tandem-editor 0.6.3 → 0.7.1

package/dist/cli/index.js

@@ -10,7 +10,7 @@ var __export = (target, all) => {
 };
 
 // src/shared/constants.ts
-var DEFAULT_MCP_PORT, MAX_FILE_SIZE, MAX_WS_PAYLOAD, IDLE_TIMEOUT, SESSION_MAX_AGE, CHANNEL_MAX_RETRIES, CHANNEL_RETRY_DELAY_MS;
+var DEFAULT_MCP_PORT, MAX_FILE_SIZE, MAX_WS_PAYLOAD, IDLE_TIMEOUT, SESSION_MAX_AGE, CHANNEL_MAX_RETRIES, CHANNEL_RETRY_DELAY_MS, TOKEN_FILE_NAME;
 var init_constants = __esm({
   "src/shared/constants.ts"() {
     "use strict";
@@ -21,6 +21,7 @@ var init_constants = __esm({
     SESSION_MAX_AGE = 30 * 24 * 60 * 60 * 1e3;
     CHANNEL_MAX_RETRIES = 5;
     CHANNEL_RETRY_DELAY_MS = 2e3;
+    TOKEN_FILE_NAME = "auth-token";
   }
 });
 
@@ -42,6 +43,7 @@ var init_skill_content = __esm({
 var setup_exports = {};
 __export(setup_exports, {
   applyConfig: () => applyConfig,
+  applyConfigWithToken: () => applyConfigWithToken,
   buildMcpEntries: () => buildMcpEntries,
   detectTargets: () => detectTargets,
   installSkill: () => installSkill,
@@ -49,20 +51,40 @@ __export(setup_exports, {
   validateChannelShimPrereq: () => validateChannelShimPrereq
 });
 import { randomUUID } from "crypto";
-import { existsSync, readFileSync as readFileSync2 } from "fs";
+import { existsSync, readdirSync, readFileSync as readFileSync2 } from "fs";
 import { copyFile, mkdir, rename, unlink, writeFile } from "fs/promises";
 import { homedir } from "os";
 import { basename, dirname as dirname2, join, resolve as resolve2 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function buildMcpEntries(channelPath, opts = {}) {
-  const entries = {
-    tandem: { type: "http", url: `${MCP_URL}/mcp` }
-  };
+  const isDesktop = opts.targetKind === "claude-desktop";
+  let tandemEntry;
+  if (isDesktop) {
+    const env = { TANDEM_URL: MCP_URL };
+    if (opts.token) {
+      env.TANDEM_AUTH_TOKEN = opts.token;
+    }
+    tandemEntry = {
+      command: "npx",
+      args: ["-y", "tandem-editor", "mcp-stdio"],
+      env
+    };
+  } else {
+    tandemEntry = { type: "http", url: `${MCP_URL}/mcp` };
+    if (opts.token) {
+      tandemEntry.headers = { Authorization: `Bearer ${opts.token}` };
+    }
+  }
+  const entries = { tandem: tandemEntry };
   if (opts.withChannelShim) {
+    const shimEnv = { TANDEM_URL: MCP_URL };
+    if (opts.token) {
+      shimEnv.TANDEM_AUTH_TOKEN = opts.token;
+    }
     entries["tandem-channel"] = {
       command: opts.nodeBinary ?? "node",
       args: [channelPath],
-      env: { TANDEM_URL: MCP_URL }
+      env: shimEnv
     };
   }
   return entries;
@@ -73,7 +95,7 @@ function detectTargets(opts = {}) {
   const claudeCodeConfig = join(home, ".claude.json");
   const claudeCodeDir = join(home, ".claude");
   if (opts.force || existsSync(claudeCodeConfig) || existsSync(claudeCodeDir)) {
-    targets.push({ label: "Claude Code", configPath: claudeCodeConfig });
+    targets.push({ label: "Claude Code", configPath: claudeCodeConfig, kind: "claude-code" });
   }
   let desktopConfig = null;
   if (process.platform === "win32") {
@@ -91,7 +113,33 @@ function detectTargets(opts = {}) {
     desktopConfig = join(home, ".config", "claude", "claude_desktop_config.json");
   }
   if (desktopConfig && (opts.force || existsSync(desktopConfig))) {
-    targets.push({ label: "Claude Desktop", configPath: desktopConfig });
+    targets.push({ label: "Claude Desktop", configPath: desktopConfig, kind: "claude-desktop" });
+  }
+  if (process.platform === "win32") {
+    const localAppData = opts.localAppDataOverride ?? process.env.LOCALAPPDATA ?? join(home, "AppData", "Local");
+    const packagesDir = join(localAppData, "Packages");
+    try {
+      const entries = readdirSync(packagesDir);
+      for (const pkg of entries.filter((n) => n.startsWith("Claude_"))) {
+        const msixConfig = join(
+          packagesDir,
+          pkg,
+          "LocalCache",
+          "Roaming",
+          "Claude",
+          "claude_desktop_config.json"
+        );
+        if (opts.force || existsSync(msixConfig)) {
+          const suffix = entries.filter((n) => n.startsWith("Claude_")).length > 1 ? ` (${pkg.slice(0, 12)}\u2026)` : "";
+          targets.push({
+            label: `Claude Desktop MSIX${suffix}`,
+            configPath: msixConfig,
+            kind: "claude-desktop"
+          });
+        }
+      }
+    } catch {
+    }
   }
   return targets;
 }
@@ -157,6 +205,25 @@ async function installSkill(opts = {}) {
 function validateChannelShimPrereq(channelPath) {
   return existsSync(channelPath);
 }
+async function applyConfigWithToken(token, opts = {}) {
+  const targets = detectTargets({ force: opts.force });
+  let updated = 0;
+  const errors = [];
+  for (const t of targets) {
+    const entries = buildMcpEntries(CHANNEL_DIST, {
+      withChannelShim: opts.withChannelShim,
+      token: token ?? void 0,
+      targetKind: t.kind
+    });
+    try {
+      await applyConfig(t.configPath, entries);
+      updated++;
+    } catch (err) {
+      errors.push(`${t.label}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  return { updated, errors };
+}
 async function runSetup(opts = {}) {
   console.error("\nTandem Setup\n");
   if (opts.withChannelShim && !validateChannelShimPrereq(CHANNEL_DIST)) {
@@ -178,9 +245,12 @@ Run 'npm run build' first, or drop --with-channel-shim to use the plugin monitor
     console.error(`  Found: ${t.label} (${t.configPath})`);
   }
   console.error("\nWriting MCP configuration...");
-  const entries = buildMcpEntries(CHANNEL_DIST, { withChannelShim: opts.withChannelShim });
   let failures = 0;
   for (const t of targets) {
+    const entries = buildMcpEntries(CHANNEL_DIST, {
+      withChannelShim: opts.withChannelShim,
+      targetKind: t.kind
+    });
     try {
       await applyConfig(t.configPath, entries);
       console.error(`  \x1B[32m\u2713\x1B[0m ${t.label}`);
@@ -249,10 +319,30 @@ function resolveTandemUrl(override) {
   const raw = override ?? process.env.TANDEM_URL ?? `http://localhost:${DEFAULT_MCP_PORT}`;
   return raw.replace(/\/$/, "");
 }
+async function authFetch(url, init) {
+  const token = process.env.TANDEM_AUTH_TOKEN;
+  if (token !== void 0 && token.trim() !== "") {
+    if (VALID_TOKEN_RE.test(token.trim())) {
+      const headers = new Headers(init?.headers);
+      headers.set("Authorization", `Bearer ${token.trim()}`);
+      return fetch(url, { ...init, headers });
+    }
+    if (!_warnedInvalidToken) {
+      _warnedInvalidToken = true;
+      console.error(
+        "[tandem] authFetch: TANDEM_AUTH_TOKEN is set but invalid (must be 32+ alphanumeric chars [A-Za-z0-9_-]); sending without Authorization header"
+      );
+    }
+  }
+  return fetch(url, init);
+}
+var VALID_TOKEN_RE, _warnedInvalidToken;
 var init_cli_runtime = __esm({
   "src/shared/cli-runtime.ts"() {
     "use strict";
     init_constants();
+    VALID_TOKEN_RE = /^[A-Za-z0-9_\-]{32,}$/;
+    _warnedInvalidToken = false;
   }
 });
 
@@ -310,15 +400,52 @@ var mcp_stdio_exports = {};
 __export(mcp_stdio_exports, {
   getRequestId: () => getRequestId,
   getResponseId: () => getResponseId,
+  parseTimeoutMs: () => parseTimeoutMs,
+  readAndValidateAuthToken: () => readAndValidateAuthToken,
   runMcpStdio: () => runMcpStdio
 });
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+function parseTimeoutMs(raw) {
+  if (raw !== void 0) {
+    const parsed = parseInt(raw, 10);
+    if (Number.isFinite(parsed) && parsed > 0 && parsed <= MAX_TIMEOUT_MS) {
+      return parsed;
+    }
+    process.stderr.write(
+      `[tandem mcp-stdio] TANDEM_REQUEST_TIMEOUT_MS must be a positive integer \u2264 ${MAX_TIMEOUT_MS}; ignoring "${raw}", using 30000ms default
+`
+    );
+  }
+  return 3e4;
+}
+function readAndValidateAuthToken() {
+  const raw = process.env.TANDEM_AUTH_TOKEN;
+  if (raw === void 0) return null;
+  const trimmed = raw.trim();
+  if (trimmed === "") return null;
+  if (trimmed.startsWith("Bearer ")) {
+    process.stderr.write(
+      "[tandem mcp-stdio] TANDEM_AUTH_TOKEN is invalid (double-prefix: do not include 'Bearer ' prefix \u2014 supply the raw token only)\n"
+    );
+    process.exit(1);
+  }
+  if (!VALID_TOKEN_RE2.test(trimmed)) {
+    process.stderr.write(
+      "[tandem mcp-stdio] TANDEM_AUTH_TOKEN is malformed (must be 32+ URL-safe characters: [A-Za-z0-9_-])\n"
+    );
+    process.exit(1);
+  }
+  return trimmed;
+}
 async function runMcpStdio() {
   const baseUrl = resolveTandemUrl();
-  const http = new StreamableHTTPClientTransport(new URL(`${baseUrl}/mcp`));
+  const authToken = readAndValidateAuthToken();
+  const http = new StreamableHTTPClientTransport(new URL(`${baseUrl}/mcp`), {
+    requestInit: authToken ? { headers: { Authorization: `Bearer ${authToken}` } } : void 0
+  });
   const stdio = new StdioServerTransport();
-  const pendingIds = /* @__PURE__ */ new Set();
+  const pendingRequests = /* @__PURE__ */ new Map();
   const preReadyBuffer = [];
   let shuttingDown = false;
   let httpReady = false;
@@ -346,14 +473,32 @@ async function runMcpStdio() {
     }
   }
   function forwardToUpstream(msg) {
+    if (shuttingDown) return;
     const requestId = getRequestId(msg);
-    if (requestId !== void 0) pendingIds.add(requestId);
+    if (requestId !== void 0) {
+      const existing = pendingRequests.get(requestId);
+      if (existing) clearTimeout(existing);
+      const timeoutHandle = setTimeout(() => {
+        if (!pendingRequests.delete(requestId)) return;
+        void sendErrorResponse(
+          requestId,
+          "Tandem HTTP upstream not responding (half-open)",
+          `No response after ${STDIO_REQUEST_TIMEOUT_MS}ms`
+        );
+      }, STDIO_REQUEST_TIMEOUT_MS);
+      pendingRequests.set(requestId, timeoutHandle);
+    }
     http.send(msg).catch((err) => {
       const detail = err instanceof Error ? err.message : String(err);
       process.stderr.write(`[tandem mcp-stdio] upstream send failed: ${detail}
 `);
-      if (requestId !== void 0 && pendingIds.delete(requestId)) {
-        void sendErrorResponse(requestId, "Tandem HTTP upstream unreachable", detail);
+      if (requestId !== void 0) {
+        const handle = pendingRequests.get(requestId);
+        if (handle !== void 0) {
+          pendingRequests.delete(requestId);
+          clearTimeout(handle);
+          void sendErrorResponse(requestId, "Tandem HTTP upstream unreachable", detail);
+        }
       }
     });
   }
@@ -365,14 +510,17 @@ async function runMcpStdio() {
     }
   }
   async function synthesizePending(message, detail) {
-    if (pendingIds.size === 0) return;
-    const ids = [...pendingIds];
-    pendingIds.clear();
+    if (pendingRequests.size === 0) return;
+    const ids = [...pendingRequests.keys()];
+    for (const handle of pendingRequests.values()) clearTimeout(handle);
+    pendingRequests.clear();
     await Promise.all(ids.map((id) => sendErrorResponse(id, message, detail)));
   }
   const shutdown = async (code = 0, synth) => {
     if (!shuttingDown) {
       shuttingDown = true;
+      setTimeout(() => process.exit(code), 2e3).unref();
+      for (const handle of pendingRequests.values()) clearTimeout(handle);
       if (synth) {
         await synthesizeBuffered(synth.message, synth.detail);
         await synthesizePending(synth.message, synth.detail);
@@ -401,23 +549,34 @@ async function runMcpStdio() {
     forwardToUpstream(msg);
   };
   http.onmessage = (msg) => {
+    if (shuttingDown) return;
     const responseId = getResponseId(msg);
-    stdio.send(msg).then(
-      () => {
-        if (responseId !== void 0) pendingIds.delete(responseId);
-      },
-      (err) => {
-        const detail = err instanceof Error ? err.message : String(err);
-        process.stderr.write(
-          `[tandem mcp-stdio] stdio write failed for id ${responseId ?? "<notification>"}: ${detail}
+    if (responseId !== void 0) {
+      const handle = pendingRequests.get(responseId);
+      if (handle !== void 0) {
+        clearTimeout(handle);
+        pendingRequests.delete(responseId);
+      }
+    }
+    const sendHandler = (err) => {
+      const detail = err instanceof Error ? err.message : String(err);
+      process.stderr.write(
+        `[tandem mcp-stdio] stdio write failed for id ${responseId ?? "<notification>"}: ${detail}
 `
-        );
-        void shutdown(1, {
-          message: "Tandem stdio write failed",
-          detail
-        });
+      );
+      if (responseId !== void 0) {
+        void sendErrorResponse(responseId, "Tandem stdio write failed", detail);
       }
-    );
+      void shutdown(1, {
+        message: "Tandem stdio write failed",
+        detail
+      });
+    };
+    try {
+      stdio.send(msg).catch(sendHandler);
+    } catch (err) {
+      sendHandler(err);
+    }
   };
   stdio.onerror = (err) => {
     process.stderr.write(`[tandem mcp-stdio] stdio error: ${err.message}
@@ -444,6 +603,9 @@ cause: ${cause}` : ""}
     });
   };
   await stdio.start();
+  process.stdin.once("end", () => {
+    void shutdown(0);
+  });
   const probe = await probeTandemServer({ url: baseUrl });
   if (!probe.ok) {
     const guidance = probe.kind === "unreachable" ? "Start the Tauri app or run `tandem start` on the host, then retry." : "The Tandem server is running but unhealthy \u2014 check the host logs.";
@@ -481,7 +643,7 @@ function getResponseId(msg) {
   if (typeof m.id === "string" || typeof m.id === "number") return m.id;
   return void 0;
 }
-var PREFLIGHT_GRACE_MS;
+var PREFLIGHT_GRACE_MS, MAX_TIMEOUT_MS, STDIO_REQUEST_TIMEOUT_MS, VALID_TOKEN_RE2;
 var init_mcp_stdio = __esm({
   "src/cli/mcp-stdio.ts"() {
     "use strict";
@@ -489,6 +651,8 @@ var init_mcp_stdio = __esm({
     init_preflight();
     redirectConsoleToStderr();
     PREFLIGHT_GRACE_MS = 1500;
+    MAX_TIMEOUT_MS = 2147483647;
+    STDIO_REQUEST_TIMEOUT_MS = parseTimeoutMs(process.env.TANDEM_REQUEST_TIMEOUT_MS);
     process.once("uncaughtException", (err) => {
       process.stderr.write(
         `[tandem mcp-stdio] uncaughtException: ${err.message}
@@ -503,6 +667,7 @@ ${err.stack ?? ""}
 `);
       process.exit(1);
     });
+    VALID_TOKEN_RE2 = /^[A-Za-z0-9_\-]{32,}$/;
   }
 });
 
@@ -634,7 +799,7 @@ async function startEventBridge(mcp, tandemUrl) {
       if (retries >= CHANNEL_MAX_RETRIES) {
         console.error("[Channel] SSE connection exhausted, reporting error and exiting");
         try {
-          await fetch(`${tandemUrl}/api/channel-error`, {
+          await authFetch(`${tandemUrl}/api/channel-error`, {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify({
@@ -657,7 +822,7 @@ async function startEventBridge(mcp, tandemUrl) {
 async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
   const headers = { Accept: "text/event-stream" };
   if (lastEventId) headers["Last-Event-ID"] = lastEventId;
-  const res = await fetch(`${tandemUrl}/api/events`, { headers });
+  const res = await authFetch(`${tandemUrl}/api/events`, { headers });
   if (!res.ok) throw new Error(`SSE endpoint returned ${res.status}`);
   if (!res.body) throw new Error("SSE endpoint returned no body");
   const reader = res.body.getReader();
@@ -668,7 +833,7 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
   let pendingAwareness = null;
   const AWARENESS_CLEAR_MS = 3e3;
   function clearAwareness(documentId) {
-    fetch(`${tandemUrl}/api/channel-awareness`, {
+    authFetch(`${tandemUrl}/api/channel-awareness`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -683,7 +848,7 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
     if (!pendingAwareness) return;
     const event = pendingAwareness;
     pendingAwareness = null;
-    fetch(`${tandemUrl}/api/channel-awareness`, {
+    authFetch(`${tandemUrl}/api/channel-awareness`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
@@ -758,7 +923,7 @@ async function getCachedMode(tandemUrl) {
   const now = Date.now();
   if (now - cachedModeAt < MODE_CACHE_TTL_MS) return cachedMode;
   try {
-    const res = await fetch(`${tandemUrl}/api/mode`);
+    const res = await authFetch(`${tandemUrl}/api/mode`);
     if (res.ok) {
       const { mode } = await res.json();
       cachedMode = mode;
@@ -780,6 +945,7 @@ var init_event_bridge = __esm({
   "src/channel/event-bridge.ts"() {
     "use strict";
     init_types();
+    init_cli_runtime();
     init_constants();
     AWARENESS_DEBOUNCE_MS = 500;
     MODE_CACHE_TTL_MS = 2e3;
@@ -847,7 +1013,7 @@ async function runChannel(opts = {}) {
     if (req.params.name === "tandem_reply") {
       const args2 = req.params.arguments;
       try {
-        const res = await fetch(`${tandemUrl}/api/channel-reply`, {
+        const res = await authFetch(`${tandemUrl}/api/channel-reply`, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify(args2)
@@ -895,7 +1061,7 @@ async function runChannel(opts = {}) {
   });
   mcp.setNotificationHandler(PermissionRequestSchema, async ({ params }) => {
     try {
-      const res = await fetch(`${tandemUrl}/api/channel-permission`, {
+      const res = await authFetch(`${tandemUrl}/api/channel-permission`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
@@ -984,6 +1150,163 @@ var init_channel = __esm({
   }
 });
 
+// src/server/auth/token-store.ts
+import envPaths from "env-paths";
+import fs from "fs";
+import path from "path";
+function getTokenFilePath() {
+  return path.join(envPaths("tandem", { suffix: "" }).data, TOKEN_FILE_NAME);
+}
+async function readTokenFromFile() {
+  const filePath = getTokenFilePath();
+  try {
+    const content = await fs.promises.readFile(filePath, "utf8");
+    if (process.platform !== "win32") {
+      try {
+        const stat = await fs.promises.stat(filePath);
+        if ((stat.mode & 63) !== 0) {
+          console.error("[tandem] auth token file has insecure permissions; attempting chmod 0600");
+          await fs.promises.chmod(filePath, 384);
+        }
+      } catch {
+      }
+    }
+    const trimmed = content.trim();
+    return trimmed.length > 0 ? trimmed : null;
+  } catch (err) {
+    if (err.code === "ENOENT") return null;
+    throw err;
+  }
+}
+var init_token_store = __esm({
+  "src/server/auth/token-store.ts"() {
+    "use strict";
+    init_constants();
+  }
+});
+
+// src/cli/rotate-token.ts
+var rotate_token_exports = {};
+__export(rotate_token_exports, {
+  rotateToken: () => rotateToken
+});
+import { createHash, randomBytes } from "crypto";
+import { promises as fsPromises } from "fs";
+import path2 from "path";
+function fingerprint(token) {
+  return createHash("sha256").update(token, "utf8").digest("hex").slice(0, 8);
+}
+function generateToken() {
+  return randomBytes(32).toString("base64url");
+}
+async function rotateToken() {
+  console.error("\n[tandem] Rotating auth token...\n");
+  if (process.env.TANDEM_AUTH_TOKEN) {
+    console.error(
+      "[tandem] Error: TANDEM_AUTH_TOKEN is set in the environment.\n  Token rotation is not supported in env-token mode (used by Tauri).\n  Unset the variable and let Tandem manage the token file, or rotate\n  via your Tauri app's token management instead."
+    );
+    process.exit(1);
+  }
+  const oldToken = await readTokenFromFile();
+  if (!oldToken) {
+    console.error(
+      "[tandem] Error: no token file found. Run `tandem setup` first to initialize the token."
+    );
+    process.exit(1);
+  }
+  const newToken = generateToken();
+  const tokenPath = getTokenFilePath();
+  const dir = path2.dirname(tokenPath);
+  const tmpPath = path2.join(dir, `.auth-token-tmp-${randomBytes(4).toString("hex")}`);
+  try {
+    await fsPromises.writeFile(tmpPath, newToken, { encoding: "utf8", mode: 384 });
+    await fsPromises.rename(tmpPath, tokenPath);
+  } catch (err) {
+    await fsPromises.unlink(tmpPath).catch(() => {
+    });
+    throw err;
+  }
+  const serverUrl = `http://localhost:${DEFAULT_MCP_PORT}`;
+  let graceWindowActive = false;
+  let serverRejected = false;
+  let serverRejectedStatus = 0;
+  try {
+    const resp = await fetch(`${serverUrl}/api/rotate-token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${oldToken}`
+      },
+      body: JSON.stringify({}),
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (resp.ok) {
+      graceWindowActive = true;
+    } else {
+      serverRejected = true;
+      serverRejectedStatus = resp.status;
+    }
+  } catch {
+    console.error(
+      "[tandem] Warning: server is not reachable. The new token is written to disk.\n  Restart the server to activate the grace window; reconnect Claude Code after."
+    );
+  }
+  let updatedCount = 0;
+  let configErrors = [];
+  try {
+    const result = await applyConfigWithToken(newToken);
+    updatedCount = result.updated;
+    configErrors = result.errors;
+  } catch (err) {
+    console.error(
+      `[tandem] Warning: failed to update MCP configs: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (serverRejected) {
+    console.error(
+      `[tandem] WARNING: server rejected the rotation request (status: ${serverRejectedStatus}).`
+    );
+    if (updatedCount > 0) {
+      console.error(
+        `  ${updatedCount} config file(s) updated to the new token, but the server still
+  holds the old token. Restart the server to complete rotation.`
+      );
+    }
+    console.error(`  Old fingerprint: ${fingerprint(oldToken)}`);
+    console.error(`  New fingerprint: ${fingerprint(newToken)}`);
+    for (const e of configErrors) {
+      console.error(`  Warning: could not update config \u2014 ${e}`);
+    }
+    console.error("");
+    return;
+  }
+  console.error("[tandem] Rotated auth token.");
+  console.error(`  Old fingerprint: ${fingerprint(oldToken)}`);
+  console.error(`  New fingerprint: ${fingerprint(newToken)}`);
+  console.error(`  Updated ${updatedCount} config file(s).`);
+  for (const e of configErrors) {
+    console.error(`  Warning: could not update config \u2014 ${e}`);
+  }
+  if (graceWindowActive) {
+    console.error(
+      "  Old token remains valid for 60 seconds; reconnect Claude Code within that window."
+    );
+  } else {
+    console.error(
+      "  Server was not running \u2014 start it with `tandem` and reconnect Claude Code with the new token."
+    );
+  }
+  console.error("");
+}
+var init_rotate_token = __esm({
+  "src/cli/rotate-token.ts"() {
+    "use strict";
+    init_token_store();
+    init_constants();
+    init_setup();
+  }
+});
+
 // src/cli/start.ts
 var start_exports = {};
 __export(start_exports, {
@@ -1026,7 +1349,22 @@ var init_start = __esm({
 
 // src/cli/index.ts
 import updateNotifier from "update-notifier";
-var version = true ? "0.6.3" : "0.0.0-dev";
+process.once("uncaughtException", (err) => {
+  const msg = err instanceof Error ? err.stack ?? err.message : String(err);
+  try {
+    process.stderr.write(`[tandem cli] uncaughtException: ${msg}
+`);
+  } catch {
+  }
+  process.exit(1);
+});
+process.once("unhandledRejection", (reason) => {
+  const detail = reason instanceof Error ? reason.message : String(reason);
+  process.stderr.write(`[tandem cli] unhandledRejection: ${detail}
+`);
+  process.exit(1);
+});
+var version = true ? "0.7.1" : "0.0.0-dev";
 var args = process.argv.slice(2);
 var isStdioMode = args[0] === "mcp-stdio" || args[0] === "channel";
 if (!isStdioMode) {
@@ -1040,6 +1378,7 @@ Usage:
   tandem setup                      Register MCP tools with Claude Code / Claude Desktop
   tandem setup --force              Register to default paths regardless of detection
   tandem setup --with-channel-shim  Also register the stdio channel shim (legacy opt-in)
+  tandem rotate-token               Rotate the auth token with a 60-second grace window
   tandem mcp-stdio                  Run as a stdio MCP server proxying to local HTTP
                                     (used by the plugin's Cowork bridge; requires
                                     tandem server running on the host)
@@ -1067,6 +1406,9 @@ try {
   } else if (args[0] === "channel") {
     const { runChannelCli: runChannelCli2 } = await Promise.resolve().then(() => (init_channel(), channel_exports));
     await runChannelCli2();
+  } else if (args[0] === "rotate-token") {
+    const { rotateToken: rotateToken2 } = await Promise.resolve().then(() => (init_rotate_token(), rotate_token_exports));
+    await rotateToken2();
   } else if (!args[0] || args[0] === "start") {
     const { runStart: runStart2 } = await Promise.resolve().then(() => (init_start(), start_exports));
     runStart2();