tandem-editor 0.6.2 → 0.7.0

package/dist/cli/index.js

@@ -10,7 +10,7 @@ var __export = (target, all) => {
 };
 
 // src/shared/constants.ts
-var DEFAULT_MCP_PORT, MAX_FILE_SIZE, MAX_WS_PAYLOAD, IDLE_TIMEOUT, SESSION_MAX_AGE, CHANNEL_MAX_RETRIES, CHANNEL_RETRY_DELAY_MS;
+var DEFAULT_MCP_PORT, MAX_FILE_SIZE, MAX_WS_PAYLOAD, IDLE_TIMEOUT, SESSION_MAX_AGE, CHANNEL_MAX_RETRIES, CHANNEL_RETRY_DELAY_MS, TOKEN_FILE_NAME;
 var init_constants = __esm({
   "src/shared/constants.ts"() {
     "use strict";
@@ -21,6 +21,7 @@ var init_constants = __esm({
     SESSION_MAX_AGE = 30 * 24 * 60 * 60 * 1e3;
     CHANNEL_MAX_RETRIES = 5;
     CHANNEL_RETRY_DELAY_MS = 2e3;
+    TOKEN_FILE_NAME = "auth-token";
   }
 });
 
@@ -42,6 +43,7 @@ var init_skill_content = __esm({
 var setup_exports = {};
 __export(setup_exports, {
   applyConfig: () => applyConfig,
+  applyConfigWithToken: () => applyConfigWithToken,
   buildMcpEntries: () => buildMcpEntries,
   detectTargets: () => detectTargets,
   installSkill: () => installSkill,
@@ -55,14 +57,20 @@ import { homedir } from "os";
 import { basename, dirname as dirname2, join, resolve as resolve2 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function buildMcpEntries(channelPath, opts = {}) {
-  const entries = {
-    tandem: { type: "http", url: `${MCP_URL}/mcp` }
-  };
+  const tandemEntry = { type: "http", url: `${MCP_URL}/mcp` };
+  if (opts.token) {
+    tandemEntry.headers = { Authorization: `Bearer ${opts.token}` };
+  }
+  const entries = { tandem: tandemEntry };
   if (opts.withChannelShim) {
+    const shimEnv = { TANDEM_URL: MCP_URL };
+    if (opts.token) {
+      shimEnv.TANDEM_AUTH_TOKEN = opts.token;
+    }
     entries["tandem-channel"] = {
       command: opts.nodeBinary ?? "node",
       args: [channelPath],
-      env: { TANDEM_URL: MCP_URL }
+      env: shimEnv
     };
   }
   return entries;
@@ -157,6 +165,24 @@ async function installSkill(opts = {}) {
 function validateChannelShimPrereq(channelPath) {
   return existsSync(channelPath);
 }
+async function applyConfigWithToken(token, opts = {}) {
+  const targets = detectTargets({ force: opts.force });
+  const entries = buildMcpEntries(CHANNEL_DIST, {
+    withChannelShim: opts.withChannelShim,
+    token: token ?? void 0
+  });
+  let updated = 0;
+  const errors = [];
+  for (const t of targets) {
+    try {
+      await applyConfig(t.configPath, entries);
+      updated++;
+    } catch (err) {
+      errors.push(`${t.label}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  return { updated, errors };
+}
 async function runSetup(opts = {}) {
   console.error("\nTandem Setup\n");
   if (opts.withChannelShim && !validateChannelShimPrereq(CHANNEL_DIST)) {
@@ -249,15 +275,35 @@ function resolveTandemUrl(override) {
   const raw = override ?? process.env.TANDEM_URL ?? `http://localhost:${DEFAULT_MCP_PORT}`;
   return raw.replace(/\/$/, "");
 }
+async function authFetch(url, init) {
+  const token = process.env.TANDEM_AUTH_TOKEN;
+  if (token !== void 0 && token.trim() !== "") {
+    if (VALID_TOKEN_RE.test(token.trim())) {
+      const headers = new Headers(init?.headers);
+      headers.set("Authorization", `Bearer ${token.trim()}`);
+      return fetch(url, { ...init, headers });
+    }
+    if (!_warnedInvalidToken) {
+      _warnedInvalidToken = true;
+      console.error(
+        "[tandem] authFetch: TANDEM_AUTH_TOKEN is set but invalid (must be 32+ alphanumeric chars [A-Za-z0-9_-]); sending without Authorization header"
+      );
+    }
+  }
+  return fetch(url, init);
+}
+var VALID_TOKEN_RE, _warnedInvalidToken;
 var init_cli_runtime = __esm({
   "src/shared/cli-runtime.ts"() {
     "use strict";
     init_constants();
+    VALID_TOKEN_RE = /^[A-Za-z0-9_\-]{32,}$/;
+    _warnedInvalidToken = false;
   }
 });
 
 // src/cli/preflight.ts
-async function ensureTandemServer(opts = {}) {
+async function probeTandemServer(opts = {}) {
   const url = resolveTandemUrl(opts.url);
   const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
   const controller = new AbortController();
@@ -265,22 +311,36 @@ async function ensureTandemServer(opts = {}) {
   try {
     const res = await fetch(`${url}/health`, { signal: controller.signal });
     if (!res.ok) {
-      fail(url, `health endpoint returned HTTP ${res.status}`);
+      return {
+        ok: false,
+        url,
+        reason: `health endpoint returned HTTP ${res.status}`,
+        kind: "unhealthy"
+      };
     }
+    return { ok: true };
   } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    fail(url, msg);
+    return {
+      ok: false,
+      url,
+      reason: err instanceof Error ? err.message : String(err),
+      kind: "unreachable"
+    };
   } finally {
     clearTimeout(timer);
   }
 }
-function fail(url, detail) {
-  process.stderr.write(
-    `[tandem] Tandem server not reachable at ${url} (${detail}).
-[tandem] Start the Tauri app or run \`tandem start\` on the host, then retry.
+async function ensureTandemServer(opts = {}) {
+  const probe = await probeTandemServer(opts);
+  if (!probe.ok) {
+    const guidance = probe.kind === "unreachable" ? "Start the Tauri app or run `tandem start` on the host, then retry." : "The Tandem server is running but unhealthy \u2014 check the host logs.";
+    process.stderr.write(
+      `[tandem] Tandem server preflight failed at ${probe.url} (${probe.reason}).
+[tandem] ${guidance}
 `
-  );
-  process.exit(1);
+    );
+    process.exit(1);
+  }
 }
 var DEFAULT_TIMEOUT_MS;
 var init_preflight = __esm({
@@ -295,80 +355,237 @@ var init_preflight = __esm({
 var mcp_stdio_exports = {};
 __export(mcp_stdio_exports, {
   getRequestId: () => getRequestId,
+  getResponseId: () => getResponseId,
+  parseTimeoutMs: () => parseTimeoutMs,
+  readAndValidateAuthToken: () => readAndValidateAuthToken,
   runMcpStdio: () => runMcpStdio
 });
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+function parseTimeoutMs(raw) {
+  if (raw !== void 0) {
+    const parsed = parseInt(raw, 10);
+    if (Number.isFinite(parsed) && parsed > 0 && parsed <= MAX_TIMEOUT_MS) {
+      return parsed;
+    }
+    process.stderr.write(
+      `[tandem mcp-stdio] TANDEM_REQUEST_TIMEOUT_MS must be a positive integer \u2264 ${MAX_TIMEOUT_MS}; ignoring "${raw}", using 30000ms default
+`
+    );
+  }
+  return 3e4;
+}
+function readAndValidateAuthToken() {
+  const raw = process.env.TANDEM_AUTH_TOKEN;
+  if (raw === void 0) return null;
+  const trimmed = raw.trim();
+  if (trimmed === "") return null;
+  if (trimmed.startsWith("Bearer ")) {
+    process.stderr.write(
+      "[tandem mcp-stdio] TANDEM_AUTH_TOKEN is invalid (double-prefix: do not include 'Bearer ' prefix \u2014 supply the raw token only)\n"
+    );
+    process.exit(1);
+  }
+  if (!VALID_TOKEN_RE2.test(trimmed)) {
+    process.stderr.write(
+      "[tandem mcp-stdio] TANDEM_AUTH_TOKEN is malformed (must be 32+ URL-safe characters: [A-Za-z0-9_-])\n"
+    );
+    process.exit(1);
+  }
+  return trimmed;
+}
 async function runMcpStdio() {
   const baseUrl = resolveTandemUrl();
-  await ensureTandemServer({ url: baseUrl });
-  const http = new StreamableHTTPClientTransport(new URL(`${baseUrl}/mcp`));
+  const authToken = readAndValidateAuthToken();
+  const http = new StreamableHTTPClientTransport(new URL(`${baseUrl}/mcp`), {
+    requestInit: authToken ? { headers: { Authorization: `Bearer ${authToken}` } } : void 0
+  });
   const stdio = new StdioServerTransport();
+  const pendingRequests = /* @__PURE__ */ new Map();
+  const preReadyBuffer = [];
   let shuttingDown = false;
-  const shutdown = async (code = 0) => {
-    if (!shuttingDown) {
-      shuttingDown = true;
-      await http.close().catch(() => {
-      });
-      await stdio.close().catch(() => {
-      });
+  let httpReady = false;
+  async function sendErrorResponse(id, message, detail) {
+    const errorResponse = {
+      jsonrpc: "2.0",
+      id,
+      error: {
+        // -32000 is the implementation-defined server error range per
+        // JSON-RPC 2.0 §5.1 — upstream unavailability is an application-
+        // level condition, not a generic Internal Error.
+        code: -32e3,
+        message,
+        ...detail !== void 0 ? { data: { detail } } : {}
+      }
+    };
+    try {
+      await stdio.send(errorResponse);
+    } catch (err) {
+      const detail2 = err instanceof Error ? err.message : String(err);
+      process.stderr.write(
+        `[tandem mcp-stdio] failed to send synthesized error for id ${id}: ${detail2}
+`
+      );
+    }
+  }
+  function forwardToUpstream(msg) {
+    if (shuttingDown) return;
+    const requestId = getRequestId(msg);
+    if (requestId !== void 0) {
+      const existing = pendingRequests.get(requestId);
+      if (existing) clearTimeout(existing);
+      const timeoutHandle = setTimeout(() => {
+        if (!pendingRequests.delete(requestId)) return;
+        void sendErrorResponse(
+          requestId,
+          "Tandem HTTP upstream not responding (half-open)",
+          `No response after ${STDIO_REQUEST_TIMEOUT_MS}ms`
+        );
+      }, STDIO_REQUEST_TIMEOUT_MS);
+      pendingRequests.set(requestId, timeoutHandle);
     }
-    process.exit(code);
-  };
-  stdio.onmessage = (msg) => {
     http.send(msg).catch((err) => {
       const detail = err instanceof Error ? err.message : String(err);
       process.stderr.write(`[tandem mcp-stdio] upstream send failed: ${detail}
 `);
-      const requestId = getRequestId(msg);
       if (requestId !== void 0) {
-        const errorResponse = {
-          jsonrpc: "2.0",
-          id: requestId,
-          error: {
-            // -32000 is the implementation-defined server error range per
-            // JSON-RPC 2.0 §5.1 — the upstream being unreachable is an
-            // application-level condition, not a generic Internal Error.
-            code: -32e3,
-            message: "Tandem HTTP upstream unreachable",
-            data: { detail }
-          }
-        };
-        stdio.send(errorResponse).catch(() => {
-        });
+        const handle = pendingRequests.get(requestId);
+        if (handle !== void 0) {
+          pendingRequests.delete(requestId);
+          clearTimeout(handle);
+          void sendErrorResponse(requestId, "Tandem HTTP upstream unreachable", detail);
+        }
       }
     });
+  }
+  async function synthesizeBuffered(message, detail) {
+    const buffered2 = preReadyBuffer.splice(0);
+    const ids = buffered2.map((msg) => getRequestId(msg)).filter((id) => id !== void 0);
+    for (const id of ids) {
+      await sendErrorResponse(id, message, detail);
+    }
+  }
+  async function synthesizePending(message, detail) {
+    if (pendingRequests.size === 0) return;
+    const ids = [...pendingRequests.keys()];
+    for (const handle of pendingRequests.values()) clearTimeout(handle);
+    pendingRequests.clear();
+    await Promise.all(ids.map((id) => sendErrorResponse(id, message, detail)));
+  }
+  const shutdown = async (code = 0, synth) => {
+    if (!shuttingDown) {
+      shuttingDown = true;
+      setTimeout(() => process.exit(code), 2e3).unref();
+      for (const handle of pendingRequests.values()) clearTimeout(handle);
+      if (synth) {
+        await synthesizeBuffered(synth.message, synth.detail);
+        await synthesizePending(synth.message, synth.detail);
+      }
+      await http.close().catch((err) => {
+        const detail = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`[tandem mcp-stdio] http.close failed: ${detail}
+`);
+      });
+      await stdio.close().catch((err) => {
+        const detail = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`[tandem mcp-stdio] stdio.close failed: ${detail}
+`);
+      });
+    }
+    process.exit(code);
+  };
+  function deferredShutdown(synth) {
+    setTimeout(() => void shutdown(1, synth), PREFLIGHT_GRACE_MS);
+  }
+  stdio.onmessage = (msg) => {
+    if (!httpReady) {
+      preReadyBuffer.push(msg);
+      return;
+    }
+    forwardToUpstream(msg);
   };
   http.onmessage = (msg) => {
-    stdio.send(msg).catch((err) => {
+    if (shuttingDown) return;
+    const responseId = getResponseId(msg);
+    if (responseId !== void 0) {
+      const handle = pendingRequests.get(responseId);
+      if (handle !== void 0) {
+        clearTimeout(handle);
+        pendingRequests.delete(responseId);
+      }
+    }
+    const sendHandler = (err) => {
       const detail = err instanceof Error ? err.message : String(err);
-      process.stderr.write(`[tandem mcp-stdio] stdio write failed: ${detail}
-`);
-    });
+      process.stderr.write(
+        `[tandem mcp-stdio] stdio write failed for id ${responseId ?? "<notification>"}: ${detail}
+`
+      );
+      if (responseId !== void 0) {
+        void sendErrorResponse(responseId, "Tandem stdio write failed", detail);
+      }
+      void shutdown(1, {
+        message: "Tandem stdio write failed",
+        detail
+      });
+    };
+    try {
+      stdio.send(msg).catch(sendHandler);
+    } catch (err) {
+      sendHandler(err);
+    }
   };
   stdio.onerror = (err) => {
     process.stderr.write(`[tandem mcp-stdio] stdio error: ${err.message}
+${err.stack ?? ""}
 `);
   };
   http.onerror = (err) => {
-    process.stderr.write(`[tandem mcp-stdio] http error: ${err.message}
-`);
+    const cause = err.cause;
+    process.stderr.write(
+      `[tandem mcp-stdio] http error: ${err.message}
+${err.stack ?? ""}${cause !== void 0 ? `
+cause: ${cause}` : ""}
+`
+    );
   };
   stdio.onclose = () => {
     void shutdown(0);
   };
   http.onclose = () => {
-    void shutdown(0);
+    if (shuttingDown) return;
+    void shutdown(1, {
+      message: "Tandem HTTP upstream closed unexpectedly",
+      detail: "upstream connection dropped mid-session"
+    });
   };
   await stdio.start();
+  process.stdin.once("end", () => {
+    void shutdown(0);
+  });
+  const probe = await probeTandemServer({ url: baseUrl });
+  if (!probe.ok) {
+    const guidance = probe.kind === "unreachable" ? "Start the Tauri app or run `tandem start` on the host, then retry." : "The Tandem server is running but unhealthy \u2014 check the host logs.";
+    process.stderr.write(
+      `[tandem mcp-stdio] Tandem server preflight failed at ${probe.url} (${probe.reason}).
+[tandem mcp-stdio] ${guidance}
+`
+    );
+    const synthMessage = probe.kind === "unreachable" ? "Tandem server not running. Start the Tauri app or run `tandem start`." : "Tandem server unhealthy (check host logs).";
+    deferredShutdown({ message: synthMessage, detail: probe.reason });
+    return;
+  }
   try {
     await http.start();
   } catch (err) {
     const detail = err instanceof Error ? err.message : String(err);
     process.stderr.write(`[tandem mcp-stdio] upstream http start failed: ${detail}
 `);
-    await shutdown(1);
+    deferredShutdown({ message: "Tandem HTTP upstream failed to start", detail });
+    return;
   }
+  httpReady = true;
+  const buffered = preReadyBuffer.splice(0);
+  for (const msg of buffered) forwardToUpstream(msg);
 }
 function getRequestId(msg) {
   const m = msg;
@@ -376,12 +593,37 @@ function getRequestId(msg) {
   if (typeof m.id === "string" || typeof m.id === "number") return m.id;
   return void 0;
 }
+function getResponseId(msg) {
+  const m = msg;
+  if (typeof m.method === "string") return void 0;
+  if (typeof m.id === "string" || typeof m.id === "number") return m.id;
+  return void 0;
+}
+var PREFLIGHT_GRACE_MS, MAX_TIMEOUT_MS, STDIO_REQUEST_TIMEOUT_MS, VALID_TOKEN_RE2;
 var init_mcp_stdio = __esm({
   "src/cli/mcp-stdio.ts"() {
     "use strict";
     init_cli_runtime();
     init_preflight();
     redirectConsoleToStderr();
+    PREFLIGHT_GRACE_MS = 1500;
+    MAX_TIMEOUT_MS = 2147483647;
+    STDIO_REQUEST_TIMEOUT_MS = parseTimeoutMs(process.env.TANDEM_REQUEST_TIMEOUT_MS);
+    process.once("uncaughtException", (err) => {
+      process.stderr.write(
+        `[tandem mcp-stdio] uncaughtException: ${err.message}
+${err.stack ?? ""}
+`
+      );
+      process.exit(1);
+    });
+    process.once("unhandledRejection", (reason) => {
+      const detail = reason instanceof Error ? reason.message : String(reason);
+      process.stderr.write(`[tandem mcp-stdio] unhandledRejection: ${detail}
+`);
+      process.exit(1);
+    });
+    VALID_TOKEN_RE2 = /^[A-Za-z0-9_\-]{32,}$/;
   }
 });
 
@@ -513,7 +755,7 @@ async function startEventBridge(mcp, tandemUrl) {
       if (retries >= CHANNEL_MAX_RETRIES) {
         console.error("[Channel] SSE connection exhausted, reporting error and exiting");
         try {
-          await fetch(`${tandemUrl}/api/channel-error`, {
+          await authFetch(`${tandemUrl}/api/channel-error`, {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify({
@@ -536,7 +778,7 @@ async function startEventBridge(mcp, tandemUrl) {
 async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
   const headers = { Accept: "text/event-stream" };
   if (lastEventId) headers["Last-Event-ID"] = lastEventId;
-  const res = await fetch(`${tandemUrl}/api/events`, { headers });
+  const res = await authFetch(`${tandemUrl}/api/events`, { headers });
   if (!res.ok) throw new Error(`SSE endpoint returned ${res.status}`);
   if (!res.body) throw new Error("SSE endpoint returned no body");
   const reader = res.body.getReader();
@@ -547,7 +789,7 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
   let pendingAwareness = null;
   const AWARENESS_CLEAR_MS = 3e3;
   function clearAwareness(documentId) {
-    fetch(`${tandemUrl}/api/channel-awareness`, {
+    authFetch(`${tandemUrl}/api/channel-awareness`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -562,7 +804,7 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
     if (!pendingAwareness) return;
     const event = pendingAwareness;
     pendingAwareness = null;
-    fetch(`${tandemUrl}/api/channel-awareness`, {
+    authFetch(`${tandemUrl}/api/channel-awareness`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -637,7 +879,7 @@ async function getCachedMode(tandemUrl) {
   const now = Date.now();
   if (now - cachedModeAt < MODE_CACHE_TTL_MS) return cachedMode;
   try {
-    const res = await fetch(`${tandemUrl}/api/mode`);
+    const res = await authFetch(`${tandemUrl}/api/mode`);
     if (res.ok) {
       const { mode } = await res.json();
       cachedMode = mode;
@@ -659,6 +901,7 @@ var init_event_bridge = __esm({
   "src/channel/event-bridge.ts"() {
     "use strict";
     init_types();
+    init_cli_runtime();
     init_constants();
     AWARENESS_DEBOUNCE_MS = 500;
     MODE_CACHE_TTL_MS = 2e3;
@@ -726,7 +969,7 @@ async function runChannel(opts = {}) {
     if (req.params.name === "tandem_reply") {
       const args2 = req.params.arguments;
       try {
-        const res = await fetch(`${tandemUrl}/api/channel-reply`, {
+        const res = await authFetch(`${tandemUrl}/api/channel-reply`, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify(args2)
@@ -774,7 +1017,7 @@ async function runChannel(opts = {}) {
   });
   mcp.setNotificationHandler(PermissionRequestSchema, async ({ params }) => {
     try {
-      const res = await fetch(`${tandemUrl}/api/channel-permission`, {
+      const res = await authFetch(`${tandemUrl}/api/channel-permission`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
@@ -863,6 +1106,163 @@ var init_channel = __esm({
   }
 });
 
+// src/server/auth/token-store.ts
+import envPaths from "env-paths";
+import fs from "fs";
+import path from "path";
+function getTokenFilePath() {
+  return path.join(envPaths("tandem", { suffix: "" }).data, TOKEN_FILE_NAME);
+}
+async function readTokenFromFile() {
+  const filePath = getTokenFilePath();
+  try {
+    const content = await fs.promises.readFile(filePath, "utf8");
+    if (process.platform !== "win32") {
+      try {
+        const stat = await fs.promises.stat(filePath);
+        if ((stat.mode & 63) !== 0) {
+          console.error("[tandem] auth token file has insecure permissions; attempting chmod 0600");
+          await fs.promises.chmod(filePath, 384);
+        }
+      } catch {
+      }
+    }
+    const trimmed = content.trim();
+    return trimmed.length > 0 ? trimmed : null;
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+}
+var init_token_store = __esm({
+  "src/server/auth/token-store.ts"() {
+    "use strict";
+    init_constants();
+  }
+});
+
+// src/cli/rotate-token.ts
+var rotate_token_exports = {};
+__export(rotate_token_exports, {
+  rotateToken: () => rotateToken
+});
+import { createHash, randomBytes } from "crypto";
+import { promises as fsPromises } from "fs";
+import path2 from "path";
+function fingerprint(token) {
+  return createHash("sha256").update(token, "utf8").digest("hex").slice(0, 8);
+}
+function generateToken() {
+  return randomBytes(32).toString("base64url");
+}
+async function rotateToken() {
+  console.error("\n[tandem] Rotating auth token...\n");
+  if (process.env.TANDEM_AUTH_TOKEN) {
+    console.error(
+      "[tandem] Error: TANDEM_AUTH_TOKEN is set in the environment.\n  Token rotation is not supported in env-token mode (used by Tauri).\n  Unset the variable and let Tandem manage the token file, or rotate\n  via your Tauri app's token management instead."
+    );
+    process.exit(1);
+  }
+  const oldToken = await readTokenFromFile();
+  if (!oldToken) {
+    console.error(
+      "[tandem] Error: no token file found. Run `tandem setup` first to initialize the token."
+    );
+    process.exit(1);
+  }
+  const newToken = generateToken();
+  const tokenPath = getTokenFilePath();
+  const dir = path2.dirname(tokenPath);
+  const tmpPath = path2.join(dir, `.auth-token-tmp-${randomBytes(4).toString("hex")}`);
+  try {
+    await fsPromises.writeFile(tmpPath, newToken, { encoding: "utf8", mode: 384 });
+    await fsPromises.rename(tmpPath, tokenPath);
+  } catch (err) {
+    await fsPromises.unlink(tmpPath).catch(() => {
+    });
+    throw err;
+  }
+  const serverUrl = `http://localhost:${DEFAULT_MCP_PORT}`;
+  let graceWindowActive = false;
+  let serverRejected = false;
+  let serverRejectedStatus = 0;
+  try {
+    const resp = await fetch(`${serverUrl}/api/rotate-token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${oldToken}`
+      },
+      body: JSON.stringify({}),
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (resp.ok) {
+      graceWindowActive = true;
+    } else {
+      serverRejected = true;
+      serverRejectedStatus = resp.status;
+    }
+  } catch {
+    console.error(
+      "[tandem] Warning: server is not reachable. The new token is written to disk.\n  Restart the server to activate the grace window; reconnect Claude Code after."
+    );
+  }
+  let updatedCount = 0;
+  let configErrors = [];
+  try {
+    const result = await applyConfigWithToken(newToken);
+    updatedCount = result.updated;
+    configErrors = result.errors;
+  } catch (err) {
+    console.error(
+      `[tandem] Warning: failed to update MCP configs: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (serverRejected) {
+    console.error(
+      `[tandem] WARNING: server rejected the rotation request (status: ${serverRejectedStatus}).`
+    );
+    if (updatedCount > 0) {
+      console.error(
+        `  ${updatedCount} config file(s) updated to the new token, but the server still
+  holds the old token. Restart the server to complete rotation.`
+      );
+    }
+    console.error(`  Old fingerprint: ${fingerprint(oldToken)}`);
+    console.error(`  New fingerprint: ${fingerprint(newToken)}`);
+    for (const e of configErrors) {
+      console.error(`  Warning: could not update config \u2014 ${e}`);
+    }
+    console.error("");
+    return;
+  }
+  console.error("[tandem] Rotated auth token.");
+  console.error(`  Old fingerprint: ${fingerprint(oldToken)}`);
+  console.error(`  New fingerprint: ${fingerprint(newToken)}`);
+  console.error(`  Updated ${updatedCount} config file(s).`);
+  for (const e of configErrors) {
+    console.error(`  Warning: could not update config \u2014 ${e}`);
+  }
+  if (graceWindowActive) {
+    console.error(
+      "  Old token remains valid for 60 seconds; reconnect Claude Code within that window."
+    );
+  } else {
+    console.error(
+      "  Server was not running \u2014 start it with `tandem` and reconnect Claude Code with the new token."
+    );
+  }
+  console.error("");
+}
+var init_rotate_token = __esm({
+  "src/cli/rotate-token.ts"() {
+    "use strict";
+    init_token_store();
+    init_constants();
+    init_setup();
+  }
+});
+
 // src/cli/start.ts
 var start_exports = {};
 __export(start_exports, {
@@ -905,7 +1305,22 @@ var init_start = __esm({
 
 // src/cli/index.ts
 import updateNotifier from "update-notifier";
-var version = true ? "0.6.2" : "0.0.0-dev";
+process.once("uncaughtException", (err) => {
+  const msg = err instanceof Error ? err.stack ?? err.message : String(err);
+  try {
+    process.stderr.write(`[tandem cli] uncaughtException: ${msg}
+`);
+  } catch {
+  }
+  process.exit(1);
+});
+process.once("unhandledRejection", (reason) => {
+  const detail = reason instanceof Error ? reason.message : String(reason);
+  process.stderr.write(`[tandem cli] unhandledRejection: ${detail}
+`);
+  process.exit(1);
+});
+var version = true ? "0.7.0" : "0.0.0-dev";
 var args = process.argv.slice(2);
 var isStdioMode = args[0] === "mcp-stdio" || args[0] === "channel";
 if (!isStdioMode) {
@@ -919,6 +1334,7 @@ Usage:
   tandem setup                      Register MCP tools with Claude Code / Claude Desktop
   tandem setup --force              Register to default paths regardless of detection
   tandem setup --with-channel-shim  Also register the stdio channel shim (legacy opt-in)
+  tandem rotate-token               Rotate the auth token with a 60-second grace window
   tandem mcp-stdio                  Run as a stdio MCP server proxying to local HTTP
                                     (used by the plugin's Cowork bridge; requires
                                     tandem server running on the host)
@@ -946,6 +1362,9 @@ try {
   } else if (args[0] === "channel") {
     const { runChannelCli: runChannelCli2 } = await Promise.resolve().then(() => (init_channel(), channel_exports));
     await runChannelCli2();
+  } else if (args[0] === "rotate-token") {
+    const { rotateToken: rotateToken2 } = await Promise.resolve().then(() => (init_rotate_token(), rotate_token_exports));
+    await rotateToken2();
   } else if (!args[0] || args[0] === "start") {
     const { runStart: runStart2 } = await Promise.resolve().then(() => (init_start(), start_exports));
     runStart2();