessage = options.createFormatMessage;
+    this._send = options.send;
+    this._serverTimeout = options.defaultTimeout ?? DEFAULT_TRANSPORT_TIMEOUT;
+    this._onConnectionBound = options.onConnectionBound;
+    this._security = options.security;
+    this._allowedLevels = options.security == null ? [] : Array.isArray(options.security.securityLevel) ? options.security.securityLevel : [options.security.securityLevel];
+    this._noneAllowed = this._allowedLevels.includes("none" /* none */);
+    this._handshakeMode = this._allowedLevels.some((level) => level !== "none" /* none */);
+  }
+  _codecFor(connection) {
+    if (this._createFormatMessage != null) {
+      let codec = this._codecByConn.get(connection);
+      if (codec == null) {
+        codec = this._createFormatMessage();
+        this._codecByConn.set(connection, codec);
+      }
+      return codec;
+    }
+    if (this._formatMessage != null)
+      return this._formatMessage;
+    throw err_nice_transport.fromId("not_found" /* not_found */, {
+      actionId: "server-handler-codec (provide formatMessage or createFormatMessage)"
+    });
+  }
+  _setIncomingActionDataListener(listener) {
+    this._incomingListeners.push(listener);
+  }
+  receive(connection, frame) {
+    if (this._security == null || !this._handshakeMode) {
+      this._receivePlain(connection, frame);
+      return;
+    }
+    const previous = this._inboundChainByConn.get(connection) ?? Promise.resolve();
+    const next = previous.then(() => this._receiveSecure(connection, frame)).catch((err4) => console.error("[ws-server] failed to process inbound frame", err4));
+    this._inboundChainByConn.set(connection, next);
+  }
+  _receivePlain(connection, frame) {
+    const wire = decodeActionFrame(frame, this._codecFor(connection));
+    if (wire == null)
+      return;
+    const encoding = typeof frame === "string" ? "json" : "binary";
+    this._connEncoding.set(connection, encoding);
+    if (wire.type === "request" /* request */) {
+      this._resolveRequestIdentity(connection, wire, encoding);
+    }
+    for (const listener of this._incomingListeners)
+      listener(wire);
+  }
+  async _receiveSecure(connection, frame) {
+    const security = this._security;
+    if (security == null)
+      return;
+    if (this._plainConns.has(connection)) {
+      this._receivePlain(connection, frame);
+      return;
+    }
+    if (!this._authedConns.has(connection)) {
+      const message = typeof frame === "string" ? decodeHandshakeMessage(frame) : undefined;
+      if (message == null) {
+        if (this._noneAllowed) {
+          this._plainConns.add(connection);
+          this._receivePlain(connection, frame);
+        }
+        return;
+      }
+      await security.link.initialize();
+      let handshake = this._handshakeByConn.get(connection);
+      if (handshake == null) {
+        handshake = createServerHandshake({
+          link: security.link,
+          localCoordinate: security.localCoordinate,
+          dictionaryVersion: security.dictionaryVersion,
+          securityLevel: security.securityLevel,
+          verifyKeyResolver: security.verifyKeyResolver
+        });
+        this._handshakeByConn.set(connection, handshake);
+      }
+      if (message.t === "hello" /* hello */) {
+        this._send(connection, encodeHandshakeMessage(await handshake.onHello(message)));
+      } else if (message.t === "prove" /* prove */) {
+        const reply = await handshake.onProve(message);
+        this._send(connection, encodeHandshakeMessage(reply));
+        const result = handshake.getResult();
+        if (reply.t === "accept" /* accept */ && result != null) {
+          this._completeServerHandshake(connection, result);
+        }
+      }
+      return;
+    }
+    let bytes = frame;
+    const cryptoReady = this._cryptoByConn.get(connection);
+    if (cryptoReady != null) {
+      try {
+        bytes = await (await cryptoReady).decryptFrame(frame);
+      } catch (err4) {
+        console.error("[ws-server] failed to decrypt inbound frame", err4);
+        return;
+      }
+    }
+    const wire = decodeActionFrame(bytes, this._codecFor(connection));
+    if (wire == null)
+      return;
+    if (wire.type === "request" /* request */) {
+      const bound = this._clientByConn.get(connection);
+      if (bound != null)
+        wire.context.originClient = bound.toJsonObject();
+    }
+    for (const listener of this._incomingListeners)
+      listener(wire);
+  }
+  _completeServerHandshake(connection, result) {
+    const clientCoord = new RuntimeCoordinate(result.remote);
+    this._bindConnection(connection, clientCoord);
+    this._connEncoding.set(connection, "binary");
+    this._authedConns.add(connection);
+    this._handshakeByConn.delete(connection);
+    if (result.securityLevel === "encrypted" /* encrypted */ && this._security != null) {
+      this._cryptoByConn.set(connection, Promise.resolve(createActionFrameCrypto({
+        link: this._security.link,
+        linkedClientId: result.linkedClientId
+      })));
+    }
+    this._onConnectionBound?.(connection, {
+      client: clientCoord.toJsonObject(),
+      encoding: "binary",
+      secure: {
+        securityLevel: result.securityLevel,
+        linkedClientId: result.linkedClientId,
+        keyMaterial: result.encryptionKeyMaterial
+      }
+    });
+  }
+  _resolveRequestIdentity(connection, wire, encoding) {
+    const wireOrigin = wire.context.originClient;
+    if (wireOrigin != null && wireOrigin.envId !== UNSET_RUNTIME_ENV_ID) {
+      const clientCoord = new RuntimeCoordinate(wireOrigin);
+      const isNewBinding = this._clientByConn.get(connection)?.stringId !== clientCoord.stringId;
+      this._bindConnection(connection, clientCoord);
+      if (isNewBinding) {
+        this._onConnectionBound?.(connection, { client: clientCoord.toJsonObject(), encoding });
+      }
+      return;
+    }
+    const bound = this._clientByConn.get(connection);
+    if (bound != null)
+      wire.context.originClient = bound.toJsonObject();
+  }
+  rehydrateConnection(connection, binding) {
+    this._bindConnection(connection, new RuntimeCoordinate(binding.client));
+    this._connEncoding.set(connection, binding.encoding);
+    const secure = binding.secure;
+    if (secure == null)
+      return;
+    this._authedConns.add(connection);
+    if (secure.securityLevel === "encrypted" /* encrypted */ && secure.keyMaterial != null && this._security != null) {
+      const security = this._security;
+      const { linkedClientId, keyMaterial } = secure;
+      const cryptoReady = security.link.initialize().then(() => security.link.linkClient({
+        linkedClientId,
+        verifyPublicKey: keyMaterial.verifyPublicKey,
+        exchangePublicKey: keyMaterial.exchangePublicKey,
+        saltString: keyMaterial.saltString,
+        infoString: keyMaterial.infoString,
+        bindVerifyKeysIntoDerivation: keyMaterial.bindVerifyKeysIntoDerivation
+      })).then(() => createActionFrameCrypto({ link: security.link, linkedClientId }));
+      this._cryptoByConn.set(connection, cryptoReady);
+      const gate = cryptoReady.then(() => {}, (err4) => console.error("[ws-server] failed to restore encrypted session", err4));
+      this._inboundChainByConn.set(connection, gate);
+      this._outboundChainByConn.set(connection, gate);
+    }
+  }
+  toHandlerRouteItem() {
+    return {
+      type: this.handlerType,
+      client: this.externalClient,
+      transType: "custom" /* custom */,
+      transOrd: 0
+    };
+  }
+  dropConnection(connection) {
+    const coord = this._clientByConn.get(connection);
+    if (coord != null && this._connByClient.get(coord.stringId) === connection) {
+      this._connByClient.delete(coord.stringId);
+    }
+    this._clientByConn.delete(connection);
+    this._connEncoding.delete(connection);
+    this._codecByConn.delete(connection);
+    this._handshakeByConn.delete(connection);
+    this._cryptoByConn.delete(connection);
+    this._authedConns.delete(connection);
+    this._plainConns.delete(connection);
+    this._inboundChainByConn.delete(connection);
+    this._outboundChainByConn.delete(connection);
+  }
+  getConnectionForClient(client) {
+    return this._connByClient.get(client.stringId);
+  }
+  pushToClient(runtime2, target, request, options) {
+    const connection = this._resolveConnection(target);
+    return this._dispatch(runtime2, connection, request, options?.timeout);
+  }
+  async sendReturnPayload(payload, config) {
+    const connection = this._connByClient.get(payload.context.originClient.stringId);
+    if (connection == null)
+      return false;
+    this._sendPayload(connection, payload, config.targetLocalRuntime.coordinate);
+    return true;
+  }
+  async handleActionRequest(action, config) {
+    const runtime2 = config?.targetLocalRuntime ?? ActionRuntime.getDefault();
+    const connection = this._resolveSingleConnection();
+    return this._dispatch(runtime2, connection, action, config?.timeout);
+  }
+  _dispatch(runtime2, connection, action, timeout) {
+    const timeoutMs = timeout ?? this._serverTimeout;
+    action.context._setOriginClient(runtime2.coordinate);
+    action.context.addRouteItem({
+      runtime: runtime2.coordinate,
+      handler: this.toHandlerRouteItem(),
+      time: Date.now()
+    });
+    const runningAction = new RunningAction({
+      context: action.context,
+      request: action,
+      parentCuid: peekHandlerCuid(),
+      callSite: action._callSite
+    });
+    runtime2.registerRunningAction(runningAction);
+    const timeoutId = setTimeout(() => {
+      runningAction._abort(err_nice_transport.fromId("timeout" /* timeout */, { timeout: timeoutMs }));
+    }, timeoutMs);
+    runningAction.addUpdateListeners([
+      (update) => {
+        if (update.type === "finished" /* finished */)
+          clearTimeout(timeoutId);
+      }
+    ]);
+    try {
+      this._sendPayload(connection, action, runtime2.coordinate);
+    } catch (err4) {
+      runningAction._abort(err4);
+    }
+    return runningAction;
+  }
+  _sendPayload(connection, payload, localClient) {
+    const encoding = this._connEncoding.get(connection) ?? "binary";
+    const frame = encoding === "json" ? JSON.stringify(payload.toJsonObject()) : this._codecFor(connection).outgoing({
+      action: payload,
+      localClient,
+      externalClient: this.externalClient
+    });
+    const cryptoReady = this._cryptoByConn.get(connection);
+    if (cryptoReady == null) {
+      this._send(connection, frame);
+      return;
+    }
+    const bytes = toFrameBytes(frame);
+    const previous = this._outboundChainByConn.get(connection) ?? Promise.resolve();
+    const next = previous.then(() => cryptoReady).then((crypto) => crypto.encryptFrame(bytes)).then((encrypted) => this._send(connection, encrypted)).catch((err4) => console.error("[ws-server] failed to encrypt/send frame", err4));
+    this._outboundChainByConn.set(connection, next);
+  }
+  _bindConnection(connection, client) {
+    this._connByClient.set(client.stringId, connection);
+    this._clientByConn.set(connection, client);
+  }
+  _resolveConnection(target) {
+    if (target instanceof RuntimeCoordinate) {
+      const connection = this._connByClient.get(target.stringId);
+      if (connection == null) {
+        throw err_nice_transport.fromId("not_found" /* not_found */, {
+          actionId: target.stringId
+        });
+      }
+      return connection;
+    }
+    return target;
+  }
+  _resolveSingleConnection() {
+    if (this._clientByConn.size !== 1) {
+      throw err_nice_transport.fromId("not_found" /* not_found */, {
+        actionId: "server-handler-target (use pushToClient with an explicit connection or client coordinate)"
+      });
+    }
+    return this._clientByConn.keys().next().value;
+  }
+}
+var createServerHandler = (options) => {
+  return new ActionServerHandler(options);
+};
 export {
+  runtimeLinkId,
   isActionPayload_Result_JsonObject,
   isActionPayload_Request_JsonObject,
   isActionPayload_Any_JsonObject,
@@ -2558,9 +3614,20 @@ export {
   err_nice_transport,
   err_nice_external_client,
   err_nice_action,
+  encodeHandshakeMessage,
+  decodeHandshakeMessage,
+  decodeActionFrame,
+  createStorageTofuVerifyKeyResolver,
+  createServerHandshake,
+  createServerHandler,
   createLocalHandler,
+  createInMemoryTofuVerifyKeyResolver,
   createExternalClientHandler,
+  createClientHandshake,
+  createBinaryWsSessionFactory,
+  createBinaryWsAdapter,
   createActionRootDomain,
+  createActionFrameCrypto,
   actionSchema,
   WebSocketTransport,
   Transport,
@@ -2569,15 +3636,18 @@ export {
   HttpTransport,
   ETransportType,
   ETransportStatus,
+  ESecurityLevel,
   ERunningActionUpdateType,
   ERunningActionState,
   ERunningActionFinishedType,
+  EHandshakeMessageType,
   EErrId_NiceTransport_WebSocket,
   EErrId_NiceTransport,
   EErrId_NiceAction,
   EActionProgressType,
   EActionPayloadType,
   CustomTransport,
+  ActionServerHandler,
   ActionSchema,
   ActionRuntime,
   ActionRootDomain,