@pmoses-s1/sentinelone-mcp 1.0.0 → 1.2.0

package/deploy/README.md

@@ -0,0 +1,366 @@
+# Deployment guide
+
+Three supported topologies, in order of complexity.
+
+| Topology | Who runs it | Transport | Auth | Use this when |
+|---|---|---|---|---|
+| **A. Single user, local** | One human | stdio | none | You use Claude Desktop / Claude Code / Claude Cowork on your own Mac or Linux laptop. |
+| **B. Single user, HTTP** | One human | Streamable HTTP, `127.0.0.1` only | none | You want one server you can curl, or have a non-Claude client that speaks Streamable HTTP. |
+| **C. Team, VM-hosted** | Many humans | Streamable HTTP, behind TLS | per-user bearer tokens | You want N team members to share one server with one set of SentinelOne credentials, with per-user audit and revocation. |
+
+## A. Single user, local (stdio)
+
+`curl -fsSL https://raw.githubusercontent.com/pmoses-s1/claude-skills/main/sentinelone-mcp/deploy/install.sh | bash`
+
+That runs `install.sh --user`, which:
+1. Confirms Node 18+ is present (errors out with install hints if not).
+2. Sets up a per-user npm prefix at `~/.npm-global` if one isn't configured.
+3. Installs `@pmoses-s1/sentinelone-mcp` globally for your user.
+4. Writes a credentials skeleton to `~/.config/sentinelone/credentials.json` (mode 0600).
+5. Prints the next steps.
+
+Then edit `~/.config/sentinelone/credentials.json` with your real values:
+
+```json
+{
+  "S1_CONSOLE_URL":       "https://usea1-yourorg.sentinelone.net",
+  "S1_CONSOLE_API_TOKEN": "eyJ...",
+  "S1_HEC_INGEST_URL":    "https://ingest.us1.sentinelone.net",
+  "SDL_XDR_URL":          "https://xdr.us1.sentinelone.net",
+  "SDL_LOG_READ_KEY":     "...",
+  "SDL_CONFIG_READ_KEY":  "...",
+  "SDL_CONFIG_WRITE_KEY": "..."
+}
+```
+
+Add the server to Claude Desktop (`~/Library/Application Support/Claude/claude_desktop_config.json` on Mac, or `%APPDATA%\Claude\claude_desktop_config.json` on Windows):
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "command": "sentinelone-mcp"
+    }
+  }
+}
+```
+
+Or, equivalently, by package name without the install:
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "command": "npx",
+      "args": ["-y", "@pmoses-s1/sentinelone-mcp@1.1.0"]
+    }
+  }
+}
+```
+
+Restart Claude Desktop. The server picks credentials up from `~/.config/sentinelone/credentials.json` automatically.
+
+## B. Single user, HTTP
+
+Same `install.sh --user`, then start the server in HTTP mode:
+
+```bash
+sentinelone-mcp --transport http
+```
+
+It binds to `127.0.0.1:8765` and runs with no auth (which is fine when the bind address is loopback and you're the only user on the box). Hit it with curl:
+
+```bash
+curl -s http://127.0.0.1:8765/healthz
+# -> ok
+
+curl -s -X POST http://127.0.0.1:8765/mcp \
+  -H 'Content-Type: application/json' \
+  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | jq '.result.tools | length'
+# -> 26
+```
+
+In Claude Cowork or any MCP client that supports remote HTTP servers, add it:
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "type": "http",
+      "url": "http://127.0.0.1:8765/mcp"
+    }
+  }
+}
+```
+
+## C. Team, VM-hosted (recommended for shared deployments)
+
+This is the topology to use when more than one person should have access to the same SentinelOne tenant through MCP, without distributing the underlying S1 service-user token.
+
+### What you'll end up with
+
+- One Linux VM, reachable on your private network (or via Tailscale, WireGuard, etc.).
+- One `mcp` system user owning `/etc/sentinelone-mcp/`.
+- One `credentials.json` containing the S1 service-user token + SDL keys. Mode 0600, never copied off the box.
+- One `bearer-tokens.json` listing per-user tokens, one per team member: `{"alice": "...", "bob": "...", "claire": "..."}`. Mode 0600. SIGHUP-reloadable.
+- One systemd service running the MCP on `127.0.0.1:8765` with auth enforced.
+- Caddy in front terminating TLS and forwarding to the backend.
+
+Team members connect from their Claude clients with their own bearer token. Audit log identifies them by name. Revocation is one file edit + `systemctl reload`.
+
+### Step-by-step
+
+1. **Provision the VM.** Anything that runs systemd is fine: Ubuntu 22.04 LTS, Debian 12, Rocky/Alma 9, etc.
+
+2. **Install Node 18+.** Pick one:
+   ```bash
+   # Ubuntu / Debian
+   curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
+   sudo apt install -y nodejs
+   ```
+   ```bash
+   # Rocky / Alma
+   curl -fsSL https://rpm.nodesource.com/setup_20.x | sudo bash -
+   sudo dnf install -y nodejs
+   ```
+
+3. **Run the installer in server mode:**
+   ```bash
+   curl -fsSL https://raw.githubusercontent.com/pmoses-s1/claude-skills/main/sentinelone-mcp/deploy/install.sh | sudo bash -s -- --server
+   ```
+   It creates the `mcp` user, drops `/etc/sentinelone-mcp/credentials.json` (placeholder) and `/etc/sentinelone-mcp/bearer-tokens.json` (one freshly-generated admin token, printed once to stdout), installs the systemd unit, and starts the service.
+
+4. **Fill in real SentinelOne credentials:**
+   ```bash
+   sudo vim /etc/sentinelone-mcp/credentials.json
+   sudo systemctl reload sentinelone-mcp
+   curl -s http://127.0.0.1:8765/healthz   # -> ok
+   ```
+
+5. **Put TLS in front with Caddy** (the recommended option):
+   ```bash
+   sudo apt install -y caddy
+   sudo cp /usr/lib/node_modules/@pmoses-s1/sentinelone-mcp/deploy/caddy/Caddyfile.example /etc/caddy/Caddyfile
+   sudo vim /etc/caddy/Caddyfile   # change mcp.s1.internal to your DNS name
+   sudo systemctl reload caddy
+   ```
+   Default Caddyfile uses `tls internal` which signs with Caddy's own CA. Distribute `/var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt` to your team for trust, or use `tls <your-email>` with a publicly resolvable hostname for Let's Encrypt.
+
+6. **Add team members.** Generate a token per person and append to the file:
+   ```bash
+   sudo bash -c 'cat > /etc/sentinelone-mcp/bearer-tokens.json' <<EOF
+   {
+     "admin": "$(openssl rand -hex 32)",
+     "alice": "$(openssl rand -hex 32)",
+     "bob":   "$(openssl rand -hex 32)",
+     "claire":"$(openssl rand -hex 32)"
+   }
+   EOF
+   sudo chmod 600 /etc/sentinelone-mcp/bearer-tokens.json
+   sudo chown mcp:mcp /etc/sentinelone-mcp/bearer-tokens.json
+   sudo systemctl reload sentinelone-mcp   # SIGHUP, no downtime
+   ```
+   Hand each person their token over a secure channel (1Password, Signal, etc.).
+
+7. **Connect from a Claude client.** Each user adds the server to their config with their personal token:
+   ```json
+   {
+     "mcpServers": {
+       "sentinelone-mcp": {
+         "type": "http",
+         "url": "https://mcp.s1.internal/mcp",
+         "headers": {
+           "Authorization": "Bearer <THEIR_PERSONAL_TOKEN>"
+         }
+       }
+     }
+   }
+   ```
+
+8. **Verify end-to-end.** From a team member's machine:
+   ```bash
+   curl -s -X POST https://mcp.s1.internal/mcp \
+     -H "Authorization: Bearer $TOKEN" \
+     -H 'Content-Type: application/json' \
+     -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | jq '.result.tools | length'
+   # -> 26
+   ```
+
+9. **Watch the audit log.** Every authenticated request is logged with the bearer name, method, and param summary:
+   ```bash
+   sudo journalctl -u sentinelone-mcp -f | grep '\[audit\]'
+   # [audit] 2026-05-28T15:01:22.413Z | alice | tools/call | name=powerquery_run | 200 ok
+   # [audit] 2026-05-28T15:01:34.221Z | bob   | tools/list | -                  | 200 ok
+   ```
+
+## Day-2 operations
+
+### Adding a team member
+
+```bash
+sudo vim /etc/sentinelone-mcp/bearer-tokens.json   # add new {"name": "token"}
+sudo systemctl reload sentinelone-mcp              # SIGHUP, no downtime
+```
+
+### Revoking access
+
+```bash
+sudo vim /etc/sentinelone-mcp/bearer-tokens.json   # remove the entry
+sudo systemctl reload sentinelone-mcp
+```
+
+### Rotating the SentinelOne service-user token
+
+```bash
+sudo vim /etc/sentinelone-mcp/credentials.json     # paste new S1_CONSOLE_API_TOKEN
+sudo systemctl restart sentinelone-mcp             # full restart needed for creds
+```
+
+### Upgrading the MCP server
+
+```bash
+sudo npm install -g @pmoses-s1/sentinelone-mcp@<new-version>
+sudo systemctl restart sentinelone-mcp
+```
+
+### Reading the audit log
+
+The structured audit lines look like:
+
+```
+[audit] 2026-05-28T15:01:22.413Z | alice | tools/call | name=powerquery_run | 200 ok
+[audit] 2026-05-28T16:42:55.108Z | bob   | tools/list | -                  | 200 ok
+[audit] 2026-05-28T17:03:11.221Z | -     | -          | -                  | 401 unauthorized
+```
+
+Quick filters:
+
+```bash
+# everything alice did in the last hour
+sudo journalctl -u sentinelone-mcp --since="1 hour ago" | grep '\[audit\].*| alice |'
+
+# all unauthorized attempts today
+sudo journalctl -u sentinelone-mcp --since=today | grep '\[audit\].*401'
+
+# all tool calls (not just listings)
+sudo journalctl -u sentinelone-mcp -f | grep 'tools/call'
+```
+
+### Health and readiness
+
+`GET /healthz` returns `200 ok` whenever the server is accepting connections. Use it for load balancer probes and for `systemctl-aware` orchestrators:
+
+```bash
+curl -s http://127.0.0.1:8765/healthz   # behind the proxy
+curl -s https://mcp.s1.internal/healthz # in front of the proxy
+```
+
+## Connecting Claude Desktop to a remote MCP
+
+Claude Desktop's `claude_desktop_config.json` only accepts stdio-based MCP servers in current stable builds; the `type: "http"` form gets rejected with "not valid MCP server configuration" on load. To connect Claude Desktop to your VM's HTTPS endpoint, use the bridge script shipped in this repo at [`bridge/sentinelone-mcp-bridge.mjs`](./bridge/sentinelone-mcp-bridge.mjs) — a 40-line zero-dependency Node script that translates Claude Desktop's stdio into POST requests against the MCP HTTP endpoint.
+
+Each team member drops the script anywhere on their machine (typically `~/.local/bin/sentinelone-mcp-bridge.mjs`) and points Claude Desktop at it:
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "command": "node",
+      "args": ["/Users/<you>/.local/bin/sentinelone-mcp-bridge.mjs"],
+      "env": {
+        "MCP_URL":    "https://mcp.s1.internal/mcp",
+        "MCP_BEARER": "<your personal bearer token>"
+      }
+    }
+  }
+}
+```
+
+Then Cmd+Q and reopen Claude Desktop. See [`bridge/README.md`](./bridge/README.md) for install, smoke-test, and troubleshooting steps. Claude Cowork users can keep using the native `type: "http"` config (it supports remote HTTP MCPs in current builds) — only Claude Desktop needs the bridge.
+
+## AWS-specific gotchas
+
+Five things that bit during real deployment to an EC2 instance. None are blockers, but knowing them up front saves hours.
+
+### EC2 public DNS is unstable without an Elastic IP
+
+Stopping and starting an instance assigns a new public IPv4 address and a new public DNS name (`ec2-<new-ip>.<region>.compute.amazonaws.com`). Every ACME-issued cert, every `claude_desktop_config.json`, and every Caddyfile that referenced the old hostname breaks. Allocate an Elastic IP in EC2 → Elastic IPs → Allocate → Associate before issuing certs. Free while attached to a running instance.
+
+The instance's `*.compute.internal` DNS name (e.g. `ip-172-31-7-227.ap-southeast-2.compute.internal`) is the VPC-internal name and is **not** reachable from outside the VPC. It can't be used for ACME validation or for clients on the public internet.
+
+### Let's Encrypt refuses `*.amazonaws.com` by policy
+
+If you try to issue a cert for the EC2 public DNS, LE returns:
+
+```
+HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier
+The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
+```
+
+Caddy auto-falls back to **ZeroSSL** (also free, also publicly trusted, no policy block on `amazonaws.com`). Use the email-shorthand form `tls <email>` and Caddy handles the fallback transparently. The right end state is a cert with `issuer=ZeroSSL ECC DV SSL CA 2` — verify with:
+
+```bash
+echo | openssl s_client -connect $HOST:8764 -servername $HOST 2>/dev/null \
+  | grep -E "^(issuer=|verify return code)"
+```
+
+For long-term peace of mind, use a real domain instead (Route 53 A record pointing at the Elastic IP) — both LE and ZeroSSL issue without restriction and the hostname survives instance replacement.
+
+### Caddyfile: don't mix `tls` shorthand with `issuer acme` block
+
+```caddyfile
+# WRONG — Caddy errors: "cannot mix issuer subdirective with other issuer-specific subdirectives"
+tls prithvi@example.com {
+    issuer acme {
+        disable_http_challenge
+    }
+}
+```
+
+The shorthand `tls <email>` implicitly configures an ACME issuer. Combining it with an explicit `issuer acme { ... }` block conflicts. Pick one form:
+
+```caddyfile
+# Form 1: shorthand (requires port 80 open for HTTP-01)
+tls prithvi@example.com
+
+# Form 2: explicit block (gives you knobs like disable_http_challenge)
+tls {
+    issuer acme {
+        email prithvi@example.com
+        disable_http_challenge
+    }
+}
+```
+
+### `tls internal` produces a Caddy CA cert, not a public one
+
+If you see ACME succeed in milliseconds rather than ~10-30 seconds, look at the cert: it was likely issued by Caddy's local CA, not by an external ACME server. The give-aways are an instant log line and `no OCSP server specified in certificate` warnings (public CAs always embed OCSP URLs). `tls internal` is fine for private-network deployments with cert distribution to clients, but doesn't help when you want public trust.
+
+### systemd hardening that breaks Node V8 JIT
+
+The hardened service file we ship omits two systemd directives that would otherwise be useful:
+
+- `MemoryDenyWriteExecute=true`
+- `LockPersonality=true`
+
+Both block the W+X memory mappings V8 needs to JIT JavaScript. Adding them causes the service to silently SIGTRAP at startup with `Result: core-dump` and ~5 MB peak memory — no useful log output. If you customize the unit, leave both off.
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+|---|---|---|
+| `Connection refused` on `127.0.0.1:8765` | Service not running | `sudo systemctl status sentinelone-mcp`; check `journalctl -u sentinelone-mcp -n 50`. |
+| 401 on every request | No bearer token, or wrong one | Confirm `Authorization: Bearer <token>` is set; confirm the token is in `/etc/sentinelone-mcp/bearer-tokens.json`. |
+| `tools/call` returns `Error: connect ECONNREFUSED` to `*.sentinelone.net` | S1 creds missing or VM has no outbound to console | `curl -v https://$YOUR_CONSOLE_URL`; check `/etc/sentinelone-mcp/credentials.json`. |
+| Service starts but `Tools: 0 registered` | Code/import error | `journalctl -u sentinelone-mcp -n 100` for the import stack trace. |
+| `502 Bad Gateway` from Caddy | Backend died between Caddy reload and proxy attempt | `systemctl status sentinelone-mcp`. |
+
+## Alternative deployments
+
+These are supported but not first-class:
+
+- **Docker / docker-compose.** Not shipped in this version. The single-file Node binary doesn't need it. If you want a container, the install is `FROM node:20-alpine` + `RUN npm install -g @pmoses-s1/sentinelone-mcp@1.1.0` + `CMD ["sentinelone-mcp", "--transport", "http", "--host", "0.0.0.0"]`. Mount creds at `/etc/sentinelone-mcp/credentials.json` and tokens at `/etc/sentinelone-mcp/bearer-tokens.json`.
+
+- **External bridge (`supergateway`, `mcp-proxy`).** Pre-1.1.0 deployments used these to wrap the stdio-only server. They still work; this server's native HTTP mode is functionally equivalent and removes the extra process. Prefer native unless you have a specific reason.
+
+- **No-auth HTTP on a non-loopback bind.** Possible (set `--host 0.0.0.0` and omit `MCP_BEARER_TOKENS*`) but the server logs a loud warning at startup. Only use if the network itself is trusted (e.g. a Tailscale-only LAN where every node is authenticated upstream).

package/deploy/bridge/README.md

@@ -0,0 +1,93 @@
+# Claude Desktop bridge for the remote MCP
+
+A small stdio↔HTTPS proxy so Claude Desktop can talk to a team-shared `sentinelone-mcp` server running on a VM. Each team member runs the bridge on their own machine; the bridge sends bearer-authed POSTs to the shared MCP endpoint.
+
+## Why this exists
+
+Claude Desktop's `claude_desktop_config.json` only accepts stdio-based MCP servers in current stable builds. Adding a remote server via `type: "http"` gets rejected with "not valid MCP server configuration". The bridge wraps the remote HTTPS endpoint as a local stdio process, which Claude Desktop accepts.
+
+Claude Cowork and Claude Code don't need this — both support `type: "http"` natively.
+
+## What's in the box
+
+- [`sentinelone-mcp-bridge.mjs`](./sentinelone-mcp-bridge.mjs) — the script. 40 lines, zero external dependencies. Requires Node.js 18+ (uses the built-in `fetch`).
+
+## Install (per team member, one-time)
+
+```bash
+# Download the script
+mkdir -p ~/.local/bin
+curl -fsSL https://raw.githubusercontent.com/pmoses-s1/claude-skills/main/sentinelone-mcp/deploy/bridge/sentinelone-mcp-bridge.mjs \
+  -o ~/.local/bin/sentinelone-mcp-bridge.mjs
+chmod +x ~/.local/bin/sentinelone-mcp-bridge.mjs
+
+# Confirm Node is on PATH
+node --version   # must be 18.0.0 or newer
+```
+
+## Configure Claude Desktop
+
+Edit `~/Library/Application Support/Claude/claude_desktop_config.json` on macOS, or `%APPDATA%\Claude\claude_desktop_config.json` on Windows. Add the `sentinelone-mcp` block:
+
+```json
+{
+  "mcpServers": {
+    "sentinelone-mcp": {
+      "command": "node",
+      "args": ["/Users/<you>/.local/bin/sentinelone-mcp-bridge.mjs"],
+      "env": {
+        "MCP_URL":    "https://mcp.s1.internal/mcp",
+        "MCP_BEARER": "<your personal bearer token>"
+      }
+    }
+  }
+}
+```
+
+`MCP_URL` is whatever URL your team's admin gave you (it should end in `/mcp`). `MCP_BEARER` is your personal bearer token from `/etc/sentinelone-mcp/bearer-tokens.json` on the VM.
+
+Quit Claude Desktop fully (Cmd+Q on macOS, not just close the window) and reopen. The 26 tools should appear in the tools list.
+
+## Smoke test (without Claude Desktop)
+
+```bash
+export MCP_URL='https://mcp.s1.internal/mcp'
+export MCP_BEARER='<your token>'
+
+# initialize round trip
+echo '{"jsonrpc":"2.0","id":0,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"cli","version":"1"}}}' \
+  | node ~/.local/bin/sentinelone-mcp-bridge.mjs
+
+# tools/list (should return 26)
+echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' \
+  | node ~/.local/bin/sentinelone-mcp-bridge.mjs \
+  | python3 -c 'import sys,json; print(len(json.load(sys.stdin)["result"]["tools"]), "tools")'
+```
+
+## Troubleshooting
+
+| Symptom | Likely cause | Fix |
+|---|---|---|
+| Claude Desktop log: `MCP error -32001: Request timed out` | `MCP_URL` unreachable or wrong path | `curl -sS $MCP_URL` from the same machine. Confirm the URL ends with `/mcp`. |
+| `fetch error: ... UNABLE_TO_GET_ISSUER_CERT_LOCALLY` | Server is using a private CA (e.g. `tls internal`); Node doesn't read the system keychain | Use a publicly-trusted cert on the server (Let's Encrypt or ZeroSSL). See [../README.md#aws-specific-gotchas](../README.md#aws-specific-gotchas). |
+| `bridge fetch error: ... ENOTFOUND` | DNS doesn't resolve `MCP_URL` host | Verify with `nslookup` or `dig`. If using an AWS public DNS, it may have changed; re-check the EC2 console. |
+| 401 from upstream in the log | Wrong / revoked bearer token | Ask the admin for a fresh token; replace `MCP_BEARER`. |
+| Bridge starts but Claude Desktop times out | Node version too old | `node --version` — need 18+. Built-in fetch was added in 18. |
+
+## How it works
+
+```
++----------------+          stdio JSON-RPC          +--------+        HTTPS POST /mcp        +------+
+| Claude Desktop | <------------------------------> | bridge | <---------------------------> | VM   |
++----------------+                                  +--------+   Bearer auth, JSON in/out    +------+
+```
+
+The bridge reads one JSON-RPC message per line from stdin, POSTs it to `MCP_URL` with the `Authorization: Bearer <token>` header, and writes the JSON-RPC reply to stdout. JSON-RPC notifications (messages with no `id`) get no reply, matching the spec. Errors get translated to a JSON-RPC error envelope so Claude Desktop sees something useful instead of a hung process.
+
+There is no session state, no buffering, and no SDK dependency — it's just stdin → fetch → stdout.
+
+## Security notes
+
+- The bearer token is stored in plaintext in `claude_desktop_config.json`. Treat that file as a secret on each laptop.
+- Rotate bearer tokens by editing `/etc/sentinelone-mcp/bearer-tokens.json` on the VM (see [../README.md#day-2-operations](../README.md#day-2-operations)) and reissuing the new value to each team member.
+- TLS verification uses Node's bundled CA store. For privately-issued certs, set `NODE_EXTRA_CA_CERTS=/path/to/root.pem` in the `env` block. Better: use a publicly-trusted cert on the server so no client-side trust is needed.

package/deploy/bridge/sentinelone-mcp-bridge.mjs

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+/**
+ * Tiny stdio -> HTTPS bridge for the SentinelOne MCP server running on a VM.
+ *
+ * Why this exists:
+ *   Claude Desktop's stable claude_desktop_config.json only accepts stdio-based
+ *   MCP servers; the type:"http" form is rejected. This bridge translates
+ *   Claude Desktop's stdio JSON-RPC into POSTs against the MCP HTTP endpoint,
+ *   so a single shared HTTPS MCP can serve a whole team's Claude Desktops.
+ *
+ * Required environment:
+ *   MCP_URL     full HTTPS endpoint, e.g. https://mcp.s1.internal/mcp
+ *   MCP_BEARER  bearer token (no "Bearer " prefix; the script adds it)
+ *
+ * Optional:
+ *   none. Zero external dependencies. Requires Node.js 18+ for built-in fetch.
+ *
+ * Configure Claude Desktop:
+ *   {
+ *     "mcpServers": {
+ *       "sentinelone-mcp": {
+ *         "command": "node",
+ *         "args": ["/Users/<you>/.local/bin/sentinelone-mcp-bridge.mjs"],
+ *         "env": {
+ *           "MCP_URL":    "https://mcp.s1.internal/mcp",
+ *           "MCP_BEARER": "<your bearer token>"
+ *         }
+ *       }
+ *     }
+ *   }
+ *
+ * Smoke test:
+ *   MCP_URL=... MCP_BEARER=... bash -c '
+ *     echo "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/list\"}" \
+ *     | node sentinelone-mcp-bridge.mjs'
+ *   # -> JSON-RPC response with 26 tools in result.tools[]
+ */
+
+import { createInterface } from 'node:readline';
+
+const URL    = process.env.MCP_URL    || (() => { throw new Error('MCP_URL not set'); })();
+const BEARER = process.env.MCP_BEARER || (() => { throw new Error('MCP_BEARER not set'); })();
+
+const log = (...a) => process.stderr.write('[bridge] ' + a.join(' ') + '\n');
+
+log('starting; target', URL);
+
+const rl = createInterface({ input: process.stdin, terminal: false });
+
+let inFlight = 0;
+let stdinClosed = false;
+function maybeExit() {
+  if (stdinClosed && inFlight === 0) {
+    log('all requests complete, exiting');
+    process.exit(0);
+  }
+}
+
+rl.on('line', async (line) => {
+  const raw = line.trim();
+  if (!raw) return;
+
+  let msg;
+  try { msg = JSON.parse(raw); }
+  catch (e) { log('bad json from stdin:', e.message); return; }
+
+  const isNotification = msg.id === undefined;
+
+  inFlight++;
+  try {
+    const res = await fetch(URL, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${BEARER}`,
+        'Accept': 'application/json',
+      },
+      body: raw,
+    });
+
+    if (isNotification) return;
+
+    const text = await res.text();
+    if (!res.ok) log(`HTTP ${res.status} from upstream: ${text.slice(0, 200)}`);
+    process.stdout.write(text.trimEnd() + '\n');
+  } catch (e) {
+    const cause = e.cause ? ` cause=${e.cause.code || e.cause.message || JSON.stringify(e.cause)}` : '';
+    log('fetch error:', e.message, cause);
+    if (!isNotification) {
+      process.stdout.write(JSON.stringify({
+        jsonrpc: '2.0',
+        id: msg.id ?? null,
+        error: { code: -32603, message: `bridge fetch error: ${e.message}${cause}` },
+      }) + '\n');
+    }
+  } finally {
+    inFlight--;
+    maybeExit();
+  }
+});
+
+rl.on('close', () => { log('stdin closed, draining...'); stdinClosed = true; maybeExit(); });
+process.on('SIGINT', () => process.exit(0));
+process.on('SIGTERM', () => process.exit(0));

package/deploy/caddy/Caddyfile.example

@@ -0,0 +1,110 @@
+# Caddyfile for sentinelone-mcp behind TLS on a private network.
+#
+# Two adjustments before using:
+#   1. Replace mcp.s1.internal with your DNS name (or Tailscale hostname).
+#   2. Decide on a TLS strategy:
+#        tls internal      Caddy's built-in CA (good for private networks;
+#                          distribute the root cert to clients).
+#        tls <email>       Let's Encrypt over HTTP-01 (needs public DNS + port 80).
+#        tls /path/to/cert.pem /path/to/key.pem
+#                          Bring your own cert from an internal PKI.
+#
+# AWS users: Let's Encrypt refuses to issue for *.amazonaws.com hostnames by
+# policy. When you use the `tls <email>` shorthand, Caddy automatically falls
+# back to ZeroSSL (also free, also publicly trusted, no policy block). The
+# end-state cert should have `issuer=ZeroSSL ECC DV SSL CA 2`. Port 80 must
+# be open in the SG for HTTP-01 to complete.
+#
+# DO NOT mix `tls <email>` with an `issuer acme { ... }` block — Caddy errors
+# with "cannot mix issuer subdirective with other issuer-specific subdirectives".
+# Pick one form: the email shorthand on its own line, OR a full `tls { ... }`
+# block with the email moved inside the `issuer acme` stanza. Not both.
+#
+# Why Caddy and not nginx? Caddy auto-renews certs, has zero config for SSE
+# streaming (flush_interval handled), and is one binary with no system Python
+# or Lua dependency. Equally valid alternative: nginx with the snippet at the
+# bottom of this file.
+
+mcp.s1.internal {
+    tls internal
+
+    # Strict bearer-token enforcement. The MCP server also enforces tokens
+    # when MCP_BEARER_TOKENS_FILE is set, but checking here too means we never
+    # forward unauthenticated traffic to the backend.
+    #
+    # To bypass Caddy auth (and rely solely on the MCP server's enforcement),
+    # delete the @authorized matcher and the handle blocks below, leaving only
+    # the reverse_proxy.
+    @anyAuth header_regexp Authorization "^Bearer\s+\S+$"
+
+    handle @anyAuth {
+        reverse_proxy 127.0.0.1:8765 {
+            # MCP responses are streamed; flush immediately so partial replies
+            # reach the client without sitting in a buffer.
+            flush_interval -1
+
+            # Reasonable timeouts for long-running PowerQueries (LRQ can take
+            # ~30s on heavy queries). Increase if you see 504s on big queries.
+            transport http {
+                read_timeout 90s
+                write_timeout 90s
+                response_header_timeout 30s
+            }
+        }
+    }
+
+    handle {
+        respond "unauthorized" 401 {
+            close
+        }
+    }
+
+    # Standard security headers.
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Content-Type-Options "nosniff"
+        Referrer-Policy "no-referrer"
+        -Server
+    }
+
+    # Healthcheck pass-through (no auth needed on /healthz).
+    @health path /healthz /health
+    handle @health {
+        reverse_proxy 127.0.0.1:8765
+    }
+
+    # Access log to journald via systemd-journald, structured JSON.
+    log {
+        output stdout
+        format json
+        level INFO
+    }
+}
+
+# ─── nginx equivalent (commented; copy if you prefer nginx) ──────────────────
+# upstream mcp_backend {
+#     server 127.0.0.1:8765;
+#     keepalive 16;
+# }
+# server {
+#     listen 443 ssl http2;
+#     server_name mcp.s1.internal;
+#     ssl_certificate     /etc/ssl/certs/mcp.s1.internal.crt;
+#     ssl_certificate_key /etc/ssl/private/mcp.s1.internal.key;
+#
+#     location = /healthz {
+#         proxy_pass http://mcp_backend;
+#     }
+#
+#     location / {
+#         if ($http_authorization !~ "^Bearer\s+\S+$") {
+#             return 401;
+#         }
+#         proxy_pass http://mcp_backend;
+#         proxy_http_version 1.1;
+#         proxy_set_header Connection "";
+#         proxy_buffering off;
+#         proxy_read_timeout 90s;
+#         proxy_send_timeout 90s;
+#     }
+# }