@rine-network/openclaw 0.1.0

package/dist/setup.js

@@ -0,0 +1,16 @@
+import { n as resolveRineConfig, r as rinePlugin, t as readRineCredentials } from "./config-BsdV6THh.js";
+import { defineSetupPluginEntry } from "openclaw/plugin-sdk/channel-core";
+//#region setup.ts
+/** Auto-detect existing rine creds for the setup flow. Pure read; no writes. */
+function detectRineSetup(raw = {}) {
+	const creds = readRineCredentials(resolveRineConfig(raw));
+	return {
+		configDir: creds.configDir,
+		apiUrl: creds.apiUrl,
+		hasCredentials: Boolean(creds.entry),
+		pollUrl: creds.pollUrl
+	};
+}
+var setup_default = defineSetupPluginEntry(rinePlugin);
+//#endregion
+export { setup_default as default, detectRineSetup };

package/dist/src/channel.d.ts

@@ -0,0 +1,14 @@
+import type { ChannelPlugin } from "openclaw/plugin-sdk";
+/** Single-account model for the rine channel (the credentialed agent). */
+export interface RineAccount {
+    accountId: string;
+}
+/**
+ * Minimal but type-valid `ChannelPlugin` for rine. Required fields only:
+ * id / meta / capabilities / config. Inbound delivery + outbound replies are owned by
+ * the notify service + dispatch seam (the canonical reply path lives on the runtime
+ * singleton, available to the service), so the channel object stays thin — it advertises
+ * the `rine` channel so sessions key as `agent:<id>:rine:<kind>:<peer>` and the channel
+ * surfaces in `plugins inspect`. See SDK_CONTRACT.md.
+ */
+export declare const rinePlugin: ChannelPlugin<RineAccount>;

package/dist/src/config.d.ts

@@ -0,0 +1,17 @@
+import type { CredentialEntry } from "@rine-network/core";
+import type { RineConfig } from "./types.js";
+/** Resolve the typed config from a raw `api.pluginConfig` (or `{}`), applying defaults. */
+export declare function resolveRineConfig(raw?: Record<string, unknown>): RineConfig;
+export interface ResolvedCreds {
+    configDir: string;
+    apiUrl: string;
+    entry: CredentialEntry | undefined;
+    pollUrl: string | undefined;
+}
+/**
+ * Resolve rine credentials using core's 3-level config-dir fallback
+ * ($RINE_CONFIG_DIR > ~/.config/rine > $PWD/.rine). An explicit `cfg.configDir`
+ * override wins and is threaded directly — we never mutate `process.env`. Reuses core
+ * helpers; no host keychain access, no token writes.
+ */
+export declare function readRineCredentials(cfg: RineConfig): ResolvedCreds;

package/dist/src/constants.d.ts

@@ -0,0 +1,15 @@
+/**
+ * The single `"default"` profile/account literal, shared so a rename touches one place.
+ *
+ * It is the rine credential *profile* key passed to core's
+ * `getCredentialEntry`/`getOrRefreshToken` (the entry under `.default` in
+ * credentials.json) and, identically, the OpenClaw single-account id for the rine
+ * channel. Both are `"default"` by convention.
+ */
+export declare const DEFAULT_ACCOUNT_ID = "default";
+/**
+ * Internal mcp tools the plugin depends on at runtime but does NOT expose to the agent.
+ * Validated at startup (alongside `selectExposedTools`) so a rename of an mcp tool fails
+ * fast at load, not at first reply. `rine_reply` backs the inbound→reply dispatch path.
+ */
+export declare const INTERNAL_TOOLS: readonly ["rine_reply"];

package/dist/src/dispatch.d.ts

@@ -0,0 +1,54 @@
+import type { OpenClawConfig, PluginLogger, PluginRuntime } from "openclaw/plugin-sdk";
+import type { RineClient } from "./rine-client.js";
+import type { RineConfig, RineInbound } from "./types.js";
+/**
+ * The agent-turn dispatch fn — injected so the dedupe/ordering logic is unit-testable
+ * without the SDK. In production it wraps `dispatchInboundDirectDmWithRuntime`
+ * (`openclaw/plugin-sdk/channel-inbound`), the canonical inbound→agent-turn helper that
+ * routes, finalizes the PascalCase ctx, records the session, and dispatches.
+ */
+export type DispatchFn = (msg: RineInbound, signal: AbortSignal) => Promise<void>;
+export interface OnMessageDeps {
+    client: RineClient;
+    config: RineConfig;
+    agentId: string;
+    logger: PluginLogger;
+    dispatch: DispatchFn;
+    signal: AbortSignal;
+}
+/**
+ * A single inbound → exactly-one agent-turn handler with at-least-once mark-delivered.
+ *
+ * Returns `true` when the message reached a terminal handled state (delivered, already-seen,
+ * or quarantined) so the SSE cursor may advance past it; `false` only when dispatch FAILED —
+ * a transient error that must be retried, so the cursor must stay behind it.
+ */
+export type OnMessage = (msg: RineInbound) => Promise<boolean>;
+/** The inline pointer body — ciphertext stays out of the transcript; agent calls `rine_read`. */
+export declare function pointerText(msg: RineInbound): string;
+/**
+ * Build the shared `onMessage` path all transports converge on.
+ *
+ * Invariants (acceptance §6):
+ *  - dedupe by rine message id (Set, add-id-BEFORE-await race guard; delete-on-error
+ *    so a failed dispatch is retried; hourly clear bounds memory).
+ *  - mark-delivered ONLY after a successful dispatch (at-least-once).
+ *  - disallowed sender → quarantine (logged exactly once), no dispatch, not marked
+ *    delivered (recoverable after the operator fixes allowFrom + restarts the gateway).
+ */
+export declare function makeOnMessage(deps: OnMessageDeps): OnMessage;
+/**
+ * Production dispatch fn: wakes an agent turn for one inbound rine message via the
+ * canonical `dispatchInboundDirectDmWithRuntime` helper. `api.config` (cfg) and
+ * `api.runtime` (the `DirectDmRuntime` facade) are threaded in from the service.
+ *
+ * Keeps the pointer-body design: `pointerText(msg)` carries only a "read with rine_read"
+ * pointer, so ciphertext never enters the transcript.
+ */
+export declare function makeRuntimeDispatcher(params: {
+    cfg: OpenClawConfig;
+    runtime: PluginRuntime;
+    client: RineClient;
+    agentId: string;
+    logger: PluginLogger;
+}): DispatchFn;

package/dist/src/inbound.d.ts

@@ -0,0 +1,27 @@
+import type { MessageRead } from "@rine-network/core";
+import type { AllowDecision, RineInbound } from "./types.js";
+/**
+ * Normalize a rine SSE `event: message` payload (or a `/messages` item) — both are
+ * a full `MessageRead` JSON — into the transport-agnostic `RineInbound`.
+ */
+export declare function normalizeRineEvent(raw: MessageRead): RineInbound;
+/**
+ * Normalize a rine standard-webhook body. rine's webhook delivers the message
+ * record (possibly wrapped under `message`/`data`). Falls through to the same
+ * MessageRead shape as the SSE/messages path.
+ */
+export declare function normalizeStandardWebhook(body: unknown): RineInbound | undefined;
+/**
+ * Normalize an A2A per-task push (`result.artifactUpdate` JSON-RPC envelope).
+ * taskId == contextId == conversationId. Returns undefined if the shape doesn't match.
+ *
+ * SECURITY: `from` (→ `fromHandle`) is self-reported by the A2A producer. The webhook
+ * HMAC proves the *channel* (the rine relay) is genuine, not that the asserted sender is
+ * who they claim — treat the handle as unverified for any trust decision.
+ */
+export declare function normalizeA2A(body: unknown): RineInbound | undefined;
+/**
+ * Allowlist decision. `*` = allow all; `@org` = org-scoped; exact handle match.
+ * Disallowed senders are **quarantined** (caller logs), never silently dropped.
+ */
+export declare function isAllowed(fromHandle: string, allowFrom: string[]): AllowDecision;

package/dist/src/outbound.d.ts

@@ -0,0 +1,8 @@
+import type { RineClient } from "./rine-client.js";
+import type { RineInbound } from "./types.js";
+/**
+ * Route an agent reply back out as a rine message, reusing the lifted `rine_reply`
+ * handler (E2EE encrypt + POST /messages/{id}/reply, auto-routed to the original
+ * sender, conversation_id preserved). No crypto/HTTP reimplemented.
+ */
+export declare function sendRineReply(client: RineClient, inbound: RineInbound, text: string): Promise<unknown>;

package/dist/src/rine-client.d.ts

@@ -0,0 +1,25 @@
+import { HttpClient } from "@rine-network/core";
+import type { MessageRead } from "@rine-network/core";
+import type { ToolContext } from "@rine-network/mcp/tools";
+import type { ResolvedCreds } from "./config.js";
+export interface RineClient {
+    /** Shared `ToolContext` for the lifted mcp tool handlers. */
+    toolContext: ToolContext;
+    client: HttpClient;
+    configDir: string;
+    apiUrl: string;
+    /** Mint/refresh the OAuth JWT via core's token cache (auto-refresh on 401). */
+    getJwt: (force?: boolean) => Promise<string>;
+    /** Unauthenticated poll: `GET {pollUrl}` → count. Returns 0 on any failure. */
+    pollCount: (pollUrl: string, signal?: AbortSignal) => Promise<number>;
+    /** Fetch new messages for an agent (auth). */
+    fetchNewMessages: (agentId: string, limit?: number) => Promise<MessageRead[]>;
+    /** Mark messages delivered (auth) — at-least-once after successful dispatch. */
+    markDelivered: (agentId: string, ids: string[]) => Promise<number>;
+}
+/**
+ * Build the rine HTTP client + ToolContext from resolved creds. Mirrors
+ * rine-mcp/src/server.ts bootstrap: tokenFn = getCredentialEntry + getOrRefreshToken;
+ * new HttpClient({ tokenFn, apiUrl, canRefresh }).
+ */
+export declare function buildRineClient(creds: ResolvedCreds): RineClient;

package/dist/src/service.d.ts

@@ -0,0 +1,26 @@
+import type { OpenClawPluginApi, PluginLogger } from "openclaw/plugin-sdk";
+import type { OpenClawPluginService } from "openclaw/plugin-sdk/core";
+import type { RineClient } from "./rine-client.js";
+import type { TransportContext } from "./transports/context.js";
+import type { RineConfig } from "./types.js";
+/** Run the chosen transport. Exposed for testing with a stubbed transport map. */
+export declare function runTransport(tc: TransportContext): Promise<void>;
+/**
+ * Resolve the rine agent id this install is bound to. `channels.rine.agentId` (a UUID,
+ * handle, or bare name) wins; otherwise the org's sole agent is auto-selected — the same
+ * resolution the CLI uses (`fetchAgents` + `resolveAgent`).
+ *
+ * The OAuth `client_id` is NOT an agent id: credentials.json stores `client_id`/`client_secret`,
+ * and binding the transport to it requests `/agents/{client_id}/stream|messages`, which 404s on
+ * every transport. Returns undefined (the service idles) on a network error or an ambiguous
+ * multi-agent org with no `agentId` set — both surface an actionable log; the gateway
+ * health-monitor restarts the idle service, re-resolving once connectivity/config is fixed.
+ */
+export declare function resolveBoundAgentId(client: RineClient, config: RineConfig, logger: PluginLogger): Promise<string | undefined>;
+/**
+ * The single background notify service. `start(ctx)` resolves creds, owns the
+ * AbortController (the service ctx has NO abort signal — see SDK_CONTRACT.md), then
+ * hands off to `startNotifyLoop` which resolves the bound agent id and runs the transport.
+ * `stop` aborts it. The long-lived loop lives here, not in a channel `gateway.startAccount`.
+ */
+export declare function makeRineService(api: OpenClawPluginApi): OpenClawPluginService;

package/dist/src/tools.d.ts

@@ -0,0 +1,40 @@
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import type { AnyAgentTool } from "openclaw/plugin-sdk";
+import type { ToolContext, ToolDef } from "@rine-network/mcp/tools";
+/** Tools exposed by the plugin (filtered from the mcp tool array). */
+export declare const EXPOSED_TOOLS: readonly ["rine_whoami", "rine_discover", "rine_send", "rine_read", "rine_inbox", "rine_onboard"];
+/** Mutating tools gated behind the allowlist (manifest `toolMetadata.optional`). */
+export declare const OPTIONAL_TOOLS: Set<string>;
+/**
+ * Strip raw ciphertext from any tool result before it reaches a transcript.
+ * Recurses through objects/arrays so `rine_read`/`rine_inbox` (which spread the
+ * raw `MessageRead`) never surface `encrypted_payload`. Plaintext lives on the
+ * `decrypted`/`verified` fields the mcp handlers add.
+ */
+export declare function stripCiphertext(value: unknown): unknown;
+/** Filter mcp tools to the exposed set; fail loud on a missing name (version skew). */
+export declare function selectExposedTools(all?: ToolDef[]): ToolDef[];
+/**
+ * Validate the undeclared internal tools the plugin relies on (e.g. `rine_reply`,
+ * which backs the inbound→reply path). Throws at startup on a version skew so a rename
+ * of an mcp tool fails fast at load — not silently at first reply.
+ */
+export declare function assertInternalTools(all?: ToolDef[]): void;
+/**
+ * Adapt one mcp ToolDef into an OpenClaw AnyAgentTool with ciphertext stripping.
+ * `parameters` is rine-mcp's JSON-schema `inputSchema`; `registerTool` stores it
+ * verbatim (no TypeBox validation — see SDK_CONTRACT.md), so the whole tool object
+ * is cast to `AnyAgentTool` at one documented seam. (typebox is a transitive dep of
+ * openclaw, not directly importable, so we never reference its `TSchema` type.)
+ *
+ * A thrown handler (e.g. an optional tool called on a headless install, or a transient
+ * API failure) is converted into an actionable `jsonResult` error string — the agent
+ * gets a result it can reason about instead of the turn crashing or hanging.
+ */
+export declare function toOpenClawTool(def: ToolDef, ctx: ToolContext): AnyAgentTool;
+/**
+ * Register the exposed rine tools on the plugin api. `rine_send`/`rine_onboard`
+ * are registered `{ optional: true }` (allowlist gating per manifest toolMetadata).
+ * Internal deps (`rine_reply`) are validated here too so version skew fails at load.
+ */
+export declare function registerRineTools(api: OpenClawPluginApi, ctx: ToolContext): void;

package/dist/src/transports/backoff.d.ts

@@ -0,0 +1,9 @@
+/** Sleep for `ms`, resolving early (rejecting) if the signal aborts. */
+export declare function sleep(ms: number, signal?: AbortSignal): Promise<void>;
+/**
+ * OpenClawcity exp-backoff + jitter:
+ *   exp = base * 2^attempt; capped = min(exp, max);
+ *   jitter = capped * 0.3 * (rand*2 - 1); return max(100, capped + jitter)
+ * Bounded to >=100ms and <= max + 30% jitter.
+ */
+export declare function backoff(attempt: number, baseMs: number, maxMs: number, rand?: () => number): number;

package/dist/src/transports/context.d.ts

@@ -0,0 +1,17 @@
+import type { PluginLogger } from "openclaw/plugin-sdk";
+import type { OnMessage } from "../dispatch.js";
+import type { RineClient } from "../rine-client.js";
+import type { RineConfig } from "../types.js";
+/** Everything a transport needs. Built once by the notify service. */
+export interface TransportContext {
+    client: RineClient;
+    config: RineConfig;
+    agentId: string;
+    logger: PluginLogger;
+    /** Shared dedupe + mark-after-success dispatch path. */
+    onMessage: OnMessage;
+    /** Service-owned abort signal (created in start, aborted in stop). */
+    signal: AbortSignal;
+    /** Poll token URL from credentials.json (`.default.poll_url`). */
+    pollUrl?: string;
+}

package/dist/src/transports/cursor.d.ts

@@ -0,0 +1,5 @@
+import type { PluginLogger } from "openclaw/plugin-sdk";
+/** Read the persisted Last-Event-ID for an agent, or undefined if absent/corrupt. */
+export declare function loadCursor(configDir: string, agentId: string, logger?: PluginLogger): string | undefined;
+/** Persist the Last-Event-ID for an agent via an atomic 0600 write. Best-effort. */
+export declare function saveCursor(configDir: string, agentId: string, eventId: string, logger?: PluginLogger): void;

package/dist/src/transports/expose.d.ts

@@ -0,0 +1,16 @@
+import type { IncomingMessage, ServerResponse } from "node:http";
+import type { OpenClawPluginApi } from "openclaw/plugin-sdk";
+import type { TransportContext } from "./context.js";
+export declare const RINE_INBOUND_PATH = "/rine/inbound";
+/** The /rine/inbound handler: HMAC-verify, normalize (standard or A2A), dispatch. */
+export declare function handleInbound(req: IncomingMessage, res: ServerResponse): Promise<boolean>;
+/** Register the /rine/inbound route globally (idempotent no-op until EXPOSE active). */
+export declare function registerExposeRoute(api: OpenClawPluginApi): void;
+/**
+ * EXPOSE transport. Requires a public base URL; enrolls a standard agent webhook
+ * (`POST /webhooks`, HMAC-signed, fires on all inbound). On any precondition failure
+ * (no URL / SSRF reject / enroll fail) it falls back to SSE. Never a hard failure.
+ * The enrolled webhook is DELETEd best-effort on teardown so it doesn't accumulate
+ * against the per-agent quota.
+ */
+export declare function runExposeTransport(tc: TransportContext): Promise<void>;

package/dist/src/transports/hmac.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Verify a rine standard-webhook signature: `X-Rine-Signature: sha256=<hex>`,
+ * where hex = HMAC-SHA256(rawBody, secret). Constant-time compare.
+ */
+export declare function verifyRineSignature(rawBody: Buffer | string, header: string | undefined, secret: string): boolean;

package/dist/src/transports/poll.d.ts

@@ -0,0 +1,11 @@
+import type { TransportContext } from "./context.js";
+/**
+ * POLL transport — least token-intensive. Fixed-interval `GET /poll/{token}` (unauth);
+ * only on `count > 0` does it mint a JWT, fetch `/messages?status=new`, and dispatch.
+ *
+ * Graceful fallback: on `/poll` failure (e.g. revoked token) it logs an actionable
+ * message and keeps the loop alive at the fixed interval — never crashes the service.
+ * (`pollCount` returns 0 on any error; a transient zero is indistinguishable from an
+ * empty inbox, which is the desired no-work behavior.)
+ */
+export declare function runPollTransport(tc: TransportContext): Promise<void>;

package/dist/src/transports/sse.d.ts

@@ -0,0 +1,18 @@
+import type { TransportContext } from "./context.js";
+interface SseEvent {
+    event: string;
+    id?: string;
+    data: string;
+}
+/** Parse a complete SSE event block (lines split on `\n`). */
+export declare function parseSseBlock(block: string): SseEvent | undefined;
+/**
+ * SSE transport — the safe default. Holds an authenticated outbound stream to
+ * `GET /agents/{id}/stream?persistent=true`, resumes via `Last-Event-ID`, dispatches
+ * `event: message` payloads, reconnects with exp-backoff + jitter.
+ *
+ * Graceful fallback: after repeated connect/stream errors it imports and runs the POLL
+ * transport (SSE → poll rung of the ladder). Never crashes the service.
+ */
+export declare function runSseTransport(tc: TransportContext): Promise<void>;
+export {};

package/dist/src/types.d.ts

@@ -0,0 +1,45 @@
+/** Normalized inbound rine message, transport-agnostic. */
+export interface RineInbound {
+    /** rine message id — the dedupe + mark-delivered key. */
+    id: string;
+    /** rine conversation uuid (thread id / A2A taskId). */
+    conversationId: string;
+    /**
+     * Sender handle `name@org`, or agent id when handle is absent.
+     *
+     * SECURITY: for A2A-sourced inbound this is the *self-reported* `from` field. The
+     * webhook HMAC authenticates the channel (the rine relay), NOT the asserted sender,
+     * so an A2A `fromHandle` is untrusted for authorization — gate on `allowFrom` only as
+     * a coarse filter, never as proof of identity.
+     */
+    fromHandle: string;
+    /** rine message type, e.g. `rine.v1.dm`. */
+    type: string;
+    /** Whether this is a group/broadcast message. */
+    isGroup: boolean;
+    /** Group handle `#name@org` when `isGroup`. */
+    groupHandle?: string;
+    /** Raw ISO-8601 created timestamp. */
+    createdAt?: string;
+    /** Opaque ciphertext — decrypted on demand, never surfaced verbatim. */
+    encryptedPayload: string;
+    /** E2EE scheme tag, e.g. `hpke-v1`, `mls-v1`. */
+    encryptionVersion: string;
+    /** Group id (uuid) for group decrypt. */
+    groupId?: string;
+}
+/** Resolved plugin config (after defaults). Mirrors `openclaw.plugin.json` configSchema. */
+export interface RineConfig {
+    transport: "expose" | "sse" | "poll";
+    configDir?: string;
+    agentId?: string;
+    baseUrl?: string;
+    pollIntervalMs: number;
+    reconnectBaseMs: number;
+    reconnectMaxMs: number;
+    exposeBaseUrl?: string;
+    a2aAcceptCleartext: boolean;
+    allowFrom: string[];
+}
+/** Disposition for a sender vs the allowlist. */
+export type AllowDecision = "allowed" | "quarantined";

package/dist/sse-DqQGOjpI.js

@@ -0,0 +1,170 @@
+import { r as normalizeRineEvent } from "./inbound-G0JD7YmI.js";
+import { n as sleep, t as backoff } from "./backoff-BMNABavv.js";
+import { chmodSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
+import { join } from "node:path";
+//#region src/transports/cursor.ts
+/** Per-agent cursor path; agentId is sanitized so an operator-typed handle can't escape configDir. */
+function cursorPath(configDir, agentId) {
+	return join(configDir, `sse_cursor_${(agentId || "default").replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 128)}.json`);
+}
+function msgOf(err) {
+	return err instanceof Error ? err.message : String(err);
+}
+/** Read the persisted Last-Event-ID for an agent, or undefined if absent/corrupt. */
+function loadCursor(configDir, agentId, logger) {
+	try {
+		const parsed = JSON.parse(readFileSync(cursorPath(configDir, agentId), "utf-8"));
+		return typeof parsed.lastEventId === "string" && parsed.lastEventId !== "" ? parsed.lastEventId : void 0;
+	} catch (err) {
+		if (err.code !== "ENOENT") logger?.debug?.(`rine: cursor load failed (${msgOf(err)}) — resuming without it`);
+		return;
+	}
+}
+/** Persist the Last-Event-ID for an agent via an atomic 0600 write. Best-effort. */
+function saveCursor(configDir, agentId, eventId, logger) {
+	const path = cursorPath(configDir, agentId);
+	const tmp = `${path}.${process.pid}.tmp`;
+	try {
+		mkdirSync(configDir, {
+			recursive: true,
+			mode: 448
+		});
+		writeFileSync(tmp, JSON.stringify({ lastEventId: eventId }), { mode: 384 });
+		renameSync(tmp, path);
+		chmodSync(path, 384);
+	} catch (err) {
+		logger?.debug?.(`rine: cursor save failed for ${eventId} (${msgOf(err)})`);
+	}
+}
+//#endregion
+//#region src/transports/sse.ts
+const MAX_ATTEMPTS_BEFORE_FALLBACK = 5;
+/** ~3× the server heartbeat (~30s): no bytes for this long => dead socket, reconnect. */
+const IDLE_TIMEOUT_MS = 9e4;
+/** Parse a complete SSE event block (lines split on `\n`). */
+function parseSseBlock(block) {
+	let event = "message";
+	let id;
+	const dataLines = [];
+	for (const line of block.split("\n")) {
+		if (line.startsWith(":")) continue;
+		const idx = line.indexOf(":");
+		const field = idx === -1 ? line : line.slice(0, idx);
+		const value = idx === -1 ? "" : line.slice(idx + 1).replace(/^ /, "");
+		if (field === "event") event = value;
+		else if (field === "id") id = value;
+		else if (field === "data") dataLines.push(value);
+	}
+	if (dataLines.length === 0 && !id) return void 0;
+	return {
+		event,
+		id,
+		data: dataLines.join("\n")
+	};
+}
+/**
+* SSE transport — the safe default. Holds an authenticated outbound stream to
+* `GET /agents/{id}/stream?persistent=true`, resumes via `Last-Event-ID`, dispatches
+* `event: message` payloads, reconnects with exp-backoff + jitter.
+*
+* Graceful fallback: after repeated connect/stream errors it imports and runs the POLL
+* transport (SSE → poll rung of the ladder). Never crashes the service.
+*/
+async function runSseTransport(tc) {
+	const { client, config, agentId, logger, onMessage, signal } = tc;
+	let attempt = 0;
+	let lastEventId = loadCursor(client.configDir, agentId, logger);
+	while (!signal.aborted) try {
+		await streamOnce({
+			tc,
+			lastEventId,
+			onDelivered: (id) => {
+				lastEventId = id;
+				saveCursor(client.configDir, agentId, id, logger);
+			},
+			onReset: () => {
+				attempt = 0;
+			},
+			onRaw: async (raw) => onMessage(normalizeRineEvent(raw))
+		});
+		attempt = 0;
+	} catch (err) {
+		attempt += 1;
+		logger.warn(`rine: SSE stream error (attempt ${attempt}): ${err instanceof Error ? err.message : String(err)}`);
+		if (attempt >= MAX_ATTEMPTS_BEFORE_FALLBACK) {
+			logger.warn("rine: SSE failed repeatedly — falling back to POLL transport");
+			const { runPollTransport } = await import("./poll-BvmG87ve.js");
+			await runPollTransport(tc);
+			return;
+		}
+		await waitBackoff(attempt, config, signal);
+	}
+}
+async function waitBackoff(attempt, config, signal) {
+	const delay = backoff(attempt, config.reconnectBaseMs, config.reconnectMaxMs);
+	try {
+		await sleep(delay, signal);
+	} catch {}
+}
+async function streamOnce(params) {
+	const { tc, lastEventId, onDelivered, onReset, onRaw } = params;
+	const { client, agentId, signal } = tc;
+	const headers = {
+		Authorization: `Bearer ${await client.getJwt()}`,
+		Accept: "text/event-stream"
+	};
+	if (lastEventId) headers["Last-Event-ID"] = lastEventId;
+	const url = `${client.apiUrl}/agents/${agentId}/stream?persistent=true`;
+	const res = await fetch(url, {
+		headers,
+		signal
+	});
+	if (!res.ok || !res.body) throw new Error(`stream HTTP ${res.status}`);
+	onReset();
+	const reader = res.body.getReader();
+	const decoder = new TextDecoder();
+	let buffer = "";
+	let gapSeen = false;
+	while (!signal.aborted) {
+		const { done, value } = await readWithIdleWatchdog(reader);
+		if (done) return;
+		buffer += decoder.decode(value, { stream: true });
+		let sep;
+		while ((sep = buffer.indexOf("\n\n")) !== -1) {
+			const block = buffer.slice(0, sep);
+			buffer = buffer.slice(sep + 2);
+			const evt = parseSseBlock(block);
+			if (!evt || evt.event !== "message" || !evt.data) continue;
+			let delivered = false;
+			try {
+				delivered = await onRaw(JSON.parse(evt.data));
+			} catch {
+				if (evt.id) gapSeen = true;
+				continue;
+			}
+			if (delivered && !gapSeen && evt.id) onDelivered(evt.id);
+			else if (!delivered) gapSeen = true;
+		}
+	}
+}
+/**
+* `reader.read()` with an idle watchdog: if no chunk arrives within `IDLE_TIMEOUT_MS`,
+* cancel the reader and throw so the reconnect loop takes over (a silently-dead socket
+* never surfaces a `done`). Resets on every chunk because each call starts a fresh timer.
+*/
+async function readWithIdleWatchdog(reader) {
+	let timer;
+	const idle = new Promise((_, reject) => {
+		timer = setTimeout(() => {
+			reader.cancel().catch(() => {});
+			reject(/* @__PURE__ */ new Error(`SSE idle timeout (${IDLE_TIMEOUT_MS}ms, no bytes)`));
+		}, IDLE_TIMEOUT_MS);
+	});
+	try {
+		return await Promise.race([reader.read(), idle]);
+	} finally {
+		if (timer) clearTimeout(timer);
+	}
+}
+//#endregion
+export { runSseTransport };