@gavdi/cap-mcp 1.1.5 → 1.2.1

package/lib/annotations/parser.js

@@ -125,13 +125,17 @@ function parseAnnotations(definition) {
 function constructResourceAnnotation(serviceName, target, annotations, definition, model) {
     if (!(0, utils_1.isValidResourceAnnotation)(annotations))
         return undefined;
+    const entityTarget = `${serviceName}.${target}`;
     const functionalities = (0, utils_1.determineResourceOptions)(annotations);
-    const foreignKeys = new Map(Object.entries(model.definitions?.[`${serviceName}.${target}`].elements ?? {})
+    const foreignKeys = new Map(Object.entries(model.definitions?.[entityTarget].elements ?? {})
         .filter(([_, v]) => v["@odata.foreignKey4"] !== undefined)
         .map(([k, v]) => [k, v["@odata.foreignKey4"]]));
+    const computedFields = new Set(Object.entries(model.definitions?.[entityTarget].elements ?? {})
+        .filter(([_, v]) => new Map(Object.entries(v).map(([key, value]) => [key.toLowerCase(), value])).get("@core.computed"))
+        .map(([k, _]) => k));
     const { properties, resourceKeys } = (0, utils_1.parseResourceElements)(definition, model);
     const restrictions = (0, utils_1.parseCdsRestrictions)(annotations.restrict, annotations.requires);
-    return new structures_1.McpResourceAnnotation(annotations.name, annotations.description, target, serviceName, functionalities, properties, resourceKeys, foreignKeys, annotations.wrap, restrictions);
+    return new structures_1.McpResourceAnnotation(annotations.name, annotations.description, target, serviceName, functionalities, properties, resourceKeys, foreignKeys, annotations.wrap, restrictions, computedFields);
 }
 /**
  * Constructs a tool annotation from parsed annotation data

package/lib/annotations/structures.js

@@ -84,6 +84,8 @@ class McpResourceAnnotation extends McpAnnotation {
     _wrap;
     /** Map of foreign keys property -> associated entity */
     _foreignKeys;
+    /** Set of computed field names */
+    _computedFields;
     /**
      * Creates a new MCP resource annotation
      * @param name - Unique identifier for this resource
@@ -96,14 +98,16 @@ class McpResourceAnnotation extends McpAnnotation {
      * @param foreignKeys - Map of foreign keys used by entity
      * @param wrap - Wrap usage
      * @param restrictions - Optional restrictions based on CDS roles
+     * @param computedFields - Optional set of fields that are computed and should be ignored in create scenarios
      */
-    constructor(name, description, target, serviceName, functionalities, properties, resourceKeys, foreignKeys, wrap, restrictions) {
+    constructor(name, description, target, serviceName, functionalities, properties, resourceKeys, foreignKeys, wrap, restrictions, computedFields) {
         super(name, description, target, serviceName, restrictions ?? []);
         this._functionalities = functionalities;
         this._properties = properties;
         this._resourceKeys = resourceKeys;
         this._wrap = wrap;
         this._foreignKeys = foreignKeys;
+        this._computedFields = computedFields;
     }
     /**
      * Gets the set of enabled OData query functionalities
@@ -139,6 +143,12 @@ class McpResourceAnnotation extends McpAnnotation {
     get wrap() {
         return this._wrap;
     }
+    /**
+     * Gets the computed fields if any are available
+     */
+    get computedFields() {
+        return this._computedFields;
+    }
 }
 exports.McpResourceAnnotation = McpResourceAnnotation;
 /**

package/lib/annotations/utils.js

@@ -288,10 +288,12 @@ function parseCdsRestrictions(restrictions, requires) {
             });
             continue;
         }
-        const mapped = el.to.map((to) => ({
-            role: to,
-            operations: ops,
-        }));
+        const mapped = Array.isArray(el.to)
+            ? el.to.map((to) => ({
+                role: to,
+                operations: ops,
+            }))
+            : [{ role: el.to, operations: ops }];
         result.push(...mapped);
     }
     return result;
@@ -300,29 +302,30 @@ function parseCdsRestrictions(restrictions, requires) {
  * Maps the "grant" property from CdsRestriction to McpRestriction
  */
 function mapOperationRestriction(cdsRestrictions) {
-    const result = [];
     if (!cdsRestrictions || cdsRestrictions.length <= 0) {
-        result.push("CREATE");
-        result.push("READ");
-        result.push("UPDATE");
-        result.push("DELETE");
-        return result;
+        return ["CREATE", "READ", "UPDATE", "DELETE"];
     }
+    if (!Array.isArray(cdsRestrictions)) {
+        return translateOperationRestriction(cdsRestrictions);
+    }
+    const result = [];
     for (const el of cdsRestrictions) {
-        switch (el) {
-            case "CHANGE":
-                result.push("UPDATE");
-                continue;
-            case "*":
-                result.push("CREATE");
-                result.push("READ");
-                result.push("UPDATE");
-                result.push("DELETE");
-                continue;
-            default:
-                result.push(el);
-                continue;
-        }
+        const translated = translateOperationRestriction(el);
+        if (!translated || translated.length <= 0)
+            continue;
+        result.push(...translated);
     }
     return result;
 }
+function translateOperationRestriction(restrictionType) {
+    switch (restrictionType) {
+        case "CHANGE":
+            return ["UPDATE"];
+        case "WRITE":
+            return ["CREATE", "UPDATE", "DELETE"];
+        case "*":
+            return ["CREATE", "READ", "UPDATE", "DELETE"];
+        default:
+            return [restrictionType];
+    }
+}

package/lib/auth/factory.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.authHandlerFactory = authHandlerFactory;
 exports.errorHandlerFactory = errorHandlerFactory;
 const xsuaa_service_1 = require("./xsuaa-service");
+const utils_1 = require("./utils");
+const logger_1 = require("../logger");
 /** JSON-RPC 2.0 error code for unauthorized requests */
 const RPC_UNAUTHORIZED = 10;
 /* @ts-ignore */
@@ -33,7 +35,8 @@ const cds = global.cds || require("@sap/cds"); // This is a work around for miss
  */
 function authHandlerFactory() {
     const authKind = cds.env.requires.auth.kind;
-    const xsuaaService = new xsuaa_service_1.XSUAAService();
+    const xsuaaService = !(0, utils_1.useMockAuth)(authKind) ? new xsuaa_service_1.XSUAAService() : undefined;
+    logger_1.LOGGER.debug("Authentication kind", authKind);
     return async (req, res, next) => {
         if (!req.headers.authorization && authKind !== "dummy") {
             res.status(401).json({
@@ -47,8 +50,8 @@ function authHandlerFactory() {
             return;
         }
         // For XSUAA/JWT auth types, use @sap/xssec for validation
-        if ((authKind === "jwt" || authKind === "xsuaa") &&
-            xsuaaService.isConfigured()) {
+        if ((authKind === "jwt" || authKind === "xsuaa" || authKind === "ias") &&
+            xsuaaService?.isConfigured()) {
             const securityContext = await xsuaaService.createSecurityContext(req);
             if (!securityContext) {
                 res.status(401).json({

package/lib/auth/handlers.js

@@ -10,7 +10,7 @@ const logger_1 = require("../logger");
 async function handleTokenRequest(req, res, xsuaaService) {
     try {
         const params = { ...req.query, ...req.body };
-        const { grant_type, code, redirect_uri, refresh_token } = params;
+        const { grant_type, code, redirect_uri, refresh_token, code_verifier } = params;
         if (grant_type === "authorization_code") {
             if (!code || !redirect_uri) {
                 res.status(400).json({
@@ -19,9 +19,11 @@ async function handleTokenRequest(req, res, xsuaaService) {
                 });
                 return;
             }
-            const tokenData = await xsuaaService.exchangeCodeForToken(code, redirect_uri);
+            const tokenData = await xsuaaService.exchangeCodeForToken(code, redirect_uri, code_verifier);
+            const scopedToken = await xsuaaService.getApplicationScopes(tokenData);
+            logger_1.LOGGER.debug("Scopes in token:", scopedToken.scope);
             logger_1.LOGGER.debug("[AUTH] Token exchange successful");
-            res.json(tokenData);
+            res.json(scopedToken);
         }
         else if (grant_type === "refresh_token") {
             if (!refresh_token) {

package/lib/auth/utils.js

@@ -8,6 +8,7 @@ exports.getAccessRights = getAccessRights;
 exports.registerAuthMiddleware = registerAuthMiddleware;
 exports.hasToolOperationAccess = hasToolOperationAccess;
 exports.getWrapAccesses = getWrapAccesses;
+exports.useMockAuth = useMockAuth;
 const express_1 = __importDefault(require("express"));
 const helmet_1 = __importDefault(require("helmet"));
 const factory_1 = require("./factory");
@@ -191,7 +192,7 @@ function configureOAuthProxy(expressApp) {
         !credentials.url) {
         throw new Error("Invalid security credentials");
     }
-    registerOAuthEndpoints(expressApp, credentials);
+    registerOAuthEndpoints(expressApp, credentials, kind);
 }
 /**
  * Determines the correct protocol (HTTP/HTTPS) for URL construction.
@@ -213,8 +214,10 @@ function getProtocol(req) {
  * Registers OAuth endpoints for XSUAA integration
  * Only called for jwt/xsuaa/ias auth types with valid credentials
  */
-function registerOAuthEndpoints(expressApp, credentials) {
+function registerOAuthEndpoints(expressApp, credentials, kind) {
     const xsuaaService = new xsuaa_service_1.XSUAAService();
+    // Fetch endpoints from OIDC configuration
+    xsuaaService.discoverOAuthEndpoints();
     // Add JSON and URL-encoded body parsing for OAuth endpoints
     expressApp.use("/oauth", express_1.default.json());
     expressApp.use("/oauth", express_1.default.urlencoded({ extended: true }));
@@ -231,17 +234,17 @@ function registerOAuthEndpoints(expressApp, credentials) {
     }));
     // OAuth Authorization endpoint - stateless redirect to XSUAA
     expressApp.get("/oauth/authorize", (req, res) => {
-        const { state, redirect_uri } = req.query;
+        const { state, redirect_uri, client_id, code_challenge, code_challenge_method, scope, } = req.query;
         // Client validation and redirect URI validation is handled by XSUAA
         // We delegate all client management to XSUAA's built-in OAuth server
         const protocol = getProtocol(req);
         const redirectUri = redirect_uri || `${protocol}://${req.get("host")}/oauth/callback`;
-        const authUrl = xsuaaService.getAuthorizationUrl(redirectUri, state);
+        const authUrl = xsuaaService.getAuthorizationUrl(redirectUri, client_id ?? "", state, code_challenge, code_challenge_method, scope);
         res.redirect(authUrl);
     });
     // OAuth Callback endpoint - stateless token exchange
     expressApp.get("/oauth/callback", async (req, res) => {
-        const { code, state, error, error_description, redirect_uri } = req.query;
+        const { code, state, error, error_description, redirect_uri, code_verifier, } = req.query;
         logger_1.LOGGER.debug("[AUTH] Callback received", code, state);
         if (error) {
             res.status(400).json({
@@ -260,8 +263,10 @@ function registerOAuthEndpoints(expressApp, credentials) {
         try {
             const protocol = getProtocol(req);
             const url = redirect_uri || `${protocol}://${req.get("host")}/oauth/callback`;
-            const tokenData = await xsuaaService.exchangeCodeForToken(code, url);
-            res.json(tokenData);
+            const tokenData = await xsuaaService.exchangeCodeForToken(code, url, code_verifier);
+            const scopedToken = await xsuaaService.getApplicationScopes(tokenData);
+            logger_1.LOGGER.debug("Scopes in token:", scopedToken.scope);
+            res.json(scopedToken);
         }
         catch (error) {
             logger_1.LOGGER.error("OAuth callback error:", error);
@@ -288,13 +293,27 @@ function registerOAuthEndpoints(expressApp, credentials) {
             response_types_supported: ["code"],
             grant_types_supported: ["authorization_code", "refresh_token"],
             code_challenge_methods_supported: ["S256"],
-            // scopes_supported: ["uaa.resource"],
+            scopes_supported: ["openid"],
             token_endpoint_auth_methods_supported: ["client_secret_post"],
             registration_endpoint_auth_methods_supported: ["client_secret_basic"],
         });
     });
     // OAuth Dynamic Client Registration discovery endpoint (GET)
     expressApp.get("/oauth/register", async (req, res) => {
+        // IAS does not support DCR so we will respond with the pre-configured client_id
+        if (kind === "ias") {
+            const protocol = getProtocol(req);
+            const enhancedResponse = {
+                client_id: credentials.clientid, // Add our CAP app's client ID
+                redirect_uris: req.body.redirect_uris || [
+                    `${protocol}://${req.get("host")}/oauth/callback`,
+                ],
+            };
+            logger_1.LOGGER.debug("Provided static client_id during DCR registration process");
+            res.json(enhancedResponse);
+            return;
+        }
+        // Keep original implementation for XSUAA
         try {
             // Simple proxy for discovery - no CSRF needed
             const response = await fetch(`${credentials.url}/oauth/register`, {
@@ -324,6 +343,20 @@ function registerOAuthEndpoints(expressApp, credentials) {
     });
     // OAuth Dynamic Client Registration endpoint (POST) with CSRF handling
     expressApp.post("/oauth/register", async (req, res) => {
+        // IAS does not support DCR so we will respond with the pre-configured client_id
+        if (kind === "ias") {
+            const protocol = getProtocol(req);
+            const enhancedResponse = {
+                client_id: credentials.clientid, // Add our CAP app's client ID
+                redirect_uris: req.body.redirect_uris || [
+                    `${protocol}://${req.get("host")}/oauth/callback`,
+                ],
+            };
+            logger_1.LOGGER.debug("Provided static client_id during DCR registration process");
+            res.json(enhancedResponse);
+            return;
+        }
+        // Keep original implementation for XSUAA
         try {
             // Step 1: Fetch CSRF token from XSUAA
             const csrfResponse = await fetch(`${credentials.url}/oauth/register`, {
@@ -361,7 +394,7 @@ function registerOAuthEndpoints(expressApp, credentials) {
             const enhancedResponse = {
                 ...xsuaaData, // Keep all XSUAA fields
                 client_id: credentials.clientid, // Add our CAP app's client ID
-                client_secret: credentials.clientsecret, // CAP app's client secret
+                // client_secret: credentials.clientsecret, // CAP app's client secret
                 redirect_uris: req.body.redirect_uris || [
                     `${protocol}://${req.get("host")}/oauth/callback`,
                 ], // Use client's redirect URIs
@@ -448,3 +481,10 @@ function getWrapAccesses(user, restrictions) {
     }
     return access;
 }
+/**
+ * Utility method for checking whether auth used is mocked and not live
+ * @returns boolean
+ */
+function useMockAuth(authKind) {
+    return authKind !== "jwt" && authKind !== "ias" && authKind !== "xsuaa";
+}

package/lib/auth/xsuaa-service.js

@@ -45,47 +45,104 @@ const cds = global.cds || require("@sap/cds");
 class XSUAAService {
     credentials;
     xsuaaService;
+    endpoints;
     constructor() {
-        this.credentials = cds.env.requires.auth.credentials;
-        // Initialize XSUAA service from @sap/xssec
-        this.xsuaaService = new xssec.XsuaaService(this.credentials);
+        // In case of IAS, the final token conversion to get application scopes has to be done with XSUAA, so there will be 2 sets of credentials
+        this.credentials = {
+            authProvider: cds.env.requires.auth?.credentials,
+            xsuaa: cds.env.requires.xsuaa?.credentials ||
+                cds.env.requires.auth?.credentials,
+        };
+        // Set default endpoints in case OIDC discovery call fails
+        this.endpoints = {
+            authProvider: {
+                discovery_url: `${this.credentials.authProvider?.url}/.well-known/openid-configuration`,
+                authorization_endpoint: `${this.credentials.authProvider?.url}/oauth/authorize`,
+                token_endpoint: `${this.credentials.authProvider?.url}/oauth/token`,
+            },
+            xsuaa: {
+                discovery_url: `${this.credentials.xsuaa?.url}/.well-known/openid-configuration`,
+                authorization_endpoint: `${this.credentials.xsuaa?.url}/oauth/authorize`,
+                token_endpoint: `${this.credentials.xsuaa?.url}/oauth/token`,
+            },
+        };
+        this.xsuaaService = new xssec.XsuaaService(this.credentials.xsuaa);
     }
     isConfigured() {
-        return !!(this.credentials?.clientid &&
-            this.credentials?.clientsecret &&
-            this.credentials?.url);
+        return !!(this.credentials.authProvider?.clientid &&
+            this.credentials.authProvider?.clientsecret &&
+            this.credentials.authProvider?.url);
+    }
+    /**
+     * Fetch oauth endpoints from the OIDC discovery endpoints from both XSUAA (and IAS).
+     * If none found than the default will be used.
+     */
+    async discoverOAuthEndpoints() {
+        // Do discovery for both 'authProvider' and 'xsuaa' endpoint sets
+        try {
+            const endpointKeys = Object.keys(this.endpoints);
+            for (let key of endpointKeys) {
+                const response = await fetch(this.endpoints[key].discovery_url, {
+                    method: "GET",
+                    headers: {
+                        Accept: "application/json",
+                    },
+                });
+                if (!response.ok) {
+                    const errorData = await response.json();
+                    logger_1.LOGGER.warn(`OAuth endpoints fetch failed: ${response.status} ${errorData.error_description || errorData.error}. Continuing with default configuration.`);
+                }
+                else {
+                    const oidcConfig = await response.json();
+                    this.endpoints[key].authorization_endpoint =
+                        oidcConfig.authorization_endpoint;
+                    this.endpoints[key].token_endpoint = oidcConfig.token_endpoint;
+                    logger_1.LOGGER.debug(`OAuth endpoints for [${key}] set to:`, this.endpoints[key]);
+                }
+            }
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw error;
+            }
+            throw new Error(`OAuth endpoints fetch failed: ${String(error)}`);
+        }
     }
     /**
      * Generates authorization URL using @sap/xssec
      */
-    getAuthorizationUrl(redirectUri, state) {
+    getAuthorizationUrl(redirectUri, client_id, state, code_challenge, code_challenge_method, scope) {
         const params = new URLSearchParams({
             response_type: "code",
-            client_id: this.credentials.clientid,
             redirect_uri: redirectUri,
             // scope: "uaa.resource",
+            client_id,
+            ...(!!code_challenge ? { code_challenge } : {}),
+            ...(!!code_challenge_method ? { code_challenge_method } : {}),
+            ...(!!scope ? { scope } : {}),
         });
         if (state) {
             params.append("state", state);
         }
-        return `${this.credentials.url}/oauth/authorize?${params.toString()}`;
+        return `${this.endpoints.authProvider.authorization_endpoint}?${params.toString()}`;
     }
     /**
      * Exchange authorization code for token using @sap/xssec
      */
-    async exchangeCodeForToken(code, redirectUri) {
+    async exchangeCodeForToken(code, redirectUri, code_verifier) {
         try {
             const tokenOptions = {
                 grant_type: "authorization_code",
                 code,
                 redirect_uri: redirectUri,
+                ...(!!code_verifier ? { code_verifier } : {}),
             };
-            // Use direct XSUAA token endpoint for authorization code exchange
-            const response = await fetch(`${this.credentials.url}/oauth/token`, {
+            // Use direct XSUAA/IAS token endpoint for authorization code exchange
+            const response = await fetch(this.endpoints.authProvider.token_endpoint, {
                 method: "POST",
                 headers: {
                     "Content-Type": "application/x-www-form-urlencoded",
-                    Authorization: `Basic ${Buffer.from(`${this.credentials.clientid}:${this.credentials.clientsecret}`).toString("base64")}`,
+                    Authorization: `Basic ${Buffer.from(`${this.credentials.authProvider?.clientid}:${this.credentials.authProvider?.clientsecret}`).toString("base64")}`,
                 },
                 body: new URLSearchParams(tokenOptions),
             });
@@ -102,16 +159,47 @@ class XSUAAService {
             throw new Error(`Token exchange failed: ${String(error)}`);
         }
     }
+    /**
+     * Convert access_token from authorization code into access_token with application scopes
+     */
+    async getApplicationScopes(token) {
+        try {
+            const tokenOptions = {
+                grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+                reponse_type: "token+id_token",
+                assertion: token.access_token,
+            };
+            const response = await fetch(this.endpoints.xsuaa.token_endpoint, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    Authorization: `Basic ${Buffer.from(`${this.credentials.xsuaa?.clientid}:${this.credentials.xsuaa?.clientsecret}`).toString("base64")}`,
+                },
+                body: new URLSearchParams(tokenOptions),
+            });
+            if (!response.ok) {
+                const errorData = (await response.json());
+                throw new Error(`Token exchange for scopes failed: ${response.status} ${errorData.error_description || errorData.error}`);
+            }
+            return response.json();
+        }
+        catch (error) {
+            if (error instanceof Error) {
+                throw error;
+            }
+            throw new Error(`Token exchange for scopes failed: ${String(error)}`);
+        }
+    }
     /**
      * Refresh access token using @sap/xssec
      */
     async refreshAccessToken(refreshToken) {
         try {
-            const response = await fetch(`${this.credentials.url}/oauth/token`, {
+            const response = await fetch(this.endpoints.xsuaa.token_endpoint, {
                 method: "POST",
                 headers: {
                     "Content-Type": "application/x-www-form-urlencoded",
-                    Authorization: `Basic ${Buffer.from(`${this.credentials.clientid}:${this.credentials.clientsecret}`).toString("base64")}`,
+                    Authorization: `Basic ${Buffer.from(`${this.credentials.xsuaa?.clientid}:${this.credentials.xsuaa?.clientsecret}`).toString("base64")}`,
                 },
                 body: new URLSearchParams({
                     grant_type: "refresh_token",

package/lib/mcp/entity-tools.js

@@ -344,7 +344,8 @@ function registerCreateTool(resAnno, server, authEnabled) {
     const inputSchema = {};
     for (const [propName, cdsType] of resAnno.properties.entries()) {
         const isAssociation = String(cdsType).toLowerCase().includes("association");
-        if (isAssociation) {
+        const isComputed = resAnno.computedFields?.has(propName);
+        if (isAssociation || isComputed) {
             // Association keys are supplied directly from model loading as of v1.1.2
             continue;
         }
@@ -431,8 +432,9 @@ function registerUpdateTool(resAnno, server, authEnabled) {
     for (const [propName, cdsType] of resAnno.properties.entries()) {
         if (resAnno.resourceKeys.has(propName))
             continue;
+        const isComputed = resAnno.computedFields?.has(propName);
         const isAssociation = String(cdsType).toLowerCase().includes("association");
-        if (isAssociation) {
+        if (isAssociation || isComputed) {
             // Association keys are supplied directly from model loading as of v1.1.2
             continue;
         }

package/lib/mcp/session-manager.js

@@ -70,7 +70,7 @@ class McpSessionManager {
             sessionIdGenerator: () => (0, crypto_1.randomUUID)(),
             enableJsonResponse: enableJson,
             onsessioninitialized: (sid) => {
-                logger_1.LOGGER.debug("Session initialized with ID: ", sid);
+                logger_1.LOGGER.info("Session initialized with ID: ", sid);
                 logger_1.LOGGER.debug("Transport mode", { enableJsonResponse: enableJson });
                 this.sessions.set(sid, {
                     server: server,

package/lib/mcp.js

@@ -13,6 +13,7 @@ const loader_1 = require("./config/loader");
 const session_manager_1 = require("./mcp/session-manager");
 const utils_2 = require("./auth/utils");
 const helmet_1 = __importDefault(require("helmet"));
+const cors_1 = __importDefault(require("cors"));
 /* @ts-ignore */
 const cds = global.cds; // Use hosting app's CDS instance exclusively
 /**
@@ -41,6 +42,8 @@ class McpPlugin {
         logger_1.LOGGER.debug("Event received for 'bootstrap'");
         this.expressApp = app;
         this.expressApp.use("/mcp", express_1.default.json());
+        // Only needed to use MCP Inspector in local browser:
+        this.expressApp.use(["/oauth", "/.well-known"], (0, cors_1.default)({ origin: "http://localhost:6274" }));
         // Apply helmet security middleware only to MCP routes
         this.expressApp.use("/mcp", (0, helmet_1.default)({
             contentSecurityPolicy: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gavdi/cap-mcp",
-  "version": "1.1.5",
+  "version": "1.2.1",
   "description": "MCP Pluging for CAP",
   "keywords": [
     "MCP",
@@ -47,6 +47,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.19.1",
     "@sap/xssec": "^4.9.1",
+    "cors": "^2.8.5",
     "helmet": "^8.1.0",
     "zod": "^3.25.67",
     "zod-to-json-schema": "^3.24.5"
@@ -54,6 +55,7 @@
   "devDependencies": {
     "@cap-js/cds-types": "^0.13.0",
     "@release-it/conventional-changelog": "^10.0.1",
+    "@types/cors": "^2.8.19",
     "@types/express": "^5.0.3",
     "@types/jest": "^30.0.0",
     "@types/node": "^24.0.3",