@pmoses-s1/sentinelone-mcp 1.0.0 → 1.2.0

package/lib/server-core.js

@@ -0,0 +1,264 @@
+/**
+ * MCP server core: transport-agnostic.
+ *
+ * Exports:
+ *   - dispatch(method, params, id):    JSON-RPC method dispatcher
+ *   - SERVER_INFO, PROTOCOL_VERSION:    server identity
+ *   - TOOL_DEFS:                        for diagnostics / introspection
+ *   - ALL_TOOLS:                        for tests
+ *
+ * Both stdio-transport and http-transport import dispatch() and feed it
+ * parsed JSON-RPC envelopes. They are responsible for serialization,
+ * framing, and any transport-specific concerns (auth, sessions, headers).
+ */
+
+import { readFileSync, existsSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+
+import { tools as pqTools }        from '../tools/powerquery.js';
+import { tools as mgmtTools }       from '../tools/mgmt-console.js';
+import { tools as sdlTools }        from '../tools/sdl-api.js';
+import { tools as haTools }         from '../tools/hyperautomation.js';
+import { tools as uamIngestTools }  from '../tools/uam-ingest.js';
+import { getCreds, hasS1Creds, hasSdlCreds } from './credentials.js';
+import { hasHecCreds } from './uam-ingest.js';
+
+const __dir = dirname(fileURLToPath(import.meta.url));
+
+// ─── SOC context (CLAUDE.md) ──────────────────────────────────────────────────
+
+function loadSocContext() {
+  const candidates = [
+    process.env.S1_CLAUDE_MD_PATH,
+    process.cwd() ? join(process.cwd(), 'CLAUDE.md') : null,
+    join(__dir, '..', '..', 'CLAUDE.md'),    // claude-skills/CLAUDE.md (git clone)
+    join(__dir, '..', '..', '..', 'CLAUDE.md'),
+    join(__dir, '..', 'CLAUDE.md'),
+  ].filter(Boolean);
+  for (const p of candidates) {
+    if (existsSync(p)) {
+      try { return readFileSync(p, 'utf-8'); } catch { /* skip */ }
+    }
+  }
+  return '# SentinelOne SOC Analyst Context\n\n_CLAUDE.md not found. Place it in your Cowork project folder, or set S1_CLAUDE_MD_PATH to an absolute path._';
+}
+
+const SOC_CONTEXT = loadSocContext();
+
+// ─── Tool registry ────────────────────────────────────────────────────────────
+
+export const ALL_TOOLS = [...pqTools, ...mgmtTools, ...sdlTools, ...haTools, ...uamIngestTools];
+
+export const TOOL_DEFS = ALL_TOOLS.map(t => ({
+  name: t.name,
+  description: t.description,
+  inputSchema: t.inputSchema,
+}));
+
+const HANDLERS = Object.fromEntries(ALL_TOOLS.map(t => [t.name, t.handler]));
+
+// ─── Resources ────────────────────────────────────────────────────────────────
+
+const RESOURCES = [
+  {
+    uri: 'sentinelone://soc-context',
+    name: 'SOC Analyst Operating Instructions',
+    description: 'CLAUDE.md — Principal SOC Analyst operating instructions including investigation workflow, evidence discipline, anomaly detection playbook, MITRE ATT&CK mapping, and tool usage priorities.',
+    mimeType: 'text/markdown',
+  },
+  {
+    uri: 'sentinelone://credentials-status',
+    name: 'Credential Configuration Status',
+    description: 'Reports which credentials are configured and which API surfaces are available.',
+    mimeType: 'application/json',
+  },
+];
+
+// ─── Prompts ──────────────────────────────────────────────────────────────────
+
+const PROMPTS = [
+  {
+    name: 'soc_analyst',
+    description: 'Load the Principal SOC Analyst system context from CLAUDE.md. Call at the start of every security investigation session to prime the operating instructions, evidence discipline rules, investigation workflow, and tool usage priorities.',
+    arguments: [],
+  },
+  {
+    name: 'session_init',
+    description: 'Structured session initialization prompt. Triggers mandatory data-source enumeration, alert triage, and schema discovery in parallel, mirroring the standard engagement workflow from the SOC playbook.',
+    arguments: [],
+  },
+];
+
+// ─── MCP envelope helpers ─────────────────────────────────────────────────────
+
+export const SERVER_INFO = {
+  name: 'sentinelone-mcp-server',
+  version: '1.1.0',
+};
+
+export const PROTOCOL_VERSION = '2024-11-05';
+
+export function ok(id, result) {
+  return { jsonrpc: '2.0', id, result };
+}
+
+export function err(id, code, message, data) {
+  return { jsonrpc: '2.0', id, error: { code, message, ...(data ? { data } : {}) } };
+}
+
+function log(...args) {
+  process.stderr.write('[sentinelone-mcp] ' + args.join(' ') + '\n');
+}
+
+// ─── dispatch ────────────────────────────────────────────────────────────────
+
+export async function dispatch(method, params, id) {
+  switch (method) {
+
+    case 'initialize': {
+      return ok(id, {
+        protocolVersion: PROTOCOL_VERSION,
+        capabilities: {
+          resources: { subscribe: false, listChanged: false },
+          tools: { listChanged: false },
+          prompts: { listChanged: false },
+        },
+        serverInfo: SERVER_INFO,
+        instructions: 'SentinelOne MCP server providing PowerQuery, Mgmt Console API, SDL API, and Hyperautomation tools. Load the "soc_analyst" prompt at session start for full operating context.',
+      });
+    }
+
+    case 'ping': {
+      return ok(id, {});
+    }
+
+    case 'resources/list': {
+      return ok(id, { resources: RESOURCES });
+    }
+
+    case 'resources/read': {
+      const uri = params?.uri;
+      if (uri === 'sentinelone://soc-context') {
+        return ok(id, {
+          contents: [{ uri, mimeType: 'text/markdown', text: SOC_CONTEXT }],
+        });
+      }
+      if (uri === 'sentinelone://credentials-status') {
+        const c = getCreds();
+        const status = {
+          s1MgmtApi: {
+            configured: hasS1Creds(),
+            consoleUrl: c.S1_CONSOLE_URL ? c.S1_CONSOLE_URL.replace(/https?:\/\//, '').split('.')[0] + '...' : 'NOT SET',
+            tokenPresent: !!c.S1_CONSOLE_API_TOKEN,
+          },
+          sdlApi: {
+            configured: hasSdlCreds(),
+            xdrUrl: c.SDL_XDR_URL || 'NOT SET',
+            configWriteKey: !!c.SDL_CONFIG_WRITE_KEY,
+          },
+          uamIngestApi: {
+            configured: hasHecCreds(),
+            hecUrl: c.S1_HEC_INGEST_URL || 'NOT SET (add S1_HEC_INGEST_URL to credentials.json)',
+            tokenPresent: !!c.S1_CONSOLE_API_TOKEN,
+          },
+        };
+        return ok(id, {
+          contents: [{ uri, mimeType: 'application/json', text: JSON.stringify(status, null, 2) }],
+        });
+      }
+      return err(id, -32002, `Resource not found: ${uri}`);
+    }
+
+    case 'prompts/list': {
+      return ok(id, { prompts: PROMPTS });
+    }
+
+    case 'prompts/get': {
+      const name = params?.name;
+
+      if (name === 'soc_analyst') {
+        return ok(id, {
+          description: 'Principal SOC Analyst operating instructions from CLAUDE.md',
+          messages: [
+            {
+              role: 'user',
+              content: {
+                type: 'text',
+                text: `You are operating as a Principal SOC Analyst. Load and follow the instructions below precisely.\n\n${SOC_CONTEXT}`,
+              },
+            },
+          ],
+        });
+      }
+
+      if (name === 'session_init') {
+        return ok(id, {
+          description: 'Structured session initialization',
+          messages: [
+            {
+              role: 'user',
+              content: {
+                type: 'text',
+                text: `Begin a new SOC analyst session. Follow this initialization sequence:
+
+1. Call \`powerquery_enumerate_sources\` to discover active SDL data sources (MANDATORY, never assume sources from prior sessions).
+2. In parallel, call \`uam_list_alerts\` with filter="status=OPEN" to pull active alerts.
+3. For each discovered data source not already in the schema registry, plan schema discovery via \`powerquery_schema_discover\`.
+4. Report: (a) active data sources list, (b) open alert count and top 5 by severity, (c) which sources need schema discovery.
+
+Apply the SOC analyst context from the soc_analyst prompt throughout.`,
+              },
+            },
+          ],
+        });
+      }
+
+      return err(id, -32002, `Prompt not found: ${name}`);
+    }
+
+    case 'tools/list': {
+      return ok(id, { tools: TOOL_DEFS });
+    }
+
+    case 'tools/call': {
+      const toolName = params?.name;
+      const args = params?.arguments || {};
+
+      if (!toolName) {
+        return err(id, -32602, 'Missing tool name');
+      }
+
+      const handler = HANDLERS[toolName];
+      if (!handler) {
+        return err(id, -32602, `Tool not found: ${toolName}`);
+      }
+
+      try {
+        const output = await handler(args);
+        const text = typeof output === 'string' ? output : JSON.stringify(output, null, 2);
+        return ok(id, {
+          content: [{ type: 'text', text }],
+          isError: false,
+        });
+      } catch (e) {
+        log(`Tool error [${toolName}]:`, e.message);
+        return ok(id, {
+          content: [{ type: 'text', text: `Error: ${e.message}` }],
+          isError: true,
+        });
+      }
+    }
+
+    case 'notifications/initialized':
+    case 'initialized':
+      return null;
+
+    default: {
+      if (id !== undefined) {
+        return err(id, -32601, `Method not found: ${method}`);
+      }
+      return null;
+    }
+  }
+}

package/lib/stdio-transport.js

@@ -0,0 +1,77 @@
+/**
+ * stdio transport: reads JSON-RPC messages from stdin (one per line),
+ * dispatches via the provided dispatcher, writes responses to stdout.
+ *
+ * This is the default transport and the one used by Claude Desktop,
+ * Claude Code, Claude Cowork, and any other client launched via the
+ * `npx` / `node index.js` invocation pattern.
+ */
+
+import { createInterface } from 'readline';
+import { err as makeErr } from './server-core.js';
+
+function log(...args) {
+  process.stderr.write('[sentinelone-mcp] ' + args.join(' ') + '\n');
+}
+
+function send(obj) {
+  process.stdout.write(JSON.stringify(obj) + '\n');
+}
+
+export async function startStdio(dispatch) {
+  log('Transport: stdio');
+
+  const rl = createInterface({ input: process.stdin, terminal: false });
+
+  let inFlight = 0;
+  let stdinClosed = false;
+
+  function maybeExit() {
+    if (stdinClosed && inFlight === 0) {
+      log('All requests complete, exiting.');
+      process.exit(0);
+    }
+  }
+
+  rl.on('line', async (line) => {
+    const trimmed = line.trim();
+    if (!trimmed) return;
+
+    let msg;
+    try {
+      msg = JSON.parse(trimmed);
+    } catch (e) {
+      send(makeErr(null, -32700, `Parse error: ${e.message}`));
+      return;
+    }
+
+    const isNotification = msg.id === undefined;
+
+    inFlight++;
+    try {
+      const response = await dispatch(msg.method, msg.params, msg.id);
+      if (response !== null && !isNotification) {
+        send(response);
+      }
+    } catch (e) {
+      log('Unhandled dispatch error:', e.message, e.stack);
+      if (!isNotification) {
+        send(makeErr(msg.id ?? null, -32603, `Internal error: ${e.message}`));
+      }
+    } finally {
+      inFlight--;
+      maybeExit();
+    }
+  });
+
+  rl.on('close', () => {
+    log('stdin closed, waiting for in-flight requests...');
+    stdinClosed = true;
+    maybeExit();
+  });
+
+  process.on('SIGINT', () => {
+    log('SIGINT received, exiting.');
+    process.exit(0);
+  });
+}

package/lib/uam-ingest.js

@@ -112,7 +112,7 @@ async function hecPost(path, payloads, scope, retries = 3) {
  *
  * Shape matches the confirmed-working Python build_file_indicator() in
  * sentinelone-mgmt-console-api/scripts/uam_alert_interface.py (tested
- * on usea1-purple 2026-04-22). Key points:
+ * on usea1-acme 2026-04-22). Key points:
  *   - metadata.version "1.6.0-dev" (not "1.6.0")
  *   - metadata.extensions array (not "extension" singular)
  *   - metadata.product omits vendor_name (just name)

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@pmoses-s1/sentinelone-mcp",
-  "version": "1.0.0",
-  "description": "MCP server orchestrating SentinelOne skills, APIs, and SOC analyst context",
+  "version": "1.2.0",
+  "description": "MCP server orchestrating SentinelOne skills, APIs, and SOC analyst context. Stdio or Streamable HTTP transport with per-user bearer auth for team deployments.",
   "type": "module",
   "main": "index.js",
   "bin": {
@@ -11,11 +11,17 @@
     "index.js",
     "lib/",
     "tools/",
-    "README.md"
+    "deploy/",
+    "scripts/",
+    "README.md",
+    "CHANGELOG.md"
   ],
   "scripts": {
     "start": "node index.js",
-    "dev": "node --watch index.js"
+    "start:http": "node index.js --transport http",
+    "dev": "node --watch index.js",
+    "test": "node --test tests/smoke.test.mjs tests/stdio-transport.test.mjs tests/http-transport.test.mjs",
+    "regen:readme": "node scripts/regen-readme-tools-table.mjs"
   },
   "engines": {
     "node": ">=18.0.0"

package/scripts/regen-readme-tools-table.mjs

@@ -0,0 +1,142 @@
+#!/usr/bin/env node
+/**
+ * Regenerate the "What this exposes" tools table in sentinelone-mcp/README.md
+ * directly from the live ALL_TOOLS array in server-core.js.
+ *
+ * This is the guard against the drift that produced the original
+ * 19-vs-21-vs-26 confusion: if the table doesn't match the registered
+ * tools, the build fails (when run via `npm run regen:readme -- --check`).
+ *
+ * Usage:
+ *   node scripts/regen-readme-tools-table.mjs           Rewrite README in place.
+ *   node scripts/regen-readme-tools-table.mjs --check   Exit 1 if table is stale.
+ */
+
+import { readFileSync, writeFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { ALL_TOOLS } from '../lib/server-core.js';
+
+const __dir = dirname(fileURLToPath(import.meta.url));
+const README = resolve(__dir, '..', 'README.md');
+
+// Map each tool to its origin module + originating skill name(s).
+// This is the only hand-maintained mapping; updating it is part of adding a
+// new tool's row to the README.
+const TOOL_SKILL = {
+  // PowerQuery
+  powerquery_enumerate_sources:  'sentinelone-powerquery',
+  powerquery_run:                'sentinelone-powerquery',
+  powerquery_schema_discover:    'sentinelone-powerquery',
+  // Mgmt Console
+  s1_api_get:                    'sentinelone-mgmt-console-api',
+  s1_api_post:                   'sentinelone-mgmt-console-api',
+  s1_api_put:                    'sentinelone-mgmt-console-api',
+  s1_api_delete:                 'sentinelone-mgmt-console-api',
+  s1_api_patch:                  'sentinelone-mgmt-console-api',
+  purple_ai_alert_summary:       'sentinelone-mgmt-console-api',
+  uam_list_alerts:               'sentinelone-mgmt-console-api',
+  uam_get_alert:                 'sentinelone-mgmt-console-api',
+  uam_add_note:                  'sentinelone-mgmt-console-api',
+  uam_set_status:                'sentinelone-mgmt-console-api',
+  // SDL API
+  sdl_list_files:                'sentinelone-sdl-api / sdl-dashboard / sdl-log-parser',
+  sdl_get_file:                  'sentinelone-sdl-api / sdl-dashboard / sdl-log-parser',
+  sdl_put_file:                  'sentinelone-sdl-api / sdl-dashboard / sdl-log-parser',
+  sdl_delete_file:               'sentinelone-sdl-api',
+  hec_ingest:                    'sentinelone-sdl-api / sdl-log-parser',
+  // Hyperautomation
+  ha_list_workflows:             'sentinelone-hyperautomation',
+  ha_get_workflow:               'sentinelone-hyperautomation',
+  ha_archive_workflow:           'sentinelone-hyperautomation',
+  ha_import_workflow:            'sentinelone-hyperautomation',
+  ha_export_workflow:            'sentinelone-hyperautomation',
+  // UAM Ingest
+  uam_ingest_alert:              'sentinelone-mgmt-console-api (UAM Alert Interface)',
+  uam_post_indicators:           'sentinelone-mgmt-console-api (UAM Alert Interface)',
+  uam_post_alert:                'sentinelone-mgmt-console-api (UAM Alert Interface)',
+};
+
+const GROUPS = [
+  { label: 'PowerQuery',       prefix: 'powerquery_' },
+  { label: 'Mgmt Console',     test: n => /^(s1_api_|purple_ai_|uam_(list|get|add|set))/.test(n) },
+  { label: 'SDL API',          prefix: 'sdl_' },
+  { label: 'Hyperautomation',  prefix: 'ha_' },
+  { label: 'UAM Ingest',       test: n => /^(uam_ingest_|uam_post_)/.test(n) },
+];
+
+function groupOf(name) {
+  for (const g of GROUPS) {
+    if (g.prefix && name.startsWith(g.prefix)) return g.label;
+    if (g.test && g.test(name)) return g.label;
+  }
+  return '???';
+}
+
+// Build the new table block. The leading "**N tools**" header is regenerated
+// too so the count and the table can't drift apart.
+function buildTable() {
+  const sorted = [...ALL_TOOLS]
+    .map(t => t.name)
+    .sort((a, b) => {
+      const ga = GROUPS.findIndex(g => groupOf(a) === g.label);
+      const gb = GROUPS.findIndex(g => groupOf(b) === g.label);
+      if (ga !== gb) return ga - gb;
+      return a.localeCompare(b);
+    });
+
+  const lines = [];
+  lines.push(`**${ALL_TOOLS.length} tools** across PowerQuery, Mgmt Console, SDL API, Hyperautomation, and UAM Ingest:`);
+  lines.push('');
+  lines.push('| Group | Tool | Skill |');
+  lines.push('|-------|------|-------|');
+  for (const name of sorted) {
+    const group = groupOf(name);
+    const skill = TOOL_SKILL[name] || '';
+    if (!skill) {
+      throw new Error(`Missing TOOL_SKILL mapping for "${name}". Update scripts/regen-readme-tools-table.mjs.`);
+    }
+    lines.push(`| ${group} | \`${name}\` | ${skill} |`);
+  }
+  return lines.join('\n');
+}
+
+const START = '<!-- BEGIN AUTO-GENERATED TOOLS TABLE -->';
+const END   = '<!-- END AUTO-GENERATED TOOLS TABLE -->';
+
+function spliceTable(readme, table) {
+  const start = readme.indexOf(START);
+  const end   = readme.indexOf(END);
+  if (start < 0 || end < 0 || end < start) {
+    throw new Error(
+      `README is missing the BEGIN/END auto-generated markers:\n  ${START}\n  ${END}\n` +
+      `Add both to README.md around the tools table block before running this script.`
+    );
+  }
+  const head = readme.slice(0, start + START.length);
+  const tail = readme.slice(end);
+  return head + '\n' + table + '\n' + tail;
+}
+
+const args = process.argv.slice(2);
+const checkOnly = args.includes('--check');
+
+const before = readFileSync(README, 'utf-8');
+const table = buildTable();
+const after = spliceTable(before, table);
+
+if (checkOnly) {
+  if (before !== after) {
+    process.stderr.write('README tools table is out of sync with ALL_TOOLS.\n');
+    process.stderr.write('Run `npm run regen:readme` to fix.\n');
+    process.exit(1);
+  }
+  process.stdout.write('README tools table is in sync.\n');
+} else {
+  if (before === after) {
+    process.stdout.write('No changes; README tools table already in sync.\n');
+  } else {
+    writeFileSync(README, after);
+    process.stdout.write(`Updated README tools table (${ALL_TOOLS.length} tools).\n`);
+  }
+}

package/scripts/smoke-test-http.sh

@@ -0,0 +1,122 @@
+#!/usr/bin/env bash
+#
+# smoke-test-http.sh -- generic HTTP smoke test for sentinelone-mcp.
+#
+# Exercises the public contract end-to-end:
+#   1. healthz returns 200 (no auth)
+#   2. initialize returns the expected protocol version and server info
+#   3. tools/list returns 26 tools
+#   4. tools/call s1_api_get works (uses /agents/count as a cheap probe)
+#   5. bad bearer returns HTTP 401
+#   6. unknown method returns JSON-RPC error -32601 inside a 200 envelope
+#
+# Useful for new team members verifying their setup, or for re-checking the
+# deployment after a config change, a cert rotation, or an MCP version bump.
+#
+# Run as:
+#   MCP_HOST=mcp.s1.internal:8764 \
+#   MCP_BEARER=your-bearer-token \
+#     bash sentinelone-mcp/scripts/smoke-test-http.sh
+#
+# Or set defaults at the top of the script and run with no args.
+
+set -uo pipefail
+
+HOST="${MCP_HOST:-}"
+TOKEN="${MCP_BEARER:-}"
+
+if [[ -z "$HOST" || -z "$TOKEN" ]]; then
+  cat >&2 <<EOF
+Usage:
+  MCP_HOST=<host:port> MCP_BEARER=<token> bash $0
+
+Both env vars are required.
+EOF
+  exit 2
+fi
+
+for tool in curl jq; do
+  if ! command -v "$tool" >/dev/null 2>&1; then
+    echo "Missing dependency: $tool" >&2
+    exit 3
+  fi
+done
+
+URL="https://$HOST/mcp"
+AUTH="Authorization: Bearer $TOKEN"
+JSON="Content-Type: application/json"
+
+FAILED=0
+fail() { echo "  FAIL: $*" >&2; FAILED=$((FAILED+1)); }
+pass() { echo "  PASS: $*"; }
+
+echo "=== 1. healthz (no auth) ==="
+HEALTHZ_CODE=$(curl -s -o /dev/null -w "%{http_code}" "https://$HOST/healthz")
+[[ "$HEALTHZ_CODE" == "200" ]] && pass "healthz returned 200" || fail "healthz returned $HEALTHZ_CODE (expected 200)"
+
+echo
+echo "=== 2. initialize ==="
+INIT_BODY=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" -d '{
+  "jsonrpc": "2.0",
+  "id": 1,
+  "method": "initialize",
+  "params": {
+    "protocolVersion": "2024-11-05",
+    "capabilities": {},
+    "clientInfo": { "name": "smoke-test", "version": "1" }
+  }
+}')
+PROTO=$(echo "$INIT_BODY" | jq -r '.result.protocolVersion // "missing"')
+NAME=$( echo "$INIT_BODY" | jq -r '.result.serverInfo.name    // "missing"')
+VER=$(  echo "$INIT_BODY" | jq -r '.result.serverInfo.version // "missing"')
+[[ "$PROTO" == "2024-11-05" ]] && pass "protocolVersion=$PROTO" || fail "protocolVersion=$PROTO"
+[[ "$NAME"  == "sentinelone-mcp-server" ]] && pass "serverInfo.name=$NAME" || fail "serverInfo.name=$NAME"
+[[ "$VER" != "missing" ]] && pass "serverInfo.version=$VER" || fail "serverInfo.version missing"
+
+echo
+echo "=== 3. tools/list count ==="
+TOOLS_COUNT=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" \
+  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list"}' \
+  | jq '.result.tools | length')
+[[ "$TOOLS_COUNT" == "26" ]] && pass "tools/list returned 26 tools" || fail "tools/list returned $TOOLS_COUNT"
+
+echo
+echo "=== 4. tools/call s1_api_get on /agents/count ==="
+AGENTS_TOTAL=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" -d '{
+  "jsonrpc": "2.0",
+  "id": 3,
+  "method": "tools/call",
+  "params": {
+    "name": "s1_api_get",
+    "arguments": { "path": "/web/api/v2.1/agents/count" }
+  }
+}' | jq -r '.result.content[0].text' | jq -r '.data.total // "missing"')
+if [[ "$AGENTS_TOTAL" =~ ^[0-9]+$ ]]; then
+  pass "s1_api_get returned $AGENTS_TOTAL agents"
+else
+  fail "s1_api_get returned data.total=$AGENTS_TOTAL"
+fi
+
+echo
+echo "=== 5. bad bearer (expect HTTP 401) ==="
+BAD_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "$URL" \
+  -H "Authorization: Bearer wrong-token-of-sufficient-length-1234567890" -H "$JSON" \
+  -d '{"jsonrpc":"2.0","id":99,"method":"tools/list"}')
+[[ "$BAD_CODE" == "401" ]] && pass "bad bearer rejected with 401" || fail "bad bearer returned $BAD_CODE (expected 401)"
+
+echo
+echo "=== 6. method not found (expect -32601) ==="
+ERR_CODE=$(curl -s -X POST "$URL" -H "$AUTH" -H "$JSON" \
+  -d '{"jsonrpc":"2.0","id":4,"method":"does/not/exist"}' \
+  | jq -r '.error.code // "missing"')
+[[ "$ERR_CODE" == "-32601" ]] && pass "unknown method returned -32601" || fail "unknown method returned code=$ERR_CODE"
+
+echo
+echo "=== Summary ==="
+if [[ "$FAILED" -eq 0 ]]; then
+  echo "All checks passed."
+  exit 0
+else
+  echo "$FAILED check(s) failed."
+  exit 1
+fi