Subscribe to a security event firehose. Watch-worthy events are triaged and sent to a webhook.
Subscribes to a Server-Sent Events firehose (GitHub events, Stripe events, internal pubsub bridges, custom SSE feeds), routes security- / compliance- / operationally-relevant events through a small LLM that drafts a one-sentence summary, and POSTs to your incident webhook. W3C-compliant Last-Event-ID resume on disconnect.
No black box. Each step is a typed-frame node you can edit, monitor, and replace.
An upstream service publishes an event on its SSE feed (Accept: text/event-stream). streaming-sse-source connects via aiohttp and parses the W3C wire format natively (no httpx-sse dep).
Each delivered event becomes a TextFrame carrying sse_event / sse_id / sse_url attributes. id: lines update Last-Event-ID for spec-compliant resume on disconnect.
streaming-conditional matches a watch-worthy regex (security_alert / compliance_violation / breach / leak / fraud / unauthorized / escalated, plus high/critical severity). Routine events drop at the default branch.
The LLM drafts a one-sentence summary. streaming-webhook-response POSTs to your incident receiver. SSE connection / decode / reconnect-give-up failures fan into the same channel.
Streaming graph contract, observability, and cost discipline come standard. The agent ships with a full test suite that runs in CI on every node version bump.
Native SSE wire-format decoder: data: lines accumulate (joined with a newline), event: sets the type, id: updates Last-Event-ID, retry: sets the server-recommended backoff, comment lines (starting with ':') are skipped per spec, and a single space after the colon is stripped per spec.
The id: field updates Last-Event-ID. The value is sticky across events that carry no id and is sent as the Last-Event-ID HTTP header on every reconnect. Spec-compliant servers replay missed events on resume.
A server-advertised retry: value (in milliseconds) overrides the operator's reconnect_initial_ms while it stands. This honours upstream backoff guidance without operator config drift.
Reconnect-loop sleep uses asyncio.wait_for(self._stop.wait(), timeout=seconds) so an inbound EndFrame wakes the backoff immediately. Session shutdown is never blocked by a long retry timer.
Routine events drop at the conditional before any LLM call. The LLM cost scales with watch-traffic volume, not feed volume. Default regex matches security / compliance / fraud event types and high / critical severities.
Each emitted event writes a span tagged with sse_event / sse_id / sse_url. Filter the canvas overlay by event type to debug detection behaviour or by sse_id range to inspect a specific replay window.
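The decoding rules listed above (data: accumulation, sticky Last-Event-ID, retry:, comments, single-space stripping) can be exercised with the following added example, which is not the product's own decoder. The class and function names and the sample feed are constructed for illustration; the NUL-in-id and digits-only retry checks follow the SSE specification rather than anything stated on this page.

```python
import re

class SSEDecoder:
    """Line-oriented decoder for the text/event-stream wire format."""

    def __init__(self):
        self.last_event_id = ""   # sticky; send as Last-Event-ID on reconnect
        self.retry_ms = None      # server-advertised reconnect delay, if any
        self._event, self._data = "", []

    def feed_line(self, line):
        """Consume one line (terminator removed); return a dict on dispatch."""
        if line == "":                        # blank line ends the event
            event, data = self._event or "message", self._data
            self._event, self._data = "", []
            if not data:                      # no data: lines, nothing to emit
                return None
            return {"event": event, "data": "\n".join(data),
                    "id": self.last_event_id}
        if line.startswith(":"):              # comment / keep-alive
            return None
        name, _, value = line.partition(":")
        if value.startswith(" "):             # strip exactly one space
            value = value[1:]
        if name == "data":
            self._data.append(value)
        elif name == "event":
            self._event = value
        elif name == "id" and "\x00" not in value:   # NUL in id: ignore field
            self.last_event_id = value
        elif name == "retry" and value.isascii() and value.isdigit():
            self.retry_ms = int(value)        # non-numeric retry is ignored
        return None

def decode(stream):
    """Decode a complete text chunk; an unterminated final event is discarded."""
    dec = SSEDecoder()
    lines = re.split(r"\r\n|\n|\r", stream)[:-1]   # last piece is a partial line
    return [e for e in map(dec.feed_line, lines) if e], dec

# Constructed sample feed (not captured from a real service).
SAMPLE = (
    ": keep-alive\r\n"
    "retry: 5000\nretry: 5s\n"
    "event: security_alert\nid: 41\n"
    'data: {"severity": "critical",\n'
    'data:  "repo": "example/repo"}\n\n'
    "id: bad\x00id\ndata: routine ping\n\n"
    "data: cut off mid-event\n"
)
```

Running `decode(SAMPLE)` yields two events: the second inherits id 41 from the first, and the trailing unterminated event is dropped, so a resume with Last-Event-ID: 41 would replay it from the server.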
Every dependency is a registered Strongly service or a model you control. Swap any one of them in the install wizard. The graph stays intact.
The marketplace template is the graph. Every customisation below is a config change or a single-node addition, never a rewrite.
The SSE source accepts an event_types allow-list. Drop non-matching events at the source BEFORE TextFrame emission to save downstream pipeline work.
Fork the prompt with streaming-llm-router predicating on sse_event so each event type gets a domain-tuned watch prompt.
Replace the 2-port conditional with streaming-confidence-router: critical → PagerDuty page, high → Slack warn, medium → email digest.
Persist the most recent sse_id from a downstream sink and pass it back via Last-Event-ID on the next deploy for at-least-once redelivery across pod restarts.
Wire streaming-text-transformer to compute an HMAC over the summary + timestamp before POSTing to the receiver.
We don't leave until it runs. Talk to a forward-deployed engineer about deploying SSE Event Feed → LLM Watch into your environment with your STT, your LLM, your TTS, your data.