@gavdi/cap-mcp 0.9.9-alpha.3 → 0.9.9

package/README.md

@@ -550,24 +550,7 @@ npm test -- --testPathPattern=integration
 ## 🚨 Performance & Limitations
 
 ### Known Limitations
-
-#### No Interactive Authentication Support
-**The plugin currently does NOT support interactive OAuth flows** that allow end-users to log in through MCP clients like Claude Desktop, Cursor, or other consumer MCP applications.
-
-**What this means:**
-- ✅ Works with custom MCP clients that can inject pre-obtained bearer tokens
-- ✅ Works in development with `dummy` authentication  
-- ❌ **Does NOT work with Claude Desktop, Cursor, or similar clients expecting OAuth login flows**
-- ❌ End-users cannot authenticate interactively when connecting
-
-**Technical Context:** This limitation exists due to architectural constraints in the current Model Context Protocol SDK. The MCP community is actively working on a solution that would enable proper interactive authentication flows, but no timeline has been announced. This is expected to be resolved in the second half of 2025.
-
-**Workarounds:**
-- **For Development**: Use `"auth": { "kind": "dummy" }` in your CAP configuration
-- **For Production**: Custom MCP clients must obtain valid bearer tokens through your CAP application's existing authentication flow and include them in requests as `Authorization: Bearer <token>`
-
-#### SDK Bug
-- **Dynamic Resource Queries**: Require all query parameters due to `@modelcontextprotocol/sdk` RFC template string issue
+- **SDK Bug**: Dynamic resource queries require all query parameters due to `@modelcontextprotocol/sdk` RFC template string issue
 
 ### Performance Considerations
 - **Large Datasets**: Use `resource: ['top']` or similar constraints for entities with many records

package/lib/auth/handler.js

@@ -2,11 +2,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.authHandlerFactory = authHandlerFactory;
 exports.errorHandlerFactory = errorHandlerFactory;
-const logger_1 = require("../logger");
 /** JSON-RPC 2.0 error code for unauthorized requests */
 const RPC_UNAUTHORIZED = 10;
-/** HTTP Authenticate header **/
-const WWW_AUTHENTICATE = "WWW-Authenticate";
 /* @ts-ignore */
 const cds = global.cds || require("@sap/cds"); // This is a work around for missing cds context
 /**
@@ -34,15 +31,9 @@ const cds = global.cds || require("@sap/cds"); // This is a work around for miss
  * @throws {500} When CAP context is not properly loaded
  */
 function authHandlerFactory() {
+    const authKind = cds.env.requires.auth.kind;
     return (req, res, next) => {
-        const auth = cds.env.requires.auth;
-        const authKind = auth.kind;
-        const credentials = auth.credentials;
         if (!req.headers.authorization && authKind !== "dummy") {
-            logger_1.LOGGER.warn("No valid authorization header provided");
-            // We need to return a WWW-Authenticate response header here with .well-known metadata
-            // Otherwise the MCP client will not be able to figure out the auth flow
-            res.setHeader(WWW_AUTHENTICATE, `Bearer error='"invalid_token", resource_metadata="${credentials?.url}/.well-known/oauth-protected-resource"`);
             res.status(401).json({
                 jsonrpc: "2.0",
                 error: {
@@ -67,9 +58,6 @@ function authHandlerFactory() {
         }
         const user = ctx.user;
         if (!user || user === cds.User.anonymous) {
-            // We need to return a WWW-Authenticate response header here with .well-known metadata
-            // Otherwise the MCP client will not be able to figure out the auth flow
-            res.setHeader(WWW_AUTHENTICATE, `Bearer error='"invalid_token", resource_metadata="${credentials?.url}/.well-known/oauth-protected-resource"`);
             res.status(401).json({
                 jsonrpc: "2.0",
                 error: {

package/lib/auth/utils.js

@@ -6,10 +6,30 @@ exports.registerAuthMiddleware = registerAuthMiddleware;
 exports.hasToolOperationAccess = hasToolOperationAccess;
 exports.getWrapAccesses = getWrapAccesses;
 const handler_1 = require("./handler");
+const proxyProvider_js_1 = require("@modelcontextprotocol/sdk/server/auth/providers/proxyProvider.js");
 const router_js_1 = require("@modelcontextprotocol/sdk/server/auth/router.js");
-const logger_1 = require("../logger");
+/**
+ * @fileoverview Authentication utilities for MCP-CAP integration.
+ *
+ * This module provides utilities for integrating CAP authentication with MCP servers.
+ * It supports all standard CAP authentication types and provides functions for:
+ * - Determining authentication status
+ * - Managing user access rights
+ * - Registering authentication middleware
+ *
+ * Supported CAP authentication types:
+ * - 'dummy': No authentication (privileged access)
+ * - 'mocked': Mock users with predefined credentials
+ * - 'basic': HTTP Basic Authentication
+ * - 'jwt': Generic JWT token validation
+ * - 'xsuaa': SAP BTP XSUAA OAuth2/JWT authentication
+ * - 'ias': SAP Identity Authentication Service
+ * - Custom string types for user-defined authentication strategies
+ *
+ * Access CAP auth configuration via: cds.env.requires.auth.kind
+ */
 /* @ts-ignore */
-const cds = global.cds || require("@sap/cds"); // Use hosting app's CDS instance exclusively
+const cds = global.cds || require("@sap/cds"); // This is a work around for missing cds context
 /**
  * Determines whether authentication is enabled for the MCP plugin.
  *
@@ -97,8 +117,7 @@ function getAccessRights(authEnabled) {
  * @since 1.0.0
  */
 function registerAuthMiddleware(expressApp) {
-    logger_1.LOGGER.debug("Configuring auth middleware");
-    const middlewares = cds.middlewares?.before || []; // Handle missing middlewares gracefully
+    const middlewares = cds.middlewares.before; // No types exists for this part of the CDS library
     // Build array of auth middleware to apply
     const authMiddleware = [];
     // Add CAP middleware
@@ -113,10 +132,8 @@ function registerAuthMiddleware(expressApp) {
     authMiddleware.push((0, handler_1.authHandlerFactory)());
     // Apply auth middleware to all /mcp routes EXCEPT health
     expressApp?.use(/^\/mcp(?!\/health).*/, ...authMiddleware);
-    // Note: .well-known/oauth-authorization-server endpoint is automatically created by mcpAuthRouter
-    // Configure OAuth proxy for enterprise authentication scenarios
+    // Then finally we add the oauth proxy to the xsuaa instance
     configureOAuthProxy(expressApp);
-    logger_1.LOGGER.debug("Auth middleware configured");
 }
 /**
  * Configures OAuth proxy middleware for enterprise authentication scenarios.
@@ -129,7 +146,6 @@ function registerAuthMiddleware(expressApp) {
  * - Access token verification and validation
  * - Client credential management
  * - Integration with CAP authentication configuration
- * - Dynamic client registration for MCP clients
  *
  * The OAuth proxy is only configured for enterprise authentication types
  * (jwt, xsuaa, ias) and skips configuration for basic auth types.
@@ -159,86 +175,42 @@ function configureOAuthProxy(expressApp) {
     const config = cds.env.requires.auth;
     const kind = config.kind;
     const credentials = config.credentials;
-    logger_1.LOGGER.debug("Running auth with configuration kind", kind);
     // Safety guard - skip OAuth proxy for basic auth types
-    if (kind === "dummy" || kind === "mocked" || kind === "basic") {
-        logger_1.LOGGER.debug("Skipping OAuth proxy for auth type:", kind);
+    if (kind === "dummy" || kind === "mocked" || kind === "basic")
         return;
-    }
-    if (!credentials ||
+    else if (!credentials ||
         !credentials.clientid ||
         !credentials.clientsecret ||
         !credentials.url) {
-        logger_1.LOGGER.warn("OAuth proxy skipped - missing required XSUAA credentials");
-        return; // Don't throw error, just skip OAuth proxy
+        throw new Error("Invalid security credentials");
     }
-    logger_1.LOGGER.debug("Configuring OAuth proxy with XSUAA endpoints");
-    const baseUrl = process.env.MCP_BASE_URL ||
-        process.env.MCP_SERVER_URL ||
-        "http://localhost:4004";
-    // const proxyProvider = new ProxyOAuthServerProvider({
-    //   endpoints: {
-    //     authorizationUrl: `${credentials.url}/oauth/authorize`,
-    //     tokenUrl: `${credentials.url}/oauth/token`,
-    //     revocationUrl: `${credentials.url}/oauth/revoke`,
-    //   },
-    //   verifyAccessToken: async (token: string) => {
-    //     try {
-    //       LOGGER.debug("OAuth proxy: verifyAccessToken called");
-    //
-    //       // Use CAP's built-in JWT verification for XSUAA
-    //       const decoded = await cds.auth.jwt.verify(token);
-    //       LOGGER.debug(
-    //         "Token decoded successfully for client:",
-    //         decoded.client_id || decoded.azp,
-    //       );
-    //
-    //       return {
-    //         token,
-    //         clientId: decoded.client_id || decoded.azp,
-    //         scopes: decoded.scope?.split(" ") || [],
-    //         userId: decoded.sub,
-    //         expiresAt: decoded.exp, // Unix timestamp, not Date object
-    //       };
-    //     } catch (error) {
-    //       LOGGER.error("Token verification failed:", error);
-    //       throw new Error("Invalid access token");
-    //     }
-    //   },
-    //   getClient: async (client_id: string) => {
-    //     LOGGER.debug("OAuth proxy: Dynamic client registration requested");
-    //
-    //     return {
-    //       client_secret: credentials.clientsecret as string,
-    //       client_id,
-    //       redirect_uris: [
-    //         `${baseUrl}/oauth/callback`,
-    //         `${baseUrl}/mcp/oauth/callback`,
-    //         "http://localhost:3000/callback", // Claude Desktop default
-    //         "http://localhost:3000/auth/callback", // Alternative format
-    //       ],
-    //     };
-    //   },
-    // });
-    expressApp.use((0, router_js_1.mcpAuthMetadataRouter)({
-        oauthMetadata: {
-            issuer: credentials.url,
-            authorization_endpoint: `${credentials.url}/oauth/authorize`,
-            token_endpoint: `${credentials.url}/oauth/token`,
-            response_types_supported: ["code", "token"],
-            grant_types_supported: [
-                "authorization_code",
-                "client_credentials",
-                "urn:ietf:params:oauth:grant-type:jwt-bearer",
-                "refresh_token"
-            ],
-            token_endpoint_auth_methods_supported: ["client_secret_post", "client_secret_basic"],
-            code_challenge_methods_supported: ["S256"]
+    const proxyProvider = new proxyProvider_js_1.ProxyOAuthServerProvider({
+        endpoints: {
+            authorizationUrl: `${credentials.url}/oauth/authorize`,
+            tokenUrl: `${credentials.url}/oauth/token`,
+            revocationUrl: `${credentials.url}/oauth/revoke`,
+        },
+        verifyAccessToken: async (token) => {
+            return {
+                token,
+                clientId: credentials.clientid,
+                scopes: ["uaa.resource"],
+            };
         },
+        getClient: async (client_id) => {
+            return {
+                client_secret: credentials.clientsecret,
+                client_id,
+                redirect_uris: ["http://localhost:3000/callback"], // Temporary value for now
+            };
+        },
+    });
+    expressApp.use((0, router_js_1.mcpAuthRouter)({
+        provider: proxyProvider,
+        issuerUrl: new URL(credentials.url),
+        //baseUrl: new URL(""), // I have left this out for the time being due to the defaulting to issuer
         serviceDocumentationUrl: new URL("https://docs.cloudfoundry.org/api/uaa/version/77.34.0/index.html#authorization"),
-        resourceServerUrl: new URL(baseUrl),
     }));
-    logger_1.LOGGER.info("OAuth proxy configured successfully for XSUAA integration");
 }
 /**
  * Checks whether the requesting user's access matches that of the roles required

package/lib/mcp/describe-model.js

@@ -61,7 +61,11 @@ function registerDescribeModelTool(server) {
             }));
             const keys = elements.filter((e) => e.key).map((e) => e.name);
             const sampleTop = 5;
-            const shortFields = elements.slice(0, 5).map((e) => e.name);
+            // Prefer scalar fields for sample selects; exclude associations
+            const scalarFields = elements
+                .filter((e) => String(e.type).toLowerCase() !== "cds.association")
+                .map((e) => e.name);
+            const shortFields = scalarFields.slice(0, 5);
             // Match wrapper tool naming: Service_Entity_mode
             const entName = String(ent?.name || "entity");
             const svcPart = service || entName.split(".")[0] || "Service";
@@ -75,7 +79,7 @@ function registerDescribeModelTool(server) {
                 fields: elements,
                 usage: {
                     rationale: "Entity wrapper tools expose CRUD-like operations for LLMs. Prefer query/get globally; create/update must be explicitly enabled by the developer.",
-                    guidance: "Use the *_query tool for retrieval with filters and projections; use *_get with keys for a single record; use *_create/*_update only if enabled and necessary.",
+                    guidance: "Use the *_query tool for retrieval with filters and projections. All fields in select/where are consistent. For associations, use foreign key fields (e.g., author_ID not author). Use *_get with keys for a single record; use *_create/*_update only if enabled and necessary.",
                 },
                 examples: {
                     list_tool: listName,

package/lib/mcp/entity-tools.js

@@ -61,6 +61,45 @@ async function resolveServiceInstance(serviceName) {
 // NOTE: We use plain entity names (service projection) for queries.
 const MAX_TOP = 200;
 const TIMEOUT_MS = 10_000; // Standard timeout for tool calls (ms)
+// Map OData operators to CDS/SQL operators for better performance and readability
+const ODATA_TO_CDS_OPERATORS = new Map([
+    ["eq", "="],
+    ["ne", "!="],
+    ["gt", ">"],
+    ["ge", ">="],
+    ["lt", "<"],
+    ["le", "<="],
+]);
+/**
+ * Builds enhanced query tool description with field types and association examples
+ */
+function buildEnhancedQueryDescription(resAnno) {
+    const associations = Array.from(resAnno.properties.entries())
+        .filter(([, cdsType]) => String(cdsType).toLowerCase().includes("association"))
+        .map(([name]) => `${name}_ID`);
+    const baseDesc = `Query ${resAnno.target} with structured filters, select, orderby, top/skip.`;
+    const assocHint = associations.length > 0
+        ? ` IMPORTANT: For associations, always use foreign key fields (${associations.join(", ")}) - never use association names directly.`
+        : "";
+    return baseDesc + assocHint;
+}
+/**
+ * Builds field documentation for schema descriptions
+ */
+function buildFieldDocumentation(resAnno) {
+    const docs = [];
+    for (const [propName, cdsType] of resAnno.properties.entries()) {
+        const isAssociation = String(cdsType).toLowerCase().includes("association");
+        if (isAssociation) {
+            docs.push(`${propName}(association: compare by key value)`);
+            docs.push(`${propName}_ID(foreign key for ${propName})`);
+        }
+        else {
+            docs.push(`${propName}(${String(cdsType).toLowerCase()})`);
+        }
+    }
+    return docs.join(", ");
+}
 /**
  * Registers CRUD-like MCP tools for an annotated entity (resource).
  * Modes can be controlled globally via configuration and per-entity via @mcp.wrap.
@@ -115,9 +154,27 @@ function nameFor(service, entity, suffix) {
 function registerQueryTool(resAnno, server, authEnabled) {
     const toolName = nameFor(resAnno.serviceName, resAnno.target, "query");
     // Structured input schema for queries with guard for empty property lists
-    const propKeys = Array.from(resAnno.properties.keys());
-    const fieldEnum = (propKeys.length
-        ? zod_1.z.enum(propKeys)
+    const allKeys = Array.from(resAnno.properties.keys());
+    const scalarKeys = Array.from(resAnno.properties.entries())
+        .filter(([, cdsType]) => !String(cdsType).toLowerCase().includes("association"))
+        .map(([name]) => name);
+    // Add foreign key fields for associations to scalar keys for select/orderby
+    for (const [propName, cdsType] of resAnno.properties.entries()) {
+        const isAssociation = String(cdsType).toLowerCase().includes("association");
+        if (isAssociation) {
+            scalarKeys.push(`${propName}_ID`);
+        }
+    }
+    // Build where field enum: use same fields as select (scalar + foreign keys)
+    // This ensures consistency - what you can select, you can filter by
+    const whereKeys = [...scalarKeys];
+    const whereFieldEnum = (whereKeys.length
+        ? zod_1.z.enum(whereKeys)
+        : zod_1.z
+            .enum(["__dummy__"])
+            .transform(() => "__dummy__"));
+    const selectFieldEnum = (scalarKeys.length
+        ? zod_1.z.enum(scalarKeys)
         : zod_1.z
             .enum(["__dummy__"])
             .transform(() => "__dummy__"));
@@ -131,16 +188,21 @@ function registerQueryTool(resAnno, server, authEnabled) {
             .default(25)
             .describe("Rows (default 25)"),
         skip: zod_1.z.number().int().min(0).default(0).describe("Offset"),
-        select: zod_1.z.array(fieldEnum).optional(),
+        select: zod_1.z
+            .array(selectFieldEnum)
+            .optional()
+            .transform((val) => val && val.length > 0 ? val : undefined)
+            .describe(`Select/orderby allow only scalar fields: ${scalarKeys.join(", ")}`),
         orderby: zod_1.z
             .array(zod_1.z.object({
-            field: fieldEnum,
+            field: selectFieldEnum,
             dir: zod_1.z.enum(["asc", "desc"]).default("asc"),
         }))
-            .optional(),
+            .optional()
+            .transform((val) => val && val.length > 0 ? val : undefined),
         where: zod_1.z
             .array(zod_1.z.object({
-            field: fieldEnum,
+            field: whereFieldEnum.describe(`FILTERABLE FIELDS: ${scalarKeys.join(", ")}. For associations use foreign key (author_ID), NOT association name (author).`),
             op: zod_1.z.enum([
                 "eq",
                 "ne",
@@ -160,15 +222,17 @@ function registerQueryTool(resAnno, server, authEnabled) {
                 zod_1.z.array(zod_1.z.union([zod_1.z.string(), zod_1.z.number()])),
             ]),
         }))
-            .optional(),
+            .optional()
+            .transform((val) => val && val.length > 0 ? val : undefined),
         q: zod_1.z.string().optional().describe("Quick text search"),
         return: zod_1.z.enum(["rows", "count", "aggregate"]).default("rows").optional(),
         aggregate: zod_1.z
             .array(zod_1.z.object({
-            field: fieldEnum,
+            field: selectFieldEnum,
             fn: zod_1.z.enum(["sum", "avg", "min", "max", "count"]),
         }))
-            .optional(),
+            .optional()
+            .transform((val) => (val && val.length > 0 ? val : undefined)),
         explain: zod_1.z.boolean().optional(),
     })
         .strict();
@@ -184,7 +248,8 @@ function registerQueryTool(resAnno, server, authEnabled) {
         explain: inputZod.shape.explain,
     };
     const hint = resAnno.wrap?.hint ? ` Hint: ${resAnno.wrap?.hint}` : "";
-    const desc = `List ${resAnno.target}. Use structured filters (where), top/skip/orderby/select. For fields & examples call cap_describe_model.${hint}`;
+    const desc = `${buildEnhancedQueryDescription(resAnno)} CRITICAL: Use foreign key fields (e.g., author_ID) for associations - association names (e.g., author) won't work in filters.` +
+        hint;
     const queryHandler = async (rawArgs) => {
         const parsed = inputZod.safeParse(rawArgs);
         if (!parsed.success) {
@@ -203,7 +268,7 @@ function registerQueryTool(resAnno, server, authEnabled) {
         }
         let q;
         try {
-            q = buildQuery(CDS, args, resAnno, propKeys);
+            q = buildQuery(CDS, args, resAnno, allKeys);
         }
         catch (e) {
             return (0, utils_2.toolError)("FILTER_PARSE_ERROR", e?.message || String(e));
@@ -564,8 +629,9 @@ function buildQuery(CDS, args, resAnno, propKeys) {
     let qy = SELECT.from(resAnno.target).limit(limitTop, limitSkip);
     if ((propKeys?.length ?? 0) === 0)
         return qy;
-    if (args.select?.length)
+    if (args.select?.length) {
         qy = qy.columns(...args.select);
+    }
     if (args.orderby?.length) {
         // Map to CQN-compatible order by fragments
         const orderFragments = args.orderby.map((o) => `${o.field} ${o.dir}`);
@@ -575,29 +641,40 @@ function buildQuery(CDS, args, resAnno, propKeys) {
         const ands = [];
         if (args.q) {
             const textFields = Array.from(resAnno.properties.keys()).filter((k) => /string/i.test(String(resAnno.properties.get(k))));
-            const ors = textFields.map((f) => CDS.parse.expr(`contains(${f}, '${String(args.q).replace(/'/g, "''")}')`));
-            if (ors.length)
-                ands.push(CDS.parse.expr(ors.map((x) => `(${x})`).join(" or ")));
+            const escaped = String(args.q).replace(/'/g, "''");
+            const ors = textFields.map((f) => `contains(${f}, '${escaped}')`);
+            if (ors.length) {
+                const orExpr = ors.map((x) => `(${x})`).join(" or ");
+                ands.push(CDS.parse.expr(orExpr));
+            }
         }
         for (const c of args.where || []) {
             const { field, op, value } = c;
+            // Field names are now consistent - use them directly
+            const actualField = field;
             if (op === "in" && Array.isArray(value)) {
                 const list = value
                     .map((v) => typeof v === "string" ? `'${v.replace(/'/g, "''")}'` : String(v))
                     .join(",");
-                ands.push(CDS.parse.expr(`${field} in (${list})`));
+                ands.push(CDS.parse.expr(`${actualField} in (${list})`));
                 continue;
             }
             const lit = typeof value === "string"
                 ? `'${String(value).replace(/'/g, "''")}'`
                 : String(value);
+            // Map OData operators to CDS/SQL operators
+            const cdsOp = ODATA_TO_CDS_OPERATORS.get(op) ?? op;
             const expr = ["contains", "startswith", "endswith"].includes(op)
-                ? `${op}(${field}, ${lit})`
-                : `${field} ${op} ${lit}`;
+                ? `${op}(${actualField}, ${lit})`
+                : `${actualField} ${cdsOp} ${lit}`;
             ands.push(CDS.parse.expr(expr));
         }
-        if (ands.length)
-            qy = qy.where(ands);
+        if (ands.length) {
+            // Apply each condition individually - CDS will AND them together
+            for (const condition of ands) {
+                qy = qy.where(condition);
+            }
+        }
     }
     return qy;
 }

package/lib/mcp.js

@@ -40,9 +40,7 @@ class McpPlugin {
         logger_1.LOGGER.debug("Event received for 'bootstrap'");
         this.expressApp = app;
         this.expressApp.use("/mcp", express_1.default.json());
-        // To make it more safe, if there is a mispelling we will always implement auth
-        // Users will have to explicitly write none
-        if (this.config.auth !== "none") {
+        if (this.config.auth === "inherit") {
             (0, utils_2.registerAuthMiddleware)(this.expressApp);
         }
         await this.registerApiEndpoints();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gavdi/cap-mcp",
-  "version": "0.9.9-alpha.3",
+  "version": "0.9.9",
   "description": "MCP Pluging for CAP",
   "keywords": [
     "MCP",
@@ -41,7 +41,7 @@
     "express": "^4"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.17.4",
+    "@modelcontextprotocol/sdk": "^1.17.3",
     "zod": "^3.25.67",
     "zod-to-json-schema": "^3.24.5"
   },

package/lib/annotations.js

@@ -1,257 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.McpPromptAnnotation = exports.McpToolAnnotation = exports.McpResourceAnnotation = exports.McpAnnotation = exports.McpAnnotations = exports.McpAnnotationKey = void 0;
-exports.parseAnnotations = parseAnnotations;
-const utils_1 = require("./utils");
-const DEFAULT_ALL_RESOURCE_OPTIONS = new Set([
-    "filter",
-    "sort",
-    "top",
-    "skip",
-    "select",
-]);
-exports.McpAnnotationKey = "@mcp";
-exports.McpAnnotations = {
-    // Resource annotations for MCP
-    MCP_RESOURCE: "@mcp.resource",
-    // Tool annotations for MCP
-    MCP_TOOL_NAME: "@mcp.tool.name",
-    MCP_TOOL_DESCRIPTION: "@mcp.tool.description",
-    // Prompt annotations for MCP
-    MCP_PROMPT: "@mcp.prompt",
-};
-class McpAnnotation {
-    _target;
-    _serviceName;
-    constructor(target, serviceName) {
-        this._target = target;
-        this._serviceName = serviceName;
-    }
-    get target() {
-        return this._target;
-    }
-    get serviceName() {
-        return this._serviceName;
-    }
-}
-exports.McpAnnotation = McpAnnotation;
-class McpResourceAnnotation extends McpAnnotation {
-    _includeAll;
-    _functionalities;
-    _properties;
-    constructor(target, serviceName, includeAll, functionalities, properties) {
-        super(target, serviceName);
-        this._includeAll = includeAll;
-        this._functionalities = functionalities;
-        this._properties = properties;
-    }
-    get includeAll() {
-        return this._includeAll;
-    }
-    get functionalities() {
-        return this._functionalities;
-    }
-    get properties() {
-        return this._properties;
-    }
-}
-exports.McpResourceAnnotation = McpResourceAnnotation;
-class McpToolAnnotation extends McpAnnotation {
-    _name;
-    _description;
-    _parameters;
-    _entityKey;
-    _operationKind;
-    _keyTypeMap;
-    constructor(name, description, operation, serviceName, parameters, entityKey, operationKind, keyTypeMap) {
-        super(operation, serviceName);
-        this._name = name;
-        this._description = description;
-        this._parameters = parameters;
-        this._entityKey = entityKey;
-        this._operationKind = operationKind;
-        this._keyTypeMap = keyTypeMap;
-    }
-    get name() {
-        return this._name;
-    }
-    get description() {
-        return this._description;
-    }
-    get parameters() {
-        return this._parameters;
-    }
-    get entityKey() {
-        return this._entityKey;
-    }
-    get operationKind() {
-        return this._operationKind;
-    }
-    get keyTypeMap() {
-        return this._keyTypeMap;
-    }
-}
-exports.McpToolAnnotation = McpToolAnnotation;
-class McpPromptAnnotation extends McpAnnotation {
-    _name;
-    _template;
-    constructor(target, serviceName, name, template) {
-        super(target, serviceName);
-        this._name = name;
-        this._template = template;
-    }
-    get name() {
-        return this._name;
-    }
-    get template() {
-        return this._template;
-    }
-}
-exports.McpPromptAnnotation = McpPromptAnnotation;
-function parseAnnotations(services) {
-    const annotations = [];
-    for (const serviceName of Object.keys(services)) {
-        const srv = services[serviceName];
-        if (srv.name === "CatalogService") {
-            utils_1.LOGGER.debug("SERVICE: ", srv.model.definitions);
-        }
-        const entities = srv.entities;
-        const operations = srv.operations; // Refers to action and function imports
-        // Find entities
-        for (const entityName of Object.keys(entities)) {
-            const target = entities[entityName];
-            const res = findEntityAnnotations(target, entityName, srv);
-            if (target.actions) {
-                const bound = parseBoundOperations(target.actions, entityName, target, srv);
-                if (bound && bound.length > 0) {
-                    annotations.push(...bound);
-                }
-            }
-            if (!res)
-                continue;
-            annotations.push(res);
-        }
-        // Find operations
-        for (const operationName of Object.keys(operations)) {
-            const op = operations[operationName];
-            const res = findOperationAnnotations(op, operationName, srv);
-            if (!res)
-                continue;
-            annotations.push(res);
-        }
-    }
-    const result = formatAnnotations(annotations);
-    return result;
-}
-function formatAnnotations(annotationList) {
-    const result = new Map();
-    for (const annotation of annotationList) {
-        if (annotation.operation) {
-            if (!annotation.annotations[exports.McpAnnotations.MCP_TOOL_NAME] ||
-                !annotation.annotations[exports.McpAnnotations.MCP_TOOL_DESCRIPTION]) {
-                utils_1.LOGGER.error(`Invalid annotation found for operation`, annotation);
-                throw new Error(`Invalid annotations for operation '${annotation.operation}'`);
-            }
-            else if (typeof annotation.annotations[exports.McpAnnotations.MCP_TOOL_NAME] !==
-                "string" ||
-                typeof annotation.annotations[exports.McpAnnotations.MCP_TOOL_DESCRIPTION] !==
-                    "string") {
-                utils_1.LOGGER.error("Invalid data for annotations", annotation);
-                throw new Error(`Invalid annotation data for operation '${annotation.operation}'`);
-            }
-            const entry = new McpToolAnnotation(annotation.annotations[exports.McpAnnotations.MCP_TOOL_NAME], annotation.annotations[exports.McpAnnotations.MCP_TOOL_DESCRIPTION], annotation.operation, annotation.serviceName, mapOperationInput(annotation.context), // TODO: Parse the parameters from the context and place them in the class
-            annotation.entityKey, annotation.operationKind, annotation.keyTypeMap);
-            result.set(entry.target, entry);
-            continue;
-        }
-        if (!annotation.entityKey) {
-            utils_1.LOGGER.error("Invalid entry", annotation);
-            throw new Error(`Invalid annotated entry found with no target`);
-        }
-        if (!annotation.annotations[exports.McpAnnotations.MCP_RESOURCE]) {
-            utils_1.LOGGER.error("No valid annotations found for entry", annotation);
-            throw new Error(`Invalid annotations for entry target: '${annotation.entityKey}'`);
-        }
-        const includeAll = annotation.annotations[exports.McpAnnotations.MCP_RESOURCE] === true;
-        const functionalities = Array.isArray(annotation.annotations[exports.McpAnnotations.MCP_RESOURCE])
-            ? new Set(annotation.annotations[exports.McpAnnotations.MCP_RESOURCE])
-            : DEFAULT_ALL_RESOURCE_OPTIONS;
-        const entry = new McpResourceAnnotation(annotation.entityKey, annotation.serviceName, includeAll, functionalities, (0, utils_1.parseEntityElements)(annotation.context));
-        result.set(entry.target, entry);
-    }
-    utils_1.LOGGER.debug("Formatted annotations", result);
-    return result;
-}
-function findEntityAnnotations(entry, entityKey, service) {
-    const annotations = findAnnotations(entry);
-    return Object.keys(annotations).length > 0
-        ? {
-            serviceName: service.name,
-            annotations: annotations,
-            entityKey: entityKey,
-            context: entry,
-        }
-        : undefined;
-}
-function findOperationAnnotations(operation, operationName, service) {
-    const annotations = findAnnotations(operation);
-    return Object.keys(annotations).length > 0
-        ? {
-            serviceName: service.name,
-            annotations: annotations,
-            operation: operationName,
-            operationKind: operation.kind,
-            context: operation,
-        }
-        : undefined;
-}
-function parseBoundOperations(operations, entityKey, entity, service) {
-    const res = new Array();
-    for (const [operationName, operation] of Object.entries(operations)) {
-        const annotation = findBoundOperationAnnotations(operation, operationName, entityKey, service);
-        if (!annotation)
-            continue;
-        annotation.keyTypeMap = new Map();
-        for (const [k, v] of Object.entries(entity.keys)) {
-            if (!v.type) {
-                utils_1.LOGGER.error("Invalid key type", k);
-                throw new Error("Invalid key type found for bound operation");
-            }
-            annotation.keyTypeMap.set(k, v.type.replace("cds.", ""));
-        }
-        res.push(annotation);
-    }
-    return res;
-}
-function findBoundOperationAnnotations(operation, operationName, entityKey, service) {
-    const annotations = findAnnotations(operation);
-    return Object.keys(annotations).length > 0
-        ? {
-            serviceName: service.name,
-            annotations: annotations,
-            operation: operationName,
-            operationKind: operation.kind,
-            entityKey: entityKey,
-            context: operation,
-        }
-        : undefined;
-}
-function findAnnotations(entry) {
-    const annotations = {};
-    for (const [k, v] of Object.entries(entry)) {
-        if (!k.includes(exports.McpAnnotationKey))
-            continue;
-        annotations[k] = v;
-    }
-    return annotations;
-}
-function mapOperationInput(ctx) {
-    const params = ctx["params"];
-    if (!params)
-        return undefined;
-    const result = new Map();
-    for (const [k, v] of Object.entries(params)) {
-        result.set(k, v.type.replace("cds.", ""));
-    }
-    return result.size > 0 ? result : undefined;
-}

package/lib/auth/adapter.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/lib/auth/mock.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/lib/auth/types.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/lib/mcp/customResourceTemplate.js

@@ -1,156 +0,0 @@
-"use strict";
-/**
- * Custom URI template implementation that fixes the MCP SDK's broken
- * URI template matching for grouped query parameters.
- *
- * This is duck typing implementation of the ResourceTemplate class.
- * See @modelcontextprotocol/sdk/server/mcp.js
- *
- * This is only a temporary solution, as we should use the official implementation from the SDK
- * Upon the SDK being fixed, we should switch over to that implementation.
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CustomResourceTemplate = exports.CustomUriTemplate = void 0;
-// TODO: Get rid of 'any' typing
-/**
- * Custom URI template class that properly handles grouped query parameters
- * in the format {?param1,param2,param3}
- */
-class CustomUriTemplate {
-    template;
-    baseUri = "";
-    queryParams = [];
-    constructor(template) {
-        this.template = template;
-        this.parseTemplate();
-    }
-    toString() {
-        return this.template;
-    }
-    parseTemplate() {
-        // Extract base URI and query parameters from template
-        // Template format: odata://CatalogService/books{?filter,orderby,select,skip,top}
-        const queryTemplateMatch = this.template.match(/^([^{]+)\{\?([^}]+)\}$/);
-        if (!queryTemplateMatch) {
-            // No query parameters, treat as static URI
-            this.baseUri = this.template;
-            this.queryParams = [];
-            return;
-        }
-        this.baseUri = queryTemplateMatch[1];
-        this.queryParams = queryTemplateMatch[2]
-            .split(",")
-            .map((param) => param.trim())
-            .filter((param) => param.length > 0);
-    }
-    /**
-     * Matches a URI against this template and extracts variables
-     * @param uri The URI to match
-     * @returns Object with extracted variables or null if no match
-     */
-    match(uri) {
-        // Check if base URI matches
-        if (!uri.startsWith(this.baseUri)) {
-            return null;
-        }
-        // Extract query string
-        const queryStart = uri.indexOf("?");
-        if (queryStart === -1) {
-            // No query parameters in URI
-            if (this.queryParams.length === 0) {
-                return {}; // Static URI match
-            }
-            // Template expects query params but URI has none - still valid for optional params
-            return {};
-        }
-        const queryString = uri.substring(queryStart + 1);
-        const queryPairs = queryString.split("&");
-        const extractedVars = {};
-        // Parse query parameters with strict validation
-        for (const pair of queryPairs) {
-            const equalIndex = pair.indexOf("=");
-            if (equalIndex > 0) {
-                const key = pair.substring(0, equalIndex);
-                const value = pair.substring(equalIndex + 1);
-                if (key && value !== undefined) {
-                    const decodedKey = decodeURIComponent(key);
-                    const decodedValue = decodeURIComponent(value);
-                    // SECURITY: Reject entire URI if ANY unauthorized parameter is present
-                    if (!this.queryParams.includes(decodedKey)) {
-                        return null; // Unauthorized parameter found - reject entire URI
-                    }
-                    extractedVars[decodedKey] = decodedValue;
-                }
-            }
-            else if (pair.trim().length > 0) {
-                // Handle malformed parameters (missing = or empty key)
-                // SECURITY: Reject malformed query parameters
-                return null;
-            }
-        }
-        // For static templates (no parameters allowed), reject any query string
-        if (this.queryParams.length === 0 && queryString.trim().length > 0) {
-            return null;
-        }
-        return extractedVars;
-    }
-    /**
-     * Expands the template with given variables
-     * @param variables Object containing variable values
-     * @returns Expanded URI string
-     */
-    expand(variables) {
-        if (this.queryParams.length === 0) {
-            return this.baseUri;
-        }
-        const queryPairs = [];
-        for (const param of this.queryParams) {
-            const value = variables[param];
-            if (value !== undefined && value !== null && value !== "") {
-                queryPairs.push(`${encodeURIComponent(param)}=${encodeURIComponent(value)}`);
-            }
-        }
-        if (queryPairs.length === 0) {
-            return this.baseUri;
-        }
-        return `${this.baseUri}?${queryPairs.join("&")}`;
-    }
-    /**
-     * Gets the variable names from the template
-     */
-    get variableNames() {
-        return [...this.queryParams];
-    }
-}
-exports.CustomUriTemplate = CustomUriTemplate;
-/**
- * Custom ResourceTemplate that uses our CustomUriTemplate for proper URI matching
- * Duck-types the MCP SDK's ResourceTemplate interface for compatibility
- */
-class CustomResourceTemplate {
-    _uriTemplate;
-    _callbacks;
-    constructor(uriTemplate, callbacks) {
-        this._callbacks = callbacks;
-        this._uriTemplate = new CustomUriTemplate(uriTemplate);
-    }
-    /**
-     * Gets the URI template pattern - must match MCP SDK interface
-     */
-    get uriTemplate() {
-        return this._uriTemplate;
-    }
-    /**
-     * Gets the list callback, if one was provided
-     */
-    get listCallback() {
-        return this._callbacks.list;
-    }
-    /**
-     * Gets the callback for completing a specific URI template variable
-     */
-    completeCallback(variable) {
-        return this._callbacks.complete?.[variable];
-    }
-}
-exports.CustomResourceTemplate = CustomResourceTemplate;

package/lib/types.js

@@ -1,2 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });

package/lib/utils.js

@@ -1,136 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.MCP_SESSION_HEADER = exports.LOGGER = void 0;
-exports.createMcpServer = createMcpServer;
-exports.handleMcpSessionRequest = handleMcpSessionRequest;
-exports.parseEntityElements = parseEntityElements;
-const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
-const zod_1 = require("zod");
-const structures_1 = require("./annotations/structures");
-/* @ts-ignore */
-const cds = global.cds || require("@sap/cds"); // This is a work around for missing cds context
-exports.LOGGER = cds.log("cds-mcp");
-exports.MCP_SESSION_HEADER = "mcp-session-id";
-function createMcpServer(annotations) {
-    const packageInfo = require("../package.json");
-    const server = new mcp_js_1.McpServer({
-        name: packageInfo.name,
-        version: packageInfo.version,
-        capabilities: {
-            tools: { listChanged: true },
-            resources: { listChanged: true },
-            prompts: { listChanged: true },
-        },
-    });
-    exports.LOGGER.debug("Annotations found for server = ", annotations);
-    if (!annotations)
-        return server;
-    // TODO: Handle the parsed annotations
-    // TODO: Error handling
-    // TODO: This should only be mapped once, not per each server instance. Maybe this should be pre-packaged on load?
-    for (const [_, v] of annotations.entries()) {
-        switch (v.constructor) {
-            case structures_1.McpToolAnnotation:
-                const model = v;
-                const parameters = buildParameters(model.parameters);
-                exports.LOGGER.debug("Adding tool", model);
-                if (model.entityKey) {
-                    const keys = buildParameters(model.keyTypeMap);
-                    server.tool(model.name, { ...keys, ...parameters }, async (data) => {
-                        const service = cds.services[model.serviceName];
-                        const received = data;
-                        const receivedKeys = {};
-                        const receivedParams = {};
-                        for (const [k, v] of Object.entries(received)) {
-                            if (model.keyTypeMap?.has(k)) {
-                                receivedKeys[k] = v;
-                            }
-                            if (!model.parameters?.has(k))
-                                continue;
-                            receivedParams[k] = v;
-                        }
-                        const response = await service.send({
-                            event: model.target,
-                            entity: model.entityKey,
-                            data: receivedParams,
-                            params: [receivedKeys],
-                        });
-                        return {
-                            content: Array.isArray(response)
-                                ? response.map((el) => ({ type: "text", text: String(el) }))
-                                : [{ type: "text", text: String(response) }], // TODO: This should be dynamic based on the return type
-                        };
-                    });
-                    continue;
-                }
-                server.tool(model.name, parameters, async (data) => {
-                    exports.LOGGER.debug("Tool call received, targeting service: ", model.serviceName, model.target);
-                    const service = cds.services[model.serviceName];
-                    const response = await service.send(model.target, data);
-                    exports.LOGGER.debug("MCP Tool response received and being packaged");
-                    return {
-                        content: Array.isArray(response)
-                            ? response.map((el) => ({ type: "text", text: String(el) }))
-                            : [{ type: "text", text: String(response) }], // TODO: This should be dynamic based on the return type
-                    };
-                });
-                continue;
-            case structures_1.McpResourceAnnotation:
-                exports.LOGGER.debug("This is a resource");
-                continue;
-            case structures_1.McpPromptAnnotation:
-                exports.LOGGER.debug("This is a prompt");
-                continue;
-            default:
-                exports.LOGGER.error("Invalid annotation data type");
-                throw new Error("Invalid annotation");
-        }
-    }
-    return server;
-}
-async function handleMcpSessionRequest(req, res, sessions) {
-    const sessionIdHeader = req.headers[exports.MCP_SESSION_HEADER];
-    if (!sessionIdHeader || !sessions.has(sessionIdHeader)) {
-        res.status(400).send("Invalid or missing session ID");
-        return;
-    }
-    const session = sessions.get(sessionIdHeader);
-    if (!session) {
-        res.status(400).send("Invalid session");
-        return;
-    }
-    await session.transport.handleRequest(req, res);
-}
-function parseEntityElements(entity) {
-    const elements = entity.elements;
-    if (!elements) {
-        exports.LOGGER.error("Invalid object - cannot be parsed", entity);
-        throw new Error("Failed to parse entity object");
-    }
-    const result = new Map();
-    for (const el of elements) {
-        if (!el.type)
-            continue;
-        result.set(el.name, el.type?.replace("cds.", ""));
-    }
-    return result;
-}
-function buildParameters(params) {
-    if (!params || params.size <= 0)
-        return {};
-    const result = {};
-    for (const [k, v] of params.entries()) {
-        result[k] = determineParameterType(v);
-    }
-    return result;
-}
-function determineParameterType(paramType) {
-    switch (paramType) {
-        case "String":
-            return zod_1.z.string();
-        case "Integer":
-            return zod_1.z.number();
-        default:
-            return zod_1.z.number();
-    }
-}