@rine-network/openclaw 0.1.4 → 0.1.5

package/README.md

@@ -11,8 +11,33 @@ conversation). The agent can also actively send/read/discover via tools.
 ## Install
 
 ```bash
+# 1. Install and enable the plugin
 openclaw plugins install npm:@rine-network/openclaw
 openclaw plugins enable rine
+```
+
+**Step 2 is required — add the `channels.rine` block to `openclaw.json`:**
+
+```json
+{
+  "channels": {
+    "rine": {
+      "transport": "sse",
+      "healthMonitor": { "enabled": false }
+    }
+  }
+}
+```
+
+OpenClaw only activates a channel plugin — importing its code, registering the notify
+service, tools, and inbound route — when the channel id appears under `channels.<id>` in
+`openclaw.json`. Without it, `plugins list` shows the plugin as "enabled/loaded" but the
+inbox is **silently dead** (no notify service) and you will see recurring
+`health-monitor: restarting (reason: stopped)` churn. Setting
+`healthMonitor.enabled: false` silences that churn (requires plugin ≥ 0.1.3).
+
+```bash
+# 3. Restart and verify
 openclaw gateway restart
 openclaw plugins inspect rine --runtime --json   # verify channel + tools + service + route
 ```
@@ -53,7 +78,9 @@ install/update time — once installed, the plugin loads normally. (npm placing
 
 ## Pick a transport posture
 
-Set `channels.rine.transport` in `openclaw.json` (default `sse`):
+The `channels.rine` block in `openclaw.json` is what activates the channel (see **Install**
+above). Once you have the block, you can tune the `transport` field within it — the default
+is `sse` if you omit the field entirely:
 
 | Transport | How it works | Best for |
 |-----------|--------------|----------|

package/dist/channel-DpHhVQ-n.js

@@ -0,0 +1,277 @@
+import { patchTopLevelChannelConfigSection } from "openclaw/plugin-sdk/setup";
+import { HttpClient, getCredentialEntry, getOrRefreshToken, resolveApiUrl, resolveConfigDir } from "@rine-network/core";
+import { tools } from "@rine-network/mcp/tools";
+//#region src/constants.ts
+/**
+* The single `"default"` profile/account literal, shared so a rename touches one place.
+*
+* It is the rine credential *profile* key passed to core's
+* `getCredentialEntry`/`getOrRefreshToken` (the entry under `.default` in
+* credentials.json) and, identically, the OpenClaw single-account id for the rine
+* channel. Both are `"default"` by convention.
+*/
+const DEFAULT_ACCOUNT_ID = "default";
+/**
+* Internal mcp tools the plugin depends on at runtime but does NOT expose to the agent.
+* Validated at startup (alongside `selectExposedTools`) so a rename of an mcp tool fails
+* fast at load, not at first reply. `rine_reply` backs the inbound→reply dispatch path;
+* `rine_send` backs the channel `outbound` adapter (active sends to an arbitrary target).
+*/
+const INTERNAL_TOOLS = ["rine_reply", "rine_send"];
+//#endregion
+//#region src/config.ts
+const DEFAULTS = {
+	transport: "sse",
+	pollIntervalMs: 6e4,
+	reconnectBaseMs: 3e3,
+	reconnectMaxMs: 3e5,
+	a2aAcceptCleartext: true
+};
+function asString(v) {
+	return typeof v === "string" && v.trim() !== "" ? v : void 0;
+}
+function asNumber(v, fallback) {
+	return typeof v === "number" && Number.isFinite(v) ? v : fallback;
+}
+function asTransport(v) {
+	return v === "expose" || v === "poll" || v === "sse" ? v : DEFAULTS.transport;
+}
+function asAllowFrom(v) {
+	if (Array.isArray(v)) {
+		const entries = v.filter((e) => typeof e === "string");
+		return entries.length > 0 ? entries : ["*"];
+	}
+	return ["*"];
+}
+/** Resolve the typed config from a raw `api.pluginConfig` (or `{}`), applying defaults. */
+function resolveRineConfig(raw = {}) {
+	return {
+		transport: asTransport(raw.transport),
+		configDir: asString(raw.configDir),
+		agentId: asString(raw.agentId),
+		baseUrl: asString(raw.baseUrl),
+		pollIntervalMs: asNumber(raw.pollIntervalMs, DEFAULTS.pollIntervalMs),
+		reconnectBaseMs: asNumber(raw.reconnectBaseMs, DEFAULTS.reconnectBaseMs),
+		reconnectMaxMs: asNumber(raw.reconnectMaxMs, DEFAULTS.reconnectMaxMs),
+		exposeBaseUrl: asString(raw.exposeBaseUrl),
+		a2aAcceptCleartext: typeof raw.a2aAcceptCleartext === "boolean" ? raw.a2aAcceptCleartext : DEFAULTS.a2aAcceptCleartext,
+		allowFrom: asAllowFrom(raw.allowFrom)
+	};
+}
+/**
+* Resolve rine credentials using core's 3-level config-dir fallback
+* ($RINE_CONFIG_DIR > ~/.config/rine > $PWD/.rine). An explicit `cfg.configDir`
+* override wins and is threaded directly — we never mutate `process.env`. Reuses core
+* helpers; no host keychain access, no token writes.
+*/
+function readRineCredentials(cfg) {
+	const configDir = cfg.configDir ?? resolveConfigDir();
+	const apiUrl = cfg.baseUrl ?? resolveApiUrl();
+	const entry = getCredentialEntry(configDir, DEFAULT_ACCOUNT_ID);
+	return {
+		configDir,
+		apiUrl,
+		entry,
+		pollUrl: entry?.poll_url
+	};
+}
+//#endregion
+//#region src/outbound.ts
+function toolByName(name, all = tools) {
+	const def = all.find((t) => t.name === name);
+	if (!def) throw new Error(`rine: required mcp tool "${name}" not found — version skew`);
+	return def;
+}
+/**
+* Route an agent reply back out as a rine message, reusing the lifted `rine_reply`
+* handler (E2EE encrypt + POST /messages/{id}/reply, auto-routed to the original
+* sender, conversation_id preserved). No crypto/HTTP reimplemented.
+*/
+async function sendRineReply(client, inbound, text) {
+	return toolByName("rine_reply").handler(client.toolContext, {
+		message_id: inbound.id,
+		payload: { text }
+	});
+}
+/**
+* Active send of an agent reply/message to an arbitrary rine target, reusing the
+* lifted `rine_send` handler (E2EE encrypt + POST /messages). Backs the channel
+* `outbound.sendText` adapter so OpenClaw's generic `send` message-action resolves
+* and delivers (without this the channel had no outbound surface — the agent's
+* generic send failed with `Unknown target … for rine`).
+*
+* `from` (the sending agent id) is passed only when configured; in a single-agent
+* org `rine_send` resolves the sole agent itself.
+*/
+async function sendRineText(client, to, text, from) {
+	const res = await toolByName("rine_send").handler(client.toolContext, {
+		to,
+		payload: { text },
+		...from ? { from } : {}
+	});
+	return { messageId: res?.id ?? res?.message_id ?? "unknown" };
+}
+//#endregion
+//#region src/rine-client.ts
+/** Hard ceiling on a single unauthenticated /poll request (the poll loop owns the cadence). */
+const POLL_REQUEST_TIMEOUT_MS = 3e4;
+/**
+* Build the rine HTTP client + ToolContext from resolved creds. Mirrors
+* rine-mcp/src/server.ts bootstrap: tokenFn = getCredentialEntry + getOrRefreshToken;
+* new HttpClient({ tokenFn, apiUrl, canRefresh }).
+*/
+function buildRineClient(creds) {
+	const { configDir, apiUrl, entry } = creds;
+	const getJwt = (force) => getOrRefreshToken(configDir, apiUrl, entry, DEFAULT_ACCOUNT_ID, { force });
+	const client = new HttpClient({
+		tokenFn: getJwt,
+		apiUrl,
+		canRefresh: Boolean(entry)
+	});
+	const toolContext = {
+		client,
+		configDir,
+		apiUrl
+	};
+	async function pollCount(pollUrl, signal) {
+		try {
+			const res = await fetch(pollUrl, { signal: signal ?? AbortSignal.timeout(POLL_REQUEST_TIMEOUT_MS) });
+			if (!res.ok) return 0;
+			const body = await res.json();
+			return typeof body.count === "number" ? body.count : 0;
+		} catch {
+			return 0;
+		}
+	}
+	async function fetchNewMessages(agentId, limit = 50) {
+		const res = await client.get(`/agents/${agentId}/messages`, {
+			status: "new",
+			limit
+		});
+		return Array.isArray(res.items) ? res.items : [];
+	}
+	async function markDelivered(agentId, ids) {
+		if (ids.length === 0) return 0;
+		return (await client.markDelivered(agentId, ids)).marked;
+	}
+	return {
+		toolContext,
+		client,
+		configDir,
+		apiUrl,
+		getJwt,
+		pollCount,
+		fetchNewMessages,
+		markDelivered
+	};
+}
+//#endregion
+//#region src/channel.ts
+/** Re-derive the typed rine config from the `channels.rine` block of a live OpenClawConfig. */
+function rineConfigFromCfg(cfg) {
+	const channels = cfg.channels;
+	return resolveRineConfig(channels?.rine ?? {});
+}
+/**
+* Minimal but type-valid `ChannelPlugin` for rine. Required fields only:
+* id / meta / capabilities / config. Inbound delivery + outbound replies are owned by
+* the notify service + dispatch seam (the canonical reply path lives on the runtime
+* singleton, available to the service), so the channel object stays thin — it advertises
+* the `rine` channel so sessions key as `agent:<id>:rine:<kind>:<peer>` and the channel
+* surfaces in `plugins inspect`. See SDK_CONTRACT.md.
+*/
+const rinePlugin = {
+	id: "rine",
+	meta: {
+		id: "rine",
+		label: "rine",
+		selectionLabel: "rine",
+		detailLabel: "rine network",
+		docsPath: "/channels/rine",
+		docsLabel: "rine",
+		blurb: "Agent-to-agent E2EE messaging over the rine network (A2A relay / SSE / poll).",
+		systemImage: "antenna.radiowaves.left.and.right",
+		order: 120,
+		showConfigured: true
+	},
+	capabilities: {
+		chatTypes: ["direct", "group"],
+		reply: true,
+		threads: true,
+		media: false
+	},
+	reload: { configPrefixes: ["channels.rine"] },
+	config: {
+		listAccountIds: () => [DEFAULT_ACCOUNT_ID],
+		resolveAccount: (_cfg, accountId) => ({ accountId: accountId ?? "default" }),
+		defaultAccountId: () => DEFAULT_ACCOUNT_ID
+	},
+	/**
+	* Setup wizard: scaffolds a default `channels.rine` block on first run so
+	* users get a working channel without hand-editing openclaw.json.
+	* Rine credentials live in ~/.config/rine (not openclaw.json), so
+	* `credentials: []` — the wizard completes immediately after the prepare hook.
+	*/
+	setupWizard: {
+		channel: "rine",
+		status: {
+			configuredLabel: "rine configured",
+			unconfiguredLabel: "rine not configured",
+			configuredHint: "Receiving messages via rine network",
+			unconfiguredHint: "Run 'openclaw plugins setup rine' to activate",
+			resolveConfigured: ({ cfg }) => {
+				const ch = cfg.channels;
+				return typeof ch?.rine === "object" && ch.rine !== null;
+			}
+		},
+		credentials: [],
+		prepare: ({ cfg }) => {
+			const ch = cfg.channels;
+			if (typeof ch?.rine === "object" && ch.rine !== null) return;
+			return { cfg: patchTopLevelChannelConfigSection({
+				cfg,
+				channel: "rine",
+				patch: {
+					transport: "sse",
+					healthMonitor: { enabled: false }
+				}
+			}) };
+		}
+	},
+	outbound: {
+		deliveryMode: "direct",
+		resolveTarget: ({ to }) => {
+			const trimmed = to?.trim();
+			if (!trimmed) return {
+				ok: false,
+				error: /* @__PURE__ */ new Error("Delivering to rine needs a target handle or UUID (e.g. alice@acme or #ops@acme).")
+			};
+			return {
+				ok: true,
+				to: trimmed
+			};
+		},
+		sendText: async (ctx) => {
+			const config = rineConfigFromCfg(ctx.cfg);
+			const creds = readRineCredentials(config);
+			if (!creds.entry) throw new Error("rine: no credentials at the resolved config dir — run rine_onboard or set RINE_CONFIG_DIR.");
+			const { messageId } = await sendRineText(buildRineClient(creds), ctx.to, ctx.text, config.agentId);
+			return {
+				channel: "rine",
+				messageId
+			};
+		}
+	},
+	/**
+	* Tell core that any non-empty string is a valid rine target. Without this,
+	* core's directory-search path treats a free-form `name@org` handle as a
+	* display-name (it matches none of the built-in id heuristics) and emits
+	* `Unknown target "<handle>" for rine` before delivery is ever attempted.
+	*/
+	messaging: { targetResolver: {
+		hint: "Use a rine handle (name@org or #group@org) or an agent UUID.",
+		looksLikeId: (raw) => Boolean(raw?.trim())
+	} }
+};
+//#endregion
+export { resolveRineConfig as a, readRineCredentials as i, buildRineClient as n, INTERNAL_TOOLS as o, sendRineReply as r, rinePlugin as t };

package/dist/index.js

@@ -1,9 +1,9 @@
-import { a as INTERNAL_TOOLS, i as DEFAULT_ACCOUNT_ID, n as resolveRineConfig, r as rinePlugin, t as readRineCredentials } from "./config-BsdV6THh.js";
+import { a as resolveRineConfig, i as readRineCredentials, n as buildRineClient, o as INTERNAL_TOOLS, r as sendRineReply, t as rinePlugin } from "./channel-DpHhVQ-n.js";
 import { i as normalizeStandardWebhook, n as normalizeA2A, t as isAllowed } from "./inbound-G0JD7YmI.js";
 import { defineChannelPluginEntry } from "openclaw/plugin-sdk/channel-core";
-import { HttpClient, fetchAgents, getOrRefreshToken, resolveAgent } from "@rine-network/core";
-import { dispatchInboundDirectDmWithRuntime } from "openclaw/plugin-sdk/channel-inbound";
+import { fetchAgents, resolveAgent } from "@rine-network/core";
 import { tools } from "@rine-network/mcp/tools";
+import { dispatchInboundDirectDmWithRuntime } from "openclaw/plugin-sdk/channel-inbound";
 import { jsonResult } from "openclaw/plugin-sdk/channel-actions";
 //#region openclaw.plugin.json
 var description = "Agent-to-agent E2EE messaging over the rine network (A2A relay / SSE / poll).";
@@ -84,85 +84,20 @@ var configSchema = {
 	}
 };
 //#endregion
-//#region src/rine-client.ts
-/** Hard ceiling on a single unauthenticated /poll request (the poll loop owns the cadence). */
-const POLL_REQUEST_TIMEOUT_MS = 3e4;
-/**
-* Build the rine HTTP client + ToolContext from resolved creds. Mirrors
-* rine-mcp/src/server.ts bootstrap: tokenFn = getCredentialEntry + getOrRefreshToken;
-* new HttpClient({ tokenFn, apiUrl, canRefresh }).
-*/
-function buildRineClient(creds) {
-	const { configDir, apiUrl, entry } = creds;
-	const getJwt = (force) => getOrRefreshToken(configDir, apiUrl, entry, DEFAULT_ACCOUNT_ID, { force });
-	const client = new HttpClient({
-		tokenFn: getJwt,
-		apiUrl,
-		canRefresh: Boolean(entry)
-	});
-	const toolContext = {
-		client,
-		configDir,
-		apiUrl
-	};
-	async function pollCount(pollUrl, signal) {
-		try {
-			const res = await fetch(pollUrl, { signal: signal ?? AbortSignal.timeout(POLL_REQUEST_TIMEOUT_MS) });
-			if (!res.ok) return 0;
-			const body = await res.json();
-			return typeof body.count === "number" ? body.count : 0;
-		} catch {
-			return 0;
-		}
-	}
-	async function fetchNewMessages(agentId, limit = 50) {
-		const res = await client.get(`/agents/${agentId}/messages`, {
-			status: "new",
-			limit
-		});
-		return Array.isArray(res.items) ? res.items : [];
-	}
-	async function markDelivered(agentId, ids) {
-		if (ids.length === 0) return 0;
-		return (await client.markDelivered(agentId, ids)).marked;
-	}
-	return {
-		toolContext,
-		client,
-		configDir,
-		apiUrl,
-		getJwt,
-		pollCount,
-		fetchNewMessages,
-		markDelivered
-	};
-}
-//#endregion
-//#region src/outbound.ts
-function toolByName(name, all = tools) {
-	const def = all.find((t) => t.name === name);
-	if (!def) throw new Error(`rine: required mcp tool "${name}" not found — version skew`);
-	return def;
-}
-/**
-* Route an agent reply back out as a rine message, reusing the lifted `rine_reply`
-* handler (E2EE encrypt + POST /messages/{id}/reply, auto-routed to the original
-* sender, conversation_id preserved). No crypto/HTTP reimplemented.
-*/
-async function sendRineReply(client, inbound, text) {
-	return toolByName("rine_reply").handler(client.toolContext, {
-		message_id: inbound.id,
-		payload: { text }
-	});
-}
-//#endregion
 //#region src/dispatch.ts
 function msgOf(err) {
 	return err instanceof Error ? err.message : String(err);
 }
-/** The inline pointer body — ciphertext stays out of the transcript; agent calls `rine_read`. */
+/**
+* The inline pointer body — ciphertext stays out of the transcript; agent calls `rine_read`.
+*
+* The body also binds the reply target to the SENDER. Without this, a model that replies via the
+* optional `rine_send` tool can copy the message's own `to_agent_id` (= this agent's id, surfaced
+* by `rine_read`) and self-target, producing `Unknown target` (TODO-4). The auto-routing path is
+* `rine_reply message_id=<id>`, which derives the recipient from the original sender server-side.
+*/
 function pointerText(msg) {
-	return `[rine ${msg.type} from ${msg.fromHandle}] message ${msg.id} (read with rine_read)`;
+	return `[rine ${msg.type} from ${msg.fromHandle}] message ${msg.id} (read with rine_read; reply with rine_reply message_id=${msg.id} — it auto-routes to ${msg.fromHandle}. If you use rine_send instead, set to=${msg.fromHandle}, never your own agent id.)`;
 }
 /**
 * Build the shared `onMessage` path all transports converge on.

package/dist/setup.js

@@ -1,4 +1,4 @@
-import { n as resolveRineConfig, r as rinePlugin, t as readRineCredentials } from "./config-BsdV6THh.js";
+import { a as resolveRineConfig, i as readRineCredentials, t as rinePlugin } from "./channel-DpHhVQ-n.js";
 import { defineSetupPluginEntry } from "openclaw/plugin-sdk/channel-core";
 //#region setup.ts
 /** Auto-detect existing rine creds for the setup flow. Pure read; no writes. */

package/dist/src/constants.d.ts

@@ -10,6 +10,7 @@ export declare const DEFAULT_ACCOUNT_ID = "default";
 /**
  * Internal mcp tools the plugin depends on at runtime but does NOT expose to the agent.
  * Validated at startup (alongside `selectExposedTools`) so a rename of an mcp tool fails
- * fast at load, not at first reply. `rine_reply` backs the inbound→reply dispatch path.
+ * fast at load, not at first reply. `rine_reply` backs the inbound→reply dispatch path;
+ * `rine_send` backs the channel `outbound` adapter (active sends to an arbitrary target).
  */
-export declare const INTERNAL_TOOLS: readonly ["rine_reply"];
+export declare const INTERNAL_TOOLS: readonly ["rine_reply", "rine_send"];

package/dist/src/dispatch.d.ts

@@ -24,7 +24,14 @@ export interface OnMessageDeps {
  * a transient error that must be retried, so the cursor must stay behind it.
  */
 export type OnMessage = (msg: RineInbound) => Promise<boolean>;
-/** The inline pointer body — ciphertext stays out of the transcript; agent calls `rine_read`. */
+/**
+ * The inline pointer body — ciphertext stays out of the transcript; agent calls `rine_read`.
+ *
+ * The body also binds the reply target to the SENDER. Without this, a model that replies via the
+ * optional `rine_send` tool can copy the message's own `to_agent_id` (= this agent's id, surfaced
+ * by `rine_read`) and self-target, producing `Unknown target` (TODO-4). The auto-routing path is
+ * `rine_reply message_id=<id>`, which derives the recipient from the original sender server-side.
+ */
 export declare function pointerText(msg: RineInbound): string;
 /**
  * Build the shared `onMessage` path all transports converge on.

package/dist/src/outbound.d.ts

@@ -6,3 +6,16 @@ import type { RineInbound } from "./types.js";
  * sender, conversation_id preserved). No crypto/HTTP reimplemented.
  */
 export declare function sendRineReply(client: RineClient, inbound: RineInbound, text: string): Promise<unknown>;
+/**
+ * Active send of an agent reply/message to an arbitrary rine target, reusing the
+ * lifted `rine_send` handler (E2EE encrypt + POST /messages). Backs the channel
+ * `outbound.sendText` adapter so OpenClaw's generic `send` message-action resolves
+ * and delivers (without this the channel had no outbound surface — the agent's
+ * generic send failed with `Unknown target … for rine`).
+ *
+ * `from` (the sending agent id) is passed only when configured; in a single-agent
+ * org `rine_send` resolves the sole agent itself.
+ */
+export declare function sendRineText(client: RineClient, to: string, text: string, from?: string): Promise<{
+    messageId: string;
+}>;

package/openclaw.plugin.json

@@ -3,7 +3,7 @@
   "kind": "channel",
   "name": "rine",
   "description": "Agent-to-agent E2EE messaging over the rine network (A2A relay / SSE / poll).",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "channels": ["rine"],
   "skills": ["skills/rine"],
   "activation": { "onStartup": true },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rine-network/openclaw",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "Official OpenClaw plugin for rine.network \u2014 agent-to-agent E2EE messaging as a native channel, with A2A-relay / SSE / poll transports, tools, and the bundled rine skill.",
   "type": "module",
   "main": "dist/index.js",

package/dist/config-BsdV6THh.js

@@ -1,113 +0,0 @@
-import { getCredentialEntry, resolveApiUrl, resolveConfigDir } from "@rine-network/core";
-//#region src/constants.ts
-/**
-* The single `"default"` profile/account literal, shared so a rename touches one place.
-*
-* It is the rine credential *profile* key passed to core's
-* `getCredentialEntry`/`getOrRefreshToken` (the entry under `.default` in
-* credentials.json) and, identically, the OpenClaw single-account id for the rine
-* channel. Both are `"default"` by convention.
-*/
-const DEFAULT_ACCOUNT_ID = "default";
-/**
-* Internal mcp tools the plugin depends on at runtime but does NOT expose to the agent.
-* Validated at startup (alongside `selectExposedTools`) so a rename of an mcp tool fails
-* fast at load, not at first reply. `rine_reply` backs the inbound→reply dispatch path.
-*/
-const INTERNAL_TOOLS = ["rine_reply"];
-//#endregion
-//#region src/channel.ts
-/**
-* Minimal but type-valid `ChannelPlugin` for rine. Required fields only:
-* id / meta / capabilities / config. Inbound delivery + outbound replies are owned by
-* the notify service + dispatch seam (the canonical reply path lives on the runtime
-* singleton, available to the service), so the channel object stays thin — it advertises
-* the `rine` channel so sessions key as `agent:<id>:rine:<kind>:<peer>` and the channel
-* surfaces in `plugins inspect`. See SDK_CONTRACT.md.
-*/
-const rinePlugin = {
-	id: "rine",
-	meta: {
-		id: "rine",
-		label: "rine",
-		selectionLabel: "rine",
-		detailLabel: "rine network",
-		docsPath: "/channels/rine",
-		docsLabel: "rine",
-		blurb: "Agent-to-agent E2EE messaging over the rine network (A2A relay / SSE / poll).",
-		systemImage: "antenna.radiowaves.left.and.right",
-		order: 120,
-		showConfigured: true
-	},
-	capabilities: {
-		chatTypes: ["direct", "group"],
-		reply: true,
-		threads: true,
-		media: false
-	},
-	reload: { configPrefixes: ["channels.rine"] },
-	config: {
-		listAccountIds: () => [DEFAULT_ACCOUNT_ID],
-		resolveAccount: (_cfg, accountId) => ({ accountId: accountId ?? "default" }),
-		defaultAccountId: () => DEFAULT_ACCOUNT_ID
-	}
-};
-//#endregion
-//#region src/config.ts
-const DEFAULTS = {
-	transport: "sse",
-	pollIntervalMs: 6e4,
-	reconnectBaseMs: 3e3,
-	reconnectMaxMs: 3e5,
-	a2aAcceptCleartext: true
-};
-function asString(v) {
-	return typeof v === "string" && v.trim() !== "" ? v : void 0;
-}
-function asNumber(v, fallback) {
-	return typeof v === "number" && Number.isFinite(v) ? v : fallback;
-}
-function asTransport(v) {
-	return v === "expose" || v === "poll" || v === "sse" ? v : DEFAULTS.transport;
-}
-function asAllowFrom(v) {
-	if (Array.isArray(v)) {
-		const entries = v.filter((e) => typeof e === "string");
-		return entries.length > 0 ? entries : ["*"];
-	}
-	return ["*"];
-}
-/** Resolve the typed config from a raw `api.pluginConfig` (or `{}`), applying defaults. */
-function resolveRineConfig(raw = {}) {
-	return {
-		transport: asTransport(raw.transport),
-		configDir: asString(raw.configDir),
-		agentId: asString(raw.agentId),
-		baseUrl: asString(raw.baseUrl),
-		pollIntervalMs: asNumber(raw.pollIntervalMs, DEFAULTS.pollIntervalMs),
-		reconnectBaseMs: asNumber(raw.reconnectBaseMs, DEFAULTS.reconnectBaseMs),
-		reconnectMaxMs: asNumber(raw.reconnectMaxMs, DEFAULTS.reconnectMaxMs),
-		exposeBaseUrl: asString(raw.exposeBaseUrl),
-		a2aAcceptCleartext: typeof raw.a2aAcceptCleartext === "boolean" ? raw.a2aAcceptCleartext : DEFAULTS.a2aAcceptCleartext,
-		allowFrom: asAllowFrom(raw.allowFrom)
-	};
-}
-/**
-* Resolve rine credentials using core's 3-level config-dir fallback
-* ($RINE_CONFIG_DIR > ~/.config/rine > $PWD/.rine). An explicit `cfg.configDir`
-* override wins and is threaded directly — we never mutate `process.env`. Reuses core
-* helpers; no host keychain access, no token writes.
-*/
-function readRineCredentials(cfg) {
-	const configDir = cfg.configDir ?? resolveConfigDir();
-	const apiUrl = cfg.baseUrl ?? resolveApiUrl();
-	const entry = getCredentialEntry(configDir, DEFAULT_ACCOUNT_ID);
-	return {
-		configDir,
-		apiUrl,
-		entry,
-		pollUrl: entry?.poll_url
-	};
-}
-//#endregion
-export { INTERNAL_TOOLS as a, DEFAULT_ACCOUNT_ID as i, resolveRineConfig as n, rinePlugin as r, readRineCredentials as t };