@pmoses-s1/sentinelone-mcp 1.0.0 → 1.2.0

package/index.js

@@ -2,348 +2,171 @@
 /**
  * SentinelOne MCP Server
  *
- * Implements the Model Context Protocol (MCP) over stdio using raw JSON-RPC 2.0.
- * No external dependencies — pure Node.js 18+.
+ * Implements the Model Context Protocol over either stdio (default) or
+ * Streamable HTTP, using raw JSON-RPC 2.0 throughout. No external runtime
+ * dependencies. Pure Node.js 18+.
  *
- * Exposes:
- *   Resources  : sentinelone://soc-context  (CLAUDE.md SOC analyst operating instructions)
- *   Prompts    : soc_analyst                (system prompt embedding CLAUDE.md)
- *   Tools (21) : PowerQuery, Mgmt Console, SDL API, Hyperautomation, UAM Ingest
+ * Exposes 26 tools across PowerQuery, Mgmt Console REST, UAM, SDL API,
+ * Hyperautomation, and UAM Ingest; plus 2 resources and 2 prompts.
  *
- * Run as: node index.js
- * Configure in claude_desktop_config.json or .mcp.json — see README.md.
+ * Quick start:
+ *   stdio (default, used by Claude Desktop / Claude Code / Cowork):
+ *     node index.js
+ *
+ *   Streamable HTTP, bound to localhost, no auth (single-user local):
+ *     node index.js --transport http
+ *
+ *   Streamable HTTP, bound to 0.0.0.0 with team bearer tokens:
+ *     MCP_BEARER_TOKENS_FILE=/etc/sentinelone-mcp/bearer-tokens.json \
+ *       node index.js --transport http --host 0.0.0.0 --port 8765
+ *
+ * Full configuration reference: README.md and deploy/README.md.
  */
 
-import { createInterface } from 'readline';
-import { readFileSync, existsSync } from 'fs';
-import { join, dirname } from 'path';
-import { fileURLToPath } from 'url';
-
-import { tools as pqTools }        from './tools/powerquery.js';
-import { tools as mgmtTools }       from './tools/mgmt-console.js';
-import { tools as sdlTools }        from './tools/sdl-api.js';
-import { tools as haTools }         from './tools/hyperautomation.js';
-import { tools as uamIngestTools }  from './tools/uam-ingest.js';
+import { dispatch, SERVER_INFO, ALL_TOOLS } from './lib/server-core.js';
 import { getCreds, hasS1Creds, hasSdlCreds } from './lib/credentials.js';
 import { hasHecCreds } from './lib/uam-ingest.js';
-
-const __dir = dirname(fileURLToPath(import.meta.url));
-
-// ─── SOC context (CLAUDE.md) ──────────────────────────────────────────────────
-
-function loadSocContext() {
-  // Resolution order (highest priority wins):
-  //   1. S1_CLAUDE_MD_PATH env var (explicit override, e.g. set by claude_desktop_config.json)
-  //   2. <cwd>/CLAUDE.md (Cowork project folder when launched from a project)
-  //   3. relative to this server's install dir (works when running from a git clone)
-  const candidates = [
-    process.env.S1_CLAUDE_MD_PATH,
-    process.cwd() ? join(process.cwd(), 'CLAUDE.md') : null,
-    join(__dir, '..', 'CLAUDE.md'),            // claude-skills/CLAUDE.md (git clone)
-    join(__dir, '..', '..', 'CLAUDE.md'),       // project root (git clone)
-    join(__dir, 'CLAUDE.md'),                   // same dir
-  ].filter(Boolean);
-  for (const p of candidates) {
-    if (existsSync(p)) {
-      try { return readFileSync(p, 'utf-8'); } catch { /* skip */ }
-    }
-  }
-  return '# SentinelOne SOC Analyst Context\n\n_CLAUDE.md not found. Place it in your Cowork project folder, or set S1_CLAUDE_MD_PATH to an absolute path._';
-}
-
-const SOC_CONTEXT = loadSocContext();
-
-// ─── Tool registry ────────────────────────────────────────────────────────────
-
-const ALL_TOOLS = [...pqTools, ...mgmtTools, ...sdlTools, ...haTools, ...uamIngestTools];
-
-// MCP tool schema (inputSchema is JSON Schema)
-const TOOL_DEFS = ALL_TOOLS.map(t => ({
-  name: t.name,
-  description: t.description,
-  inputSchema: t.inputSchema,
-}));
-
-// Handler map
-const HANDLERS = Object.fromEntries(ALL_TOOLS.map(t => [t.name, t.handler]));
-
-// ─── Resources ────────────────────────────────────────────────────────────────
-
-const RESOURCES = [
-  {
-    uri: 'sentinelone://soc-context',
-    name: 'SOC Analyst Operating Instructions',
-    description: 'CLAUDE.md — Principal SOC Analyst operating instructions including investigation workflow, evidence discipline, anomaly detection playbook, MITRE ATT&CK mapping, and tool usage priorities.',
-    mimeType: 'text/markdown',
-  },
-  {
-    uri: 'sentinelone://credentials-status',
-    name: 'Credential Configuration Status',
-    description: 'Reports which credentials are configured and which API surfaces are available.',
-    mimeType: 'application/json',
-  },
-];
-
-// ─── Prompts ──────────────────────────────────────────────────────────────────
-
-const PROMPTS = [
-  {
-    name: 'soc_analyst',
-    description: 'Load the Principal SOC Analyst system context from CLAUDE.md. Call at the start of every security investigation session to prime the operating instructions, evidence discipline rules, investigation workflow, and tool usage priorities.',
-    arguments: [],
-  },
-  {
-    name: 'session_init',
-    description: 'Structured session initialization prompt. Triggers mandatory data-source enumeration, alert triage, and schema discovery in parallel — mirroring the standard engagement workflow from the SOC playbook.',
-    arguments: [],
-  },
-];
-
-// ─── MCP protocol ─────────────────────────────────────────────────────────────
-
-const SERVER_INFO = {
-  name: 'sentinelone-mcp-server',
-  version: '1.0.0',
-};
-
-const PROTOCOL_VERSION = '2024-11-05';
-
-function ok(id, result) {
-  return { jsonrpc: '2.0', id, result };
-}
-
-function err(id, code, message, data) {
-  return { jsonrpc: '2.0', id, error: { code, message, ...(data ? { data } : {}) } };
-}
-
-function send(obj) {
-  process.stdout.write(JSON.stringify(obj) + '\n');
-}
+import { loadTokens, installSighupReload } from './lib/auth.js';
 
 function log(...args) {
   process.stderr.write('[sentinelone-mcp] ' + args.join(' ') + '\n');
 }
 
-// ─── Method handlers ──────────────────────────────────────────────────────────
-
-async function dispatch(method, params, id) {
-  switch (method) {
-
-    case 'initialize': {
-      return ok(id, {
-        protocolVersion: PROTOCOL_VERSION,
-        capabilities: {
-          resources: { subscribe: false, listChanged: false },
-          tools: { listChanged: false },
-          prompts: { listChanged: false },
-        },
-        serverInfo: SERVER_INFO,
-        instructions: 'SentinelOne MCP server providing PowerQuery, Mgmt Console API, SDL API, and Hyperautomation tools. Load the "soc_analyst" prompt at session start for full operating context.',
-      });
-    }
-
-    case 'ping': {
-      return ok(id, {});
-    }
-
-    case 'resources/list': {
-      return ok(id, { resources: RESOURCES });
-    }
-
-    case 'resources/read': {
-      const uri = params?.uri;
-      if (uri === 'sentinelone://soc-context') {
-        return ok(id, {
-          contents: [{ uri, mimeType: 'text/markdown', text: SOC_CONTEXT }],
-        });
-      }
-      if (uri === 'sentinelone://credentials-status') {
-        const c = getCreds();
-        const status = {
-          s1MgmtApi: {
-            configured: hasS1Creds(),
-            consoleUrl: c.S1_CONSOLE_URL ? c.S1_CONSOLE_URL.replace(/https?:\/\//, '').split('.')[0] + '...' : 'NOT SET',
-            tokenPresent: !!c.S1_CONSOLE_API_TOKEN,
-          },
-          sdlApi: {
-            configured: hasSdlCreds(),
-            xdrUrl: c.SDL_XDR_URL || 'NOT SET',
-            configWriteKey: !!c.SDL_CONFIG_WRITE_KEY,
-            logWriteKey: !!c.SDL_LOG_WRITE_KEY,
-          },
-          uamIngestApi: {
-            configured: hasHecCreds(),
-            hecUrl: c.S1_HEC_INGEST_URL || 'NOT SET (add S1_HEC_INGEST_URL to credentials.json)',
-            tokenPresent: !!c.S1_CONSOLE_API_TOKEN,
-          },
-        };
-        return ok(id, {
-          contents: [{ uri, mimeType: 'application/json', text: JSON.stringify(status, null, 2) }],
-        });
-      }
-      return err(id, -32002, `Resource not found: ${uri}`);
+// ─── CLI flag parser ──────────────────────────────────────────────────────────
+
+function parseArgs(argv) {
+  const out = {
+    transport: process.env.MCP_TRANSPORT || 'stdio',
+    host:      process.env.MCP_HTTP_HOST || '127.0.0.1',
+    port:      Number(process.env.MCP_HTTP_PORT) || 8765,
+    path:      process.env.MCP_HTTP_PATH || '/mcp',
+    help:      false,
+    version:   false,
+  };
+
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    const next = () => argv[++i];
+    switch (a) {
+      case '-h': case '--help':    out.help = true; break;
+      case '-v': case '--version': out.version = true; break;
+      case '--transport':          out.transport = next(); break;
+      case '--host':               out.host = next(); break;
+      case '--port':               out.port = Number(next()); break;
+      case '--path':               out.path = next(); break;
+      default:
+        if (a.startsWith('--')) {
+          process.stderr.write(`Unknown flag: ${a}\nRun with --help for usage.\n`);
+          process.exit(2);
+        }
     }
+  }
 
-    case 'prompts/list': {
-      return ok(id, { prompts: PROMPTS });
-    }
-
-    case 'prompts/get': {
-      const name = params?.name;
-
-      if (name === 'soc_analyst') {
-        return ok(id, {
-          description: 'Principal SOC Analyst operating instructions from CLAUDE.md',
-          messages: [
-            {
-              role: 'user',
-              content: {
-                type: 'text',
-                text: `You are operating as a Principal SOC Analyst. Load and follow the instructions below precisely.\n\n${SOC_CONTEXT}`,
-              },
-            },
-          ],
-        });
-      }
-
-      if (name === 'session_init') {
-        return ok(id, {
-          description: 'Structured session initialization',
-          messages: [
-            {
-              role: 'user',
-              content: {
-                type: 'text',
-                text: `Begin a new SOC analyst session. Follow this initialization sequence:
-
-1. Call \`powerquery_enumerate_sources\` to discover active SDL data sources (MANDATORY — never assume sources from prior sessions).
-2. In parallel, call \`uam_list_alerts\` with filter="status=OPEN" to pull active alerts.
-3. For each discovered data source not already in the schema registry, plan schema discovery via \`powerquery_schema_discover\`.
-4. Report: (a) active data sources list, (b) open alert count and top 5 by severity, (c) which sources need schema discovery.
-
-Apply the SOC analyst context from the soc_analyst prompt throughout.`,
-              },
-            },
-          ],
-        });
-      }
-
-      return err(id, -32002, `Prompt not found: ${name}`);
-    }
-
-    case 'tools/list': {
-      return ok(id, { tools: TOOL_DEFS });
-    }
-
-    case 'tools/call': {
-      const toolName = params?.name;
-      const args = params?.arguments || {};
-
-      if (!toolName) {
-        return err(id, -32602, 'Missing tool name');
-      }
-
-      const handler = HANDLERS[toolName];
-      if (!handler) {
-        return err(id, -32602, `Tool not found: ${toolName}`);
-      }
-
-      try {
-        const output = await handler(args);
-        const text = typeof output === 'string' ? output : JSON.stringify(output, null, 2);
-        return ok(id, {
-          content: [{ type: 'text', text }],
-          isError: false,
-        });
-      } catch (e) {
-        log(`Tool error [${toolName}]:`, e.message);
-        return ok(id, {
-          content: [{ type: 'text', text: `Error: ${e.message}` }],
-          isError: true,
-        });
-      }
-    }
+  if (!['stdio', 'http'].includes(out.transport)) {
+    process.stderr.write(`Invalid --transport: ${out.transport} (expected: stdio, http)\n`);
+    process.exit(2);
+  }
+  if (out.transport === 'http' && (!out.port || out.port <= 0 || out.port > 65535)) {
+    process.stderr.write(`Invalid --port: ${out.port}\n`);
+    process.exit(2);
+  }
+  if (!out.path.startsWith('/')) {
+    process.stderr.write(`Invalid --path: ${out.path} (must start with /)\n`);
+    process.exit(2);
+  }
 
-    // Notifications have no id — just ignore
-    case 'notifications/initialized':
-    case 'initialized':
-      return null;
+  return out;
+}
 
-    default: {
-      if (id !== undefined) {
-        return err(id, -32601, `Method not found: ${method}`);
-      }
-      return null;
-    }
-  }
+function printHelp() {
+  process.stdout.write(`\
+sentinelone-mcp ${SERVER_INFO.version}
+
+USAGE
+  sentinelone-mcp [options]
+
+OPTIONS
+  --transport <stdio|http>    Transport to use. Default: stdio.
+  --host <host>               HTTP bind address. Default: 127.0.0.1.
+  --port <port>               HTTP port. Default: 8765.
+  --path <path>               HTTP MCP endpoint path. Default: /mcp.
+  -h, --help                  Show this help.
+  -v, --version               Show server version.
+
+ENVIRONMENT
+  MCP_TRANSPORT               Same as --transport.
+  MCP_HTTP_HOST               Same as --host.
+  MCP_HTTP_PORT               Same as --port.
+  MCP_HTTP_PATH               Same as --path.
+
+  MCP_BEARER_TOKENS_FILE      Path to a JSON file mapping {name: token} for
+                              per-user authenticated HTTP access. Recommended
+                              for teams. SIGHUP reloads without restart.
+  MCP_BEARER_TOKENS           Comma-separated raw tokens (no per-user names).
+                              Fallback when MCP_BEARER_TOKENS_FILE is not set.
+
+  S1_CONSOLE_URL              Console URL, e.g. https://usea1-acme.sentinelone.net
+  S1_CONSOLE_API_TOKEN        Mgmt Console API token. Required for most tools.
+  S1_HEC_INGEST_URL           HEC ingest host. Required for uam_ingest_alert,
+                              uam_post_indicators, uam_post_alert.
+  SDL_XDR_URL                 SDL tenant URL.
+  SDL_LOG_READ_KEY            SDL Log Read key.
+  SDL_CONFIG_READ_KEY         SDL Config Read key.
+  SDL_CONFIG_WRITE_KEY        SDL Config Write key. Required for sdl_put_file.
+  S1_CREDS_FILE               Explicit path to a credentials.json file.
+                              Highest priority for credential resolution.
+  S1_CLAUDE_MD_PATH           Absolute path to CLAUDE.md for the soc_analyst
+                              prompt and sentinelone://soc-context resource.
+
+EXAMPLES
+  Run as a local MCP server for Claude Desktop / Cowork:
+    sentinelone-mcp
+
+  Run as an HTTP service for personal use:
+    sentinelone-mcp --transport http
+    # then: curl -s http://127.0.0.1:8765/healthz
+
+  Run as a shared team service with token auth:
+    MCP_BEARER_TOKENS_FILE=/etc/sentinelone-mcp/bearer-tokens.json \\
+      sentinelone-mcp --transport http --host 0.0.0.0 --port 8765
+    # See deploy/README.md for the full Linux VM walkthrough.
+`);
 }
 
-// ─── Main loop ────────────────────────────────────────────────────────────────
+// ─── Main ────────────────────────────────────────────────────────────────────
 
 async function main() {
-  log(`Starting (node ${process.version})`);
+  const opts = parseArgs(process.argv.slice(2));
+
+  if (opts.help)    { printHelp(); process.exit(0); }
+  if (opts.version) { process.stdout.write(`${SERVER_INFO.version}\n`); process.exit(0); }
+
+  log(`Starting ${SERVER_INFO.name} v${SERVER_INFO.version} (node ${process.version})`);
 
   const creds = getCreds();
   log(`S1 Mgmt API:  ${hasS1Creds() ? 'configured (' + creds.S1_CONSOLE_URL + ')' : 'NOT configured'}`);
   log(`SDL API:      ${hasSdlCreds() ? 'configured (' + creds.SDL_XDR_URL + ')' : 'NOT configured'}`);
-  log(`UAM Ingest:   ${hasHecCreds() ? 'configured (' + creds.S1_HEC_INGEST_URL + ')' : 'NOT configured (add S1_HEC_INGEST_URL to credentials.json)'}`);
+  log(`UAM Ingest:   ${hasHecCreds() ? 'configured (' + creds.S1_HEC_INGEST_URL + ')' : 'NOT configured (add S1_HEC_INGEST_URL)'}`);
   log(`Tools:        ${ALL_TOOLS.length} registered`);
 
-  const rl = createInterface({ input: process.stdin, terminal: false });
-
-  // Track in-flight async requests so we don't exit while one is still running
-  let inFlight = 0;
-  let stdinClosed = false;
-
-  function maybeExit() {
-    if (stdinClosed && inFlight === 0) {
-      log('All requests complete, exiting.');
-      process.exit(0);
-    }
-  }
-
-  rl.on('line', async (line) => {
-    const trimmed = line.trim();
-    if (!trimmed) return;
-
-    let msg;
+  if (opts.transport === 'http') {
     try {
-      msg = JSON.parse(trimmed);
+      loadTokens();
     } catch (e) {
-      send(err(null, -32700, `Parse error: ${e.message}`));
-      return;
+      process.stderr.write(`[auth] FATAL: ${e.message}\n`);
+      process.exit(1);
     }
+    installSighupReload();
 
-    // Notification (no id) — handle but don't respond
-    const isNotification = msg.id === undefined;
-
-    inFlight++;
-    try {
-      const response = await dispatch(msg.method, msg.params, msg.id);
-      if (response !== null && !isNotification) {
-        send(response);
-      }
-    } catch (e) {
-      log('Unhandled dispatch error:', e.message, e.stack);
-      if (!isNotification) {
-        send(err(msg.id ?? null, -32603, `Internal error: ${e.message}`));
-      }
-    } finally {
-      inFlight--;
-      maybeExit();
-    }
-  });
-
-  rl.on('close', () => {
-    log('stdin closed, waiting for in-flight requests...');
-    stdinClosed = true;
-    maybeExit();
-  });
+    const { startHttp } = await import('./lib/http-transport.js');
+    await startHttp(dispatch, { port: opts.port, host: opts.host, path: opts.path });
+    log('HTTP transport ready. Press Ctrl+C to stop.');
+    return;
+  }
 
-  process.on('SIGINT', () => {
-    log('SIGINT received, exiting.');
-    process.exit(0);
-  });
+  // Default: stdio
+  const { startStdio } = await import('./lib/stdio-transport.js');
+  await startStdio(dispatch);
 }
 
 main().catch(e => {

package/lib/auth.js

@@ -0,0 +1,161 @@
+/**
+ * Bearer token auth loader for HTTP transport.
+ *
+ * Sources (highest wins):
+ *   1. MCP_BEARER_TOKENS_FILE — path to JSON: { "<name>": "<token>", ... }
+ *      Allows per-user tokens with stable names for audit logs.
+ *      File mode is enforced via the install script (0600 recommended).
+ *   2. MCP_BEARER_TOKENS — comma-separated raw tokens (no per-user names).
+ *      Names default to "token-1", "token-2", etc.
+ *
+ * If neither is set, HTTP transport runs with NO authentication. The server
+ * logs a loud warning at startup. Suitable only for stdio-style local-only
+ * deployments where the bind address is 127.0.0.1 and no other process can
+ * reach the port.
+ *
+ * SIGHUP reloads the token store without restarting the server, so rotation
+ * is "edit file, kill -HUP <pid>" with zero downtime.
+ *
+ * Zero dependencies. Synchronous load, async reload via SIGHUP.
+ */
+
+import { readFileSync, existsSync, statSync } from 'fs';
+
+let _tokens = new Map();   // token -> name
+let _loadedFrom = null;
+let _warnedNoAuth = false;
+
+function parseFileTokens(path) {
+  const raw = readFileSync(path, 'utf-8');
+  const obj = JSON.parse(raw);
+  if (!obj || typeof obj !== 'object' || Array.isArray(obj)) {
+    throw new Error('MCP_BEARER_TOKENS_FILE must contain a JSON object of {name: token}');
+  }
+  const m = new Map();
+  for (const [name, token] of Object.entries(obj)) {
+    if (typeof token !== 'string' || token.length < 16) {
+      throw new Error(`Token for "${name}" must be a string of at least 16 chars`);
+    }
+    m.set(token, name);
+  }
+  return m;
+}
+
+function parseEnvTokens(raw) {
+  const m = new Map();
+  const parts = raw.split(',').map(s => s.trim()).filter(Boolean);
+  parts.forEach((token, i) => {
+    if (token.length < 16) {
+      throw new Error(`Token #${i + 1} in MCP_BEARER_TOKENS must be at least 16 chars`);
+    }
+    m.set(token, `token-${i + 1}`);
+  });
+  return m;
+}
+
+function logModeForPath(path) {
+  try {
+    const s = statSync(path);
+    const mode = (s.mode & 0o777).toString(8);
+    if ((s.mode & 0o077) !== 0) {
+      process.stderr.write(
+        `[auth] WARNING: ${path} mode is ${mode}; recommended 0600. ` +
+        `Run: chmod 600 ${path}\n`
+      );
+    }
+    return mode;
+  } catch { return null; }
+}
+
+export function loadTokens() {
+  const filePath = process.env.MCP_BEARER_TOKENS_FILE;
+  const envRaw   = process.env.MCP_BEARER_TOKENS;
+
+  if (filePath) {
+    if (!existsSync(filePath)) {
+      throw new Error(`MCP_BEARER_TOKENS_FILE points at non-existent path: ${filePath}`);
+    }
+    _tokens = parseFileTokens(filePath);
+    _loadedFrom = `file:${filePath}`;
+    const mode = logModeForPath(filePath);
+    process.stderr.write(
+      `[auth] Loaded ${_tokens.size} bearer token(s) from ${filePath} (mode ${mode || 'unknown'})\n`
+    );
+    return _tokens.size;
+  }
+
+  if (envRaw) {
+    _tokens = parseEnvTokens(envRaw);
+    _loadedFrom = 'env:MCP_BEARER_TOKENS';
+    process.stderr.write(
+      `[auth] Loaded ${_tokens.size} bearer token(s) from MCP_BEARER_TOKENS env var\n`
+    );
+    return _tokens.size;
+  }
+
+  _tokens = new Map();
+  _loadedFrom = null;
+  return 0;
+}
+
+/**
+ * Returns true if any token store is configured. When false, HTTP transport
+ * must either (a) refuse to start, or (b) start with a loud warning,
+ * depending on caller policy.
+ */
+export function isAuthConfigured() {
+  return _tokens.size > 0;
+}
+
+/**
+ * Validates an Authorization header value and returns the matched token name
+ * (for audit logging), or null if the header is missing/invalid.
+ *
+ * Accepts:  "Bearer <token>"
+ * Rejects:  empty, malformed, unknown token.
+ */
+export function authenticate(authHeader) {
+  if (!authHeader || typeof authHeader !== 'string') return null;
+  const m = authHeader.match(/^Bearer\s+(.+)$/i);
+  if (!m) return null;
+  const token = m[1].trim();
+  return _tokens.get(token) || null;
+}
+
+/**
+ * Warn once if HTTP transport is enabled with no auth. Caller invokes this
+ * at startup.
+ */
+export function warnIfNoAuth(host) {
+  if (!isAuthConfigured() && !_warnedNoAuth) {
+    _warnedNoAuth = true;
+    const reachable = host !== '127.0.0.1' && host !== 'localhost';
+    process.stderr.write(
+      `[auth] WARNING: HTTP transport is running with NO authentication.\n` +
+      (reachable
+        ? `[auth] WARNING: bound to ${host} (reachable from other hosts). ` +
+          `Set MCP_BEARER_TOKENS_FILE or MCP_BEARER_TOKENS, or bind to 127.0.0.1.\n`
+        : `[auth] (Bound to ${host}; OK for purely local single-user use, ` +
+          `not OK for team / VM deployments.)\n`)
+    );
+  }
+}
+
+export function authSourceForLogging() {
+  return _loadedFrom;
+}
+
+/**
+ * Install a SIGHUP handler that reloads tokens from the same source.
+ * Returns nothing; intended to be called once at startup.
+ */
+export function installSighupReload() {
+  process.on('SIGHUP', () => {
+    try {
+      const n = loadTokens();
+      process.stderr.write(`[auth] SIGHUP: reloaded, ${n} token(s) active\n`);
+    } catch (e) {
+      process.stderr.write(`[auth] SIGHUP: reload FAILED, keeping previous tokens: ${e.message}\n`);
+    }
+  });
+}