A link is a bidirectional communication channel between two peers, established via a specific transport. The link carries virtual connections, each identified by a conn_id (u64).

Connection 0 is established implicitly when the link is created. Both peers can immediately send messages on connection 0 after the Hello exchange.

A peer opens a new connection by sending a Connect message with a request_id. The remote peer responds with Accept (providing the new conn_id) or Reject.

The remote peer MUST have called take_incoming_connections() on connection 0 to accept new connections. If not listening, the peer MUST respond with Reject.

Connection IDs are allocated by the acceptor of the Connect request (the peer receiving Connect, not the link acceptor). IDs MUST be unique within the link and MUST NOT be 0.

Only connection 0 (the root connection) can accept incoming connections. Virtual connections opened via Connect/Accept cannot themselves accept further nested connections.

A virtual connection is closed when either peer sends Goodbye on that connection. Closing a connection terminates all in-flight calls and channels on that connection.

Virtual connections are independent. An error or closure on one connection does not affect other connections on the same link. Each connection has its own:

• Request ID space (IDs are unique per-connection, not per-link)
• Channel ID space
• Dispatcher (service handler)

A call consists of exactly one Request and exactly one Response with the same request_id. The caller sends the Request; the callee sends the Response.

Request IDs MUST be unique within a connection. Implementations SHOULD use a monotonically increasing counter starting at 1.

Cancel is advisory. The callee MAY ignore it if the call is already complete. A Response may still arrive after Cancel is sent (either the completed result or a Cancelled error). Implementations MUST handle late Responses gracefully.

Tx<T> represents data flowing from caller to callee (input). Rx<T> represents data flowing from callee to caller (output). Each has exactly one sender and one receiver.

Tx<T> and Rx<T> MUST NOT appear in return types. They may only appear in argument position. The return type is always a plain value (possibly () for methods that only produce output via Rx).

Call results are wrapped in RoamError<E> which distinguishes application errors from protocol errors:

Call errors affect only that call. The connection remains open. Multiple calls can be in flight, and one failing does not affect others.

Connection errors are unrecoverable protocol violations. The peer detecting the error MUST send a Goodbye message with a reason and close the connection.

The Goodbye reason MUST contain the rule ID that was violated (e.g., core.channel.close), optionally followed by context.

Requests and Responses carry metadata: a list of key-value pairs for out-of-band information (tracing, auth, deadlines, etc.).

Clients MAY include a nonce in request metadata to enable idempotent delivery. The metadata key is roam-nonce and the value MUST be MetadataValue::Bytes containing exactly 16 bytes (128 bits).

Nonces MUST be generated using a cryptographically secure random source. UUIDv4 (random variant) is acceptable.

Each logically distinct request MUST use a unique nonce. Retrying the same logical request (due to transport failure) MUST reuse the original nonce.

If a server receives a request with a nonce it has processed before (within its retention window), it MUST return the cached response without re-executing the method handler.

Servers implementing nonce deduplication MUST retain nonce→response mappings for at least 5 minutes. Servers MAY retain them longer.

Nonce uniqueness is scoped to the server (or logical service instance). The same nonce sent to different servers is not deduplicated.

Servers storing nonce→response mappings MUST protect them appropriately. Responses may contain sensitive data.

When retrying a request due to transport failure (connection reset, timeout, etc.), clients MUST use the same nonce as the original request.

For logically new requests (not retries), clients MUST generate a fresh nonce.

Nonces are optional. Requests without a roam-nonce metadata entry are processed normally without deduplication. Retrying such requests may cause duplicate execution.

Servers are not required to implement nonce deduplication. Servers that do not support it MUST ignore the roam-nonce metadata key (per r[call.metadata.unknown]).

Auto-reconnecting client implementations (see Reconnecting Client Specification) SHOULD automatically attach nonces to requests and reuse them on retry. This makes reconnection transparent to callers.

Nonces apply to the initial Request that establishes channels. Channel state (data sent/received, credit) is not preserved across reconnection. Applications requiring resumable streams should implement checkpointing at the application level.

A request ID (u64) MUST be unique within a connection. Implementations SHOULD use a monotonically increasing counter starting at 1.

If a peer receives a Request with a request_id that matches an existing in-flight request, it MUST send a Goodbye message (reason: call.request-id.duplicate-detection) and close the connection.

A request is "in-flight" from when the Request message is sent until the corresponding Response message is received.

Sending a Cancel message does NOT remove a request from in-flight status. The request remains in-flight until a Response is received (which may be a Cancelled error, a completed result, or any other response).

A call is initiated by sending a Request message.

The channels field MUST contain all channel IDs used by the call (both Tx<T> and Rx<T> parameters), in declaration order. This enables transparent proxying without parsing the payload.

The payload MUST be the ¹ encoding of a tuple containing all method arguments in declaration order.

A call is completed by sending a Response message with the same request_id as the original Request.

The response payload MUST be the ¹ encoding of Result<T, RoamError<E>>, where T and E come from the method signature.

Metadata is a list of entries: Vec<(String, MetadataValue, u64)>. Each entry is a triple of (key, value, flags).

The flags field is a u64 bitfield controlling metadata handling:

Flags are encoded as a varint, so common values (0, 1, 2, 3) use only 1 byte.

Metadata keys are case-sensitive strings. Keys MUST be at most 256 bytes (UTF-8 encoded).

Duplicate keys are allowed. If multiple entries have the same key, all values are preserved in order. Consumers MAY use any of the values (typically the first or last).

Metadata order MUST be preserved during transmission. Order is not semantically meaningful for most uses, but some applications may rely on it (e.g., multi-value headers).

Unknown metadata keys MUST be ignored.

Metadata limits:

• At most 128 metadata entries (key-value pairs)
• Each key at most 256 bytes
• Each value at most 16 KB (16,384 bytes)
• Total metadata size at most 64 KB (65,536 bytes)

If a peer receives a message exceeding these limits, it MUST send a Goodbye message (reason: call.metadata.limits) and close the connection.

RoamError<E> distinguishes application errors from protocol errors. The variant order defines wire discriminants (¹ varint encoding):

The User(E) variant (discriminant 0) carries the application's error type. This is semantically different from protocol errors — the method ran and returned Err(e).

Discriminants 1-3 are protocol-level errors. The method may not have run at all (UnknownMethod, InvalidPayload) or was interrupted (Cancelled).

If a callee receives a Request with a method_id it does not recognize, it MUST send a Response with Err(RoamError::UnknownMethod). The connection remains open.

If a callee cannot deserialize the Request payload, it MUST send a Response with Err(RoamError::InvalidPayload). The connection remains open.

For each Request, the callee MUST send exactly one Response with the same request_id. No more, no less.

Responses MAY arrive in any order. The caller MUST use request_id for correlation, not arrival order.

If a caller receives a Response with a request_id that does not match any in-flight request, it MUST ignore the response. Implementations SHOULD log this as a warning.

A caller MAY send a Cancel message to request that the callee stop processing a request. The Cancel message MUST include the request_id of the request to cancel.

Cancellation is best-effort. The callee MAY have already completed the request, or MAY be unable to cancel in-progress work. The callee MUST still send a Response (either the completed result or Cancelled error).

The caller MUST NOT wait indefinitely for a response after sending Cancel. Implementations SHOULD use a timeout after which the caller considers the request cancelled locally, even without a response.

Multiple requests MAY be in flight simultaneously. The caller does not need to wait for a response before sending the next request.

Each request is independent. A slow or failed request MUST NOT block other requests.

Tx<T> and Rx<T> are roam-provided types recognized by the #[roam::service] macro. On the wire, both serialize as a u64 channel ID.

Service definitions are written from the caller's perspective. Tx<T> means "caller transmits data to callee". Rx<T> means "caller receives data from callee".

From the holder's perspective: Tx<T> means "I send on this", Rx<T> means "I receive from this". Generated callee handlers have the types flipped relative to the service definition.

The caller allocates ALL channel IDs (both Tx and Rx). Channel IDs are listed in the Request's channels field (see r[call.request.channels]) and also serialized within Tx<T>/Rx<T> values in the payload. The callee does not allocate any IDs.

On the server side, implementations MUST use the channel IDs from the channels field as authoritative, patching them into deserialized args before binding streams. This ensures transparent proxying can work without parsing the payload.

A channel ID MUST be unique within a connection.

Channel ID 0 is reserved. If a peer receives a channel message with channel_id of 0, it MUST send a Goodbye message (reason: channeling.id.zero-reserved) and close the connection.

For peer-to-peer transports, the link initiator (who opened the link) MUST allocate odd channel IDs (1, 3, 5, ...). The link acceptor MUST allocate even channel IDs (2, 4, 6, ...). This prevents collisions when both peers make concurrent calls.

For virtual connections (opened via Connect/Accept), the parity rule is inherited from the link: the link initiator uses odd IDs on all connections, and the link acceptor uses even IDs on all connections. This is independent of who sent the Connect request.

The caller MAY send Data on Tx<T> channels immediately after sending the Request, without waiting for Response. This enables pipelining for lower latency.

If the caller sends Data before receiving Response, and the Response is an error (Err(RoamError::UnknownMethod), Err(RoamError::InvalidPayload), etc.), the Data was wasted. The channel IDs are "burned" — they were never successfully opened and MUST NOT be reused.

When the callee sends Response, all Rx<T> channels are implicitly closed. The callee MUST NOT send Data on any Rx channel after sending Response.

The caller MUST send Close on each Tx<T> channel when done sending. The callee waits for Close before it knows all input has arrived.

Tx<T> and Rx<T> MUST NOT appear inside error types. A method's error type E in Result<T, E> MUST NOT contain Tx<T> or Rx<T> at any nesting level.

The sending peer sends Data messages containing ¹-encoded values of the channel's element type T. Each Data message contains exactly one value.

Each channel element MUST NOT exceed max_payload_size bytes (the same limit that applies to Request/Response payloads). If a peer receives a channel element exceeding this limit, it MUST send a Goodbye message (reason: channeling.data.size-limit) and close the connection.

If a peer receives a Data message that cannot be deserialized as the channel's element type, it MUST send a Goodbye message (reason: channeling.data.invalid) and close the connection.

For Tx<T> (caller→callee), the caller sends Close when done. For Rx<T> (callee→caller), the channel closes implicitly with Response.

If a peer receives a Data message on a channel after it has been closed, it MUST send a Goodbye message (reason: channeling.data-after-close) and close the connection.

Either peer MAY send Reset to forcefully terminate a channel. The sender uses Reset to abandon early; the receiver uses Reset to signal it no longer wants data.

Upon receiving Reset, the peer MUST consider the channel terminated. Any further Data, Close, or Credit messages for that ID MUST be ignored (they may arrive due to race conditions).

When a channel is reset, any outstanding credit is lost.

If a peer receives a channel message (Data, Close, Reset, Credit) with a channel_id that was never opened, it MUST send a Goodbye message (reason: channeling.unknown) and close the connection.

The RPC call completes when the Response is received. At that point:

• All Rx<T> channels are closed (callee can no longer send)
• Tx<T> channels may still be open (caller may still be sending)
• The request ID is no longer in-flight

Tx<T> channels (caller→callee) may outlive the Response. The caller continues sending until they send Close. The callee processes the final return value only after all input channels are closed.

Channels use credit-based flow control. A sender MUST NOT send a Data message if doing so would exceed the remaining credit for that channel — even if the underlying transport would accept the data.

Credit-based flow control applies to all transports for both Tx<T> and Rx<T> channels. On multi-stream transports (QUIC, WebTransport), roam credit operates independently of any transport-level flow control. The transport may additionally block writes, but that is transparent to the roam layer.

Credits are measured in bytes. The byte count for a channel element is the length of its ¹ encoding — the same bytes that appear in Data.payload, or on multi-stream transports, the bytes written to the dedicated transport stream before ¹ framing. Framing overhead (¹, transport headers) is NOT counted.

The initial channel credit MUST be negotiated during handshake. Each channel starts with this amount of credit independently.

A receiver grants additional credit by sending a Credit message. The bytes field is added to the sender's available credit for that channel.

Credits are additive. If a receiver grants 1000 bytes, then grants 500 more, the sender has 1500 bytes available.

Credit messages SHOULD be processed in receive order without intentional delay. Starving Credit processing can cause unnecessary stalls.

Sending a channel element consumes credits equal to its byte count (see r[flow.channel.byte-accounting]). The sender MUST track remaining credit and MUST NOT send if it would result in negative credit.

If a receiver receives a channel element whose byte count exceeds the remaining credit for that channel, it MUST send a Goodbye message (reason: flow.channel.credit-overrun) and close the connection.

If a sender has zero remaining credit for a channel, it MUST wait for a Credit message before sending more data. This is not a protocol error — the receiver controls the pace.

Close messages (and Reset) do not consume credit. A sender MAY always send Close regardless of credit state. This ensures channels can always be closed.

Implementations MAY use "infinite credit" mode by setting a very large initial credit (e.g., u32::MAX). This disables backpressure but simplifies implementation. The protocol semantics remain the same.

RPC call (Request/Response) payloads are bounded by max_payload_size negotiated during handshake. No credit-based flow control is used.

All messages except Hello, Connect, Accept, and Reject include a conn_id field identifying which virtual connection they belong to. Messages with an unknown conn_id MUST be handled as a protocol error (send Goodbye on connection 0 and close the link).

If a peer receives a Message with an unknown enum discriminant, it MUST send a Goodbye message (reason: message.unknown-variant) and close the connection.

If a peer cannot decode a received message (invalid ¹ encoding, ¹ framing error, or malformed fields), it MUST send a Goodbye message (reason: message.decode-error) and close the connection.

Both peers MUST send a Hello message immediately after connection establishment, before any other message.

Hello is an enum to allow future versions.

If a peer receives a Hello with an unknown variant, it MUST send a Goodbye message (with reason containing message.hello.unknown-version) and close the connection.

A peer MUST NOT send any message other than Hello until it has both sent and received Hello.

The effective limits for a connection are the minimum of both peers' advertised values.

If a peer receives a Request or Response whose payload exceeds the negotiated max_payload_size, it MUST send a Goodbye message (reason: message.hello.enforcement) and close the link.

Either peer MAY send Connect to request a new virtual connection. The request_id is used to correlate the response (Accept or Reject). Connect request IDs are scoped to the link, not to any connection.

Connect metadata MAY include authentication tokens, routing hints, tracing context, or application-specific data. The same metadata limits apply as for RPC calls (see r[call.metadata.limits]).

Connect request_ids MUST be unique among in-flight Connect requests on the link. They are independent of RPC request IDs.

If the peer is listening for incoming connections (via take_incoming_connections() on connection 0), it responds with Accept, providing the newly allocated conn_id. The new connection is immediately usable.

Accept metadata MAY include server-assigned session information, connection-specific configuration, or tracing context.

If the peer is not listening for incoming connections, or if the connection is rejected for any other reason (auth failure, rate limiting, etc.), it MUST respond with Reject.

The reason field SHOULD describe why the connection was rejected. Common reasons include: "not listening", "unauthorized", "rate limited". Metadata MAY provide additional structured rejection information.

If no Accept or Reject is received within a reasonable time, implementations SHOULD treat the Connect as failed. The request_id is "burned" and MUST NOT be reused.

A peer MUST send a Goodbye message before closing a virtual connection due to a protocol error. The reason field MUST contain the rule ID that was violated (e.g., channeling.id.zero-reserved), optionally followed by additional context.

Upon receiving a Goodbye message, a peer MUST stop sending messages on that connection. All in-flight requests on that connection fail with a connection error. All open channels on that connection are terminated. Other connections on the same link are unaffected.

Sending Goodbye on connection 0 closes the entire link. All virtual connections are terminated, and the underlying transport (TCP socket, WebSocket, etc.) is closed.

A peer MAY send Goodbye with an empty reason for graceful shutdown (not due to an error). This is the normal way to close a connection.

Each transport message MUST contain exactly one roam message, ¹-encoded. Fragmentation and reassembly are not supported.

Transport messages MUST be binary (not text). For WebSocket, this means binary frames, not text frames.

All messages (control, RPC, channel data) flow through the same link. The channel_id and conn_id fields provide multiplexing.

Messages MUST be framed using ¹. Each message MUST be followed by a 0x00 delimiter byte.

[COBS-encoded message][0x00][COBS-encoded message][0x00]...