@mcp-abap-adt/auth-broker 0.1.11 → 0.1.12

package/CHANGELOG.md

@@ -11,6 +11,29 @@ Thank you to all contributors! See [CONTRIBUTORS.md](CONTRIBUTORS.md) for the co
 
 ## [Unreleased]
 
+## [0.1.12] - 2025-12-09
+
+### Added
+- **Debugging Environment Variables**: Added comprehensive debugging support via environment variables
+  - `DEBUG_AUTH_BROKER` - Enable/disable logging for auth-broker package (default: `false`)
+  - `LOG_LEVEL` - Control log verbosity: `debug`, `info`, `warn`, `error` (default: `info`)
+  - `DEBUG` - Alternative way to enable debugging (set to `true` or string containing `auth-broker`)
+  - Logging is disabled by default to avoid misleading output in tests
+  - Tests that expect errors use no-op logger to prevent error message output
+
+### Changed
+- **Test Logger Behavior**: Modified `createTestLogger` to require explicit enable via environment variables
+  - No longer enabled by default in test environment (`NODE_ENV === 'test'`)
+  - Requires `DEBUG_AUTH_BROKER=true` or `DEBUG=true` to enable logging
+  - Prevents misleading error output in tests that expect errors
+  - Tests that expect errors now use `noOpLogger` to avoid false error messages
+
+### Fixed
+- **Service URL Handling**: Fixed `serviceUrl` propagation for ABAP sessions
+  - `AuthBroker` now retrieves `serviceUrl` from `serviceKeyStore` if not provided by `tokenProvider`
+  - Ensures ABAP session stores receive required `serviceUrl` even when token provider doesn't return it
+  - Applied to all authentication flows (refresh token, UAA, browser auth)
+
 ## [0.1.11] - 2025-12-07
 
 ### Changed

package/README.md

@@ -63,8 +63,36 @@ const newToken = await broker.refreshToken('TRIAL');
 
 ### Environment Variables
 
+#### Configuration Variables
+
 - `AUTH_BROKER_PATH` - Colon/semicolon-separated paths for searching `.env` and `.json` files (default: current working directory)
-- `DEBUG_AUTH_LOG` - Set to `true` to enable debug logging (default: `false`)
+
+#### Debugging Variables
+
+- `DEBUG_AUTH_BROKER` - Enable debug logging for `auth-broker` package
+  - Set to `true` to enable logging (default: `false`)
+  - When enabled, logs authentication steps, token operations, and error details
+  - Can be explicitly disabled by setting to `false`
+  - Example: `DEBUG_AUTH_BROKER=true npm test`
+  
+- `LOG_LEVEL` - Control log verbosity level
+  - Values: `debug`, `info`, `warn`, `error` (default: `info`)
+  - `debug` - All messages including detailed debug information
+  - `info` - Informational messages, warnings, and errors
+  - `warn` - Warnings and errors only
+  - `error` - Errors only
+  - Example: `LOG_LEVEL=debug DEBUG_AUTH_BROKER=true npm test`
+
+- `DEBUG` - Alternative way to enable debugging
+  - Set to `true` to enable all debug logging
+  - Or set to a string containing `auth-broker` to enable only this package
+  - Example: `DEBUG=true npm test` or `DEBUG=auth-broker npm test`
+
+**Note**: For debugging related packages:
+- `DEBUG_AUTH_STORES` - Enable logging for `@mcp-abap-adt/auth-stores` package
+- `DEBUG_AUTH_PROVIDERS` - Enable logging for `@mcp-abap-adt/auth-providers` package
+
+**Legacy Support**: `DEBUG_AUTH_LOG` is still supported for backward compatibility (equivalent to `DEBUG_AUTH_BROKER=true LOG_LEVEL=debug`)
 
 ### File Structure
 

package/dist/AuthBroker.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC/G,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAY7C;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAU;IACxB,OAAO,CAAC,eAAe,CAAmB;IAC1C,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IAEtC;;;;;;;;;;OAUG;gBAED,MAAM,EAAE;QAAE,eAAe,EAAE,gBAAgB,CAAC;QAAC,YAAY,EAAE,aAAa,CAAC;QAAC,aAAa,EAAE,cAAc,CAAA;KAAE,EACzG,OAAO,CAAC,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,OAAO;IAuBlB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAmIpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuCxD;;;;OAIG;IACG,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAWvF;;;;OAIG;IACG,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;CAWlF"}
+{"version":3,"file":"AuthBroker.d.ts","sourceRoot":"","sources":["../src/AuthBroker.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAW,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC/G,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAY7C;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAqB;IACpC,OAAO,CAAC,MAAM,CAAU;IACxB,OAAO,CAAC,eAAe,CAAmB;IAC1C,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,aAAa,CAAiB;IAEtC;;;;;;;;;;OAUG;gBAED,MAAM,EAAE;QAAE,eAAe,EAAE,gBAAgB,CAAC;QAAC,YAAY,EAAE,aAAa,CAAC;QAAC,aAAa,EAAE,cAAc,CAAA;KAAE,EACzG,OAAO,CAAC,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,OAAO;IA8DlB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACG,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA6KpD;;;;;OAKG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAuDxD;;;;OAIG;IACG,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC;IAsBvF;;;;OAIG;IACG,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;CAoBlF"}

package/dist/AuthBroker.js

@@ -47,11 +47,45 @@ class AuthBroker {
         if (!stores.tokenProvider) {
             throw new Error('AuthBroker: tokenProvider is required');
         }
-        this.serviceKeyStore = stores.serviceKeyStore;
-        this.sessionStore = stores.sessionStore;
-        this.tokenProvider = stores.tokenProvider;
+        // Validate that stores and provider are correctly instantiated (have required methods)
+        const serviceKeyStore = stores.serviceKeyStore;
+        const sessionStore = stores.sessionStore;
+        const tokenProvider = stores.tokenProvider;
+        // Check serviceKeyStore methods
+        if (typeof serviceKeyStore.getServiceKey !== 'function') {
+            throw new Error('AuthBroker: serviceKeyStore.getServiceKey must be a function');
+        }
+        if (typeof serviceKeyStore.getAuthorizationConfig !== 'function') {
+            throw new Error('AuthBroker: serviceKeyStore.getAuthorizationConfig must be a function');
+        }
+        if (typeof serviceKeyStore.getConnectionConfig !== 'function') {
+            throw new Error('AuthBroker: serviceKeyStore.getConnectionConfig must be a function');
+        }
+        // Check sessionStore methods
+        if (typeof sessionStore.getAuthorizationConfig !== 'function') {
+            throw new Error('AuthBroker: sessionStore.getAuthorizationConfig must be a function');
+        }
+        if (typeof sessionStore.getConnectionConfig !== 'function') {
+            throw new Error('AuthBroker: sessionStore.getConnectionConfig must be a function');
+        }
+        if (typeof sessionStore.setAuthorizationConfig !== 'function') {
+            throw new Error('AuthBroker: sessionStore.setAuthorizationConfig must be a function');
+        }
+        if (typeof sessionStore.setConnectionConfig !== 'function') {
+            throw new Error('AuthBroker: sessionStore.setConnectionConfig must be a function');
+        }
+        // Check tokenProvider methods
+        if (typeof tokenProvider.getConnectionConfig !== 'function') {
+            throw new Error('AuthBroker: tokenProvider.getConnectionConfig must be a function');
+        }
+        // validateToken is optional, so we don't check it
+        this.serviceKeyStore = serviceKeyStore;
+        this.sessionStore = sessionStore;
+        this.tokenProvider = tokenProvider;
         this.browser = browser || 'system';
         this.logger = logger || noOpLogger;
+        // Log successful initialization
+        this.logger?.debug('AuthBroker initialized: serviceKeyStore(ok), sessionStore(ok), tokenProvider(ok)');
     }
     /**
      * Get authentication token for destination.
@@ -87,50 +121,71 @@ class AuthBroker {
      * @throws Error if neither session data nor service key found, or if all authentication methods failed
      */
     async getToken(destination) {
+        this.logger?.debug(`Getting token for destination: ${destination}`);
         // Step 1: Check if session exists and token is valid
         const connConfig = await this.sessionStore.getConnectionConfig(destination);
         if (connConfig?.authorizationToken) {
+            this.logger?.debug(`Session found: token(${connConfig.authorizationToken.length} chars), serviceUrl(${connConfig.serviceUrl ? 'yes' : 'no'})`);
             // Validate token if provider supports validation and we have service URL
             if (this.tokenProvider.validateToken && connConfig.serviceUrl) {
+                this.logger?.debug(`Validating token for ${destination}`);
                 const isValid = await this.tokenProvider.validateToken(connConfig.authorizationToken, connConfig.serviceUrl);
                 if (isValid) {
+                    this.logger?.info(`Token valid for ${destination}: token(${connConfig.authorizationToken.length} chars)`);
                     return connConfig.authorizationToken;
                 }
+                this.logger?.debug(`Token invalid for ${destination}, continuing to refresh`);
             }
             else {
                 // No service URL or provider doesn't support validation - just return token
+                this.logger?.info(`Token found for ${destination} (no validation): token(${connConfig.authorizationToken.length} chars)`);
                 return connConfig.authorizationToken;
             }
         }
+        else {
+            this.logger?.debug(`No session found for ${destination}`);
+        }
         // Step 2: No valid session, check if we have service key
+        this.logger?.debug(`Checking service key for ${destination}`);
         const serviceKey = await this.serviceKeyStore.getServiceKey(destination);
         if (!serviceKey) {
-            // No service key and no valid token
+            this.logger?.error(`No service key found for ${destination}`);
             throw new Error(`No authentication found for destination "${destination}". ` +
                 `No session data and no service key found.`);
         }
         // Get authorization config from service key
         const authConfig = await this.serviceKeyStore.getAuthorizationConfig(destination);
         if (!authConfig) {
+            this.logger?.error(`Service key for ${destination} missing UAA credentials`);
             throw new Error(`Service key for destination "${destination}" does not contain UAA credentials`);
         }
+        this.logger?.debug(`Service key loaded for ${destination}: uaaUrl(${authConfig.uaaUrl.substring(0, 40)}...)`);
         // Get refresh token from session (if exists)
         const sessionAuthConfig = await this.sessionStore.getAuthorizationConfig(destination);
         const refreshToken = sessionAuthConfig?.refreshToken || authConfig.refreshToken;
+        this.logger?.debug(`Refresh token check for ${destination}: hasRefreshToken(${!!refreshToken})`);
         let tokenResult;
         let lastError = null;
         // Step 3: Try to refresh using refresh token (if available) via tokenProvider
         if (refreshToken) {
             try {
-                this.logger.debug(`Attempting to refresh token using refresh token for destination "${destination}"...`);
+                this.logger?.debug(`Trying refresh token flow for ${destination}`);
                 const authConfigWithRefresh = { ...authConfig, refreshToken };
                 tokenResult = await this.tokenProvider.getConnectionConfig(authConfigWithRefresh, {
                     browser: this.browser,
                     logger: this.logger,
                 });
-                this.logger.debug(`Token refreshed successfully using refresh token for destination "${destination}"`);
-                // Update session with new token
-                await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
+                const tokenLength = tokenResult.connectionConfig.authorizationToken?.length || 0;
+                this.logger?.info(`Token refreshed for ${destination}: token(${tokenLength} chars), hasRefreshToken(${!!tokenResult.refreshToken})`);
+                // Get serviceUrl from service key store if not in connectionConfig (required for ABAP stores)
+                // For XSUAA service keys, serviceUrl may not exist, which is fine for BTP/XSUAA stores
+                const serviceKeyConnConfig = await this.serviceKeyStore.getConnectionConfig(destination);
+                const connectionConfigWithServiceUrl = {
+                    ...tokenResult.connectionConfig,
+                    serviceUrl: tokenResult.connectionConfig.serviceUrl || serviceKeyConnConfig?.serviceUrl,
+                };
+                // Update or create session with new token (stores handle creation if session doesn't exist)
+                await this.sessionStore.setConnectionConfig(destination, connectionConfigWithServiceUrl);
                 if (tokenResult.refreshToken) {
                     await this.sessionStore.setAuthorizationConfig(destination, {
                         ...authConfig,
@@ -141,22 +196,30 @@ class AuthBroker {
             }
             catch (error) {
                 lastError = error;
-                this.logger.debug(`Token refresh failed for destination "${destination}": ${error.message}. Trying without refresh token...`);
+                this.logger?.debug(`Refresh token flow failed for ${destination}: ${error.message}, trying UAA`);
                 // Continue to next step
             }
         }
         // Step 4: Try UAA (client_credentials) via tokenProvider (without refresh token)
         // TokenProvider should try client_credentials if refresh token is not provided
         try {
-            this.logger.debug(`Attempting to get token using UAA (client_credentials) for destination "${destination}"...`);
+            this.logger?.debug(`Trying UAA (client_credentials) flow for ${destination}`);
             const authConfigWithoutRefresh = { ...authConfig, refreshToken: undefined };
             tokenResult = await this.tokenProvider.getConnectionConfig(authConfigWithoutRefresh, {
                 browser: this.browser,
                 logger: this.logger,
             });
-            this.logger.debug(`Token obtained successfully using UAA for destination "${destination}"`);
-            // Update session with new token
-            await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
+            const tokenLength = tokenResult.connectionConfig.authorizationToken?.length || 0;
+            this.logger?.info(`Token obtained via UAA for ${destination}: token(${tokenLength} chars), hasRefreshToken(${!!tokenResult.refreshToken})`);
+            // Get serviceUrl from service key store if not in connectionConfig (required for ABAP stores)
+            // For XSUAA service keys, serviceUrl may not exist, which is fine for BTP/XSUAA stores
+            const serviceKeyConnConfig = await this.serviceKeyStore.getConnectionConfig(destination);
+            const connectionConfigWithServiceUrl = {
+                ...tokenResult.connectionConfig,
+                serviceUrl: tokenResult.connectionConfig.serviceUrl || serviceKeyConnConfig?.serviceUrl,
+            };
+            // Update or create session with new token (stores handle creation if session doesn't exist)
+            await this.sessionStore.setConnectionConfig(destination, connectionConfigWithServiceUrl);
             if (tokenResult.refreshToken) {
                 await this.sessionStore.setAuthorizationConfig(destination, {
                     ...authConfig,
@@ -167,21 +230,29 @@ class AuthBroker {
         }
         catch (error) {
             lastError = error;
-            this.logger.debug(`UAA authentication failed for destination "${destination}": ${error.message}. Trying browser authentication...`);
+            this.logger?.debug(`UAA flow failed for ${destination}: ${error.message}, trying browser`);
             // Continue to next step
         }
         // Step 5: Try browser authentication via tokenProvider (should be last resort)
         // TokenProvider should use browser auth if refresh token and client_credentials don't work
         try {
-            this.logger.debug(`Starting browser authentication flow for destination "${destination}"...`);
+            this.logger?.debug(`Trying browser authentication flow for ${destination}`);
             const authConfigForBrowser = { ...authConfig, refreshToken: undefined };
             tokenResult = await this.tokenProvider.getConnectionConfig(authConfigForBrowser, {
                 browser: this.browser,
                 logger: this.logger,
             });
-            this.logger.debug(`Token obtained successfully using browser authentication for destination "${destination}"`);
-            // Update session with new token
-            await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
+            const tokenLength = tokenResult.connectionConfig.authorizationToken?.length || 0;
+            this.logger?.info(`Token obtained via browser for ${destination}: token(${tokenLength} chars), hasRefreshToken(${!!tokenResult.refreshToken})`);
+            // Get serviceUrl from service key store if not in connectionConfig (required for ABAP stores)
+            // For XSUAA service keys, serviceUrl may not exist, which is fine for BTP/XSUAA stores
+            const serviceKeyConnConfig = await this.serviceKeyStore.getConnectionConfig(destination);
+            const connectionConfigWithServiceUrl = {
+                ...tokenResult.connectionConfig,
+                serviceUrl: tokenResult.connectionConfig.serviceUrl || serviceKeyConnConfig?.serviceUrl,
+            };
+            // Update or create session with new token (stores handle creation if session doesn't exist)
+            await this.sessionStore.setConnectionConfig(destination, connectionConfigWithServiceUrl);
             if (tokenResult.refreshToken) {
                 await this.sessionStore.setAuthorizationConfig(destination, {
                     ...authConfig,
@@ -197,7 +268,7 @@ class AuthBroker {
                 `Refresh token: ${refreshToken ? 'failed' : 'not available'}. ` +
                 `UAA: ${authConfig.uaaUrl && authConfig.uaaClientId && authConfig.uaaClientSecret ? 'failed' : 'parameters missing'}. ` +
                 `Browser authentication: failed (${error.message})`;
-            this.logger.error(errorMessage);
+            this.logger?.error(`All auth methods failed for ${destination}: refreshToken(${refreshToken ? 'failed' : 'none'}), UAA(${authConfig.uaaUrl && authConfig.uaaClientId && authConfig.uaaClientSecret ? 'failed' : 'missing'}), browser(failed: ${error.message})`);
             throw new Error(errorMessage);
         }
     }
@@ -208,27 +279,40 @@ class AuthBroker {
      * @returns Promise that resolves to new JWT token string
      */
     async refreshToken(destination) {
+        this.logger?.debug(`Force refreshing token for destination: ${destination}`);
         // Load service key
         const serviceKey = await this.serviceKeyStore.getServiceKey(destination);
         if (!serviceKey) {
+            this.logger?.error(`Service key not found for ${destination}`);
             throw new Error(`Service key not found for destination "${destination}".`);
         }
         // Get authorization config from service key
         const authConfig = await this.serviceKeyStore.getAuthorizationConfig(destination);
         if (!authConfig) {
+            this.logger?.error(`Service key for ${destination} missing UAA credentials`);
             throw new Error(`Service key for destination "${destination}" does not contain UAA credentials`);
         }
         // Get refresh token from session
         const sessionAuthConfig = await this.sessionStore.getAuthorizationConfig(destination);
-        const authConfigWithRefresh = { ...authConfig, refreshToken: sessionAuthConfig?.refreshToken || authConfig.refreshToken };
+        const refreshToken = sessionAuthConfig?.refreshToken || authConfig.refreshToken;
+        this.logger?.debug(`Refresh token check for ${destination}: hasRefreshToken(${!!refreshToken})`);
+        const authConfigWithRefresh = { ...authConfig, refreshToken };
         // Get connection config with token from provider
         const tokenResult = await this.tokenProvider.getConnectionConfig(authConfigWithRefresh, {
             browser: this.browser,
             logger: this.logger,
         });
-        // Update session with new token
-        await this.sessionStore.setConnectionConfig(destination, tokenResult.connectionConfig);
-        // Update authorization config with new refresh token if available
+        const tokenLength = tokenResult.connectionConfig.authorizationToken?.length || 0;
+        this.logger?.info(`Token refreshed for ${destination}: token(${tokenLength} chars), hasRefreshToken(${!!tokenResult.refreshToken})`);
+        // Get serviceUrl from service key store if not in connectionConfig (required for ABAP stores)
+        // For XSUAA service keys, serviceUrl may not exist, which is fine for BTP/XSUAA stores
+        const serviceKeyConnConfig = await this.serviceKeyStore.getConnectionConfig(destination);
+        const connectionConfigWithServiceUrl = {
+            ...tokenResult.connectionConfig,
+            serviceUrl: tokenResult.connectionConfig.serviceUrl || serviceKeyConnConfig?.serviceUrl,
+        };
+        // Update or create session with new token (stores handle creation if session doesn't exist)
+        await this.sessionStore.setConnectionConfig(destination, connectionConfigWithServiceUrl);
         if (tokenResult.refreshToken) {
             await this.sessionStore.setAuthorizationConfig(destination, {
                 ...authConfig,
@@ -243,13 +327,24 @@ class AuthBroker {
      * @returns Promise that resolves to IAuthorizationConfig or null if not found
      */
     async getAuthorizationConfig(destination) {
+        this.logger?.debug(`Getting authorization config for ${destination}`);
         // Try session store first (has tokens)
+        this.logger?.debug(`Checking session store for authorization config: ${destination}`);
         const sessionAuthConfig = await this.sessionStore.getAuthorizationConfig(destination);
         if (sessionAuthConfig) {
+            this.logger?.debug(`Authorization config from session for ${destination}: hasUaaUrl(${!!sessionAuthConfig.uaaUrl}), hasRefreshToken(${!!sessionAuthConfig.refreshToken})`);
             return sessionAuthConfig;
         }
         // Fall back to service key store (has UAA credentials)
-        return await this.serviceKeyStore.getAuthorizationConfig(destination);
+        this.logger?.debug(`Checking service key store for authorization config: ${destination}`);
+        const serviceKeyAuthConfig = await this.serviceKeyStore.getAuthorizationConfig(destination);
+        if (serviceKeyAuthConfig) {
+            this.logger?.debug(`Authorization config from service key for ${destination}: hasUaaUrl(${!!serviceKeyAuthConfig.uaaUrl})`);
+        }
+        else {
+            this.logger?.debug(`No authorization config found for ${destination}`);
+        }
+        return serviceKeyAuthConfig;
     }
     /**
      * Get connection configuration for destination
@@ -257,13 +352,22 @@ class AuthBroker {
      * @returns Promise that resolves to IConnectionConfig or null if not found
      */
     async getConnectionConfig(destination) {
+        this.logger?.debug(`Getting connection config for ${destination}`);
         // Try session store first (has tokens and URLs)
         const sessionConnConfig = await this.sessionStore.getConnectionConfig(destination);
         if (sessionConnConfig) {
+            this.logger?.debug(`Connection config from session for ${destination}: token(${sessionConnConfig.authorizationToken?.length || 0} chars), serviceUrl(${sessionConnConfig.serviceUrl ? 'yes' : 'no'})`);
             return sessionConnConfig;
         }
         // Fall back to service key store (has URLs but no tokens)
-        return await this.serviceKeyStore.getConnectionConfig(destination);
+        const serviceKeyConnConfig = await this.serviceKeyStore.getConnectionConfig(destination);
+        if (serviceKeyConnConfig) {
+            this.logger?.debug(`Connection config from service key for ${destination}: serviceUrl(${serviceKeyConnConfig.serviceUrl ? 'yes' : 'no'}), token(none)`);
+        }
+        else {
+            this.logger?.debug(`No connection config found for ${destination}`);
+        }
+        return serviceKeyConnConfig;
     }
 }
 exports.AuthBroker = AuthBroker;

package/dist/__tests__/helpers/configHelpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"configHelpers.d.ts","sourceRoot":"","sources":["../../../src/__tests__/helpers/configHelpers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH,MAAM,WAAW,UAAU;IACzB,WAAW,CAAC,EAAE;QACZ,KAAK,CAAC,EAAE;YACN,gBAAgB,CAAC,EAAE,MAAM,CAAC;YAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;SACvB,CAAC;QACF,IAAI,CAAC,EAAE;YACL,WAAW,CAAC,EAAE,MAAM,CAAC;SACtB,CAAC;QACF,KAAK,CAAC,EAAE;YACN,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;KACH,CAAC;CACH;AAkBD;;;GAGG;AACH,wBAAgB,cAAc,IAAI,UAAU,CA6C3C;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CA2BpF;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAGrE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG;IACzD,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAOA;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAGpE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAGjE"}
+{"version":3,"file":"configHelpers.d.ts","sourceRoot":"","sources":["../../../src/__tests__/helpers/configHelpers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH,MAAM,WAAW,UAAU;IACzB,WAAW,CAAC,EAAE;QACZ,KAAK,CAAC,EAAE;YACN,gBAAgB,CAAC,EAAE,MAAM,CAAC;YAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;SACvB,CAAC;QACF,IAAI,CAAC,EAAE;YACL,WAAW,CAAC,EAAE,MAAM,CAAC;SACtB,CAAC;QACF,KAAK,CAAC,EAAE;YACN,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,OAAO,CAAC,EAAE,MAAM,CAAC;SAClB,CAAC;KACH,CAAC;CACH;AAkBD;;;GAGG;AACH,wBAAgB,cAAc,IAAI,UAAU,CA6C3C;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CA2BpF;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CAGrE;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG;IACzD,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAOA;AAaD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,IAAI,CASjE"}

package/dist/__tests__/helpers/configHelpers.js

@@ -153,17 +153,39 @@ function getXsuaaDestinations(config) {
         mcp_url: xsuaa?.mcp_url || null,
     };
 }
+/**
+ * Expand tilde (~) to home directory
+ */
+function expandTilde(filePath) {
+    if (filePath.startsWith('~')) {
+        const os = require('os');
+        return path.join(os.homedir(), filePath.slice(1));
+    }
+    return filePath;
+}
 /**
  * Get service keys directory from config
  */
 function getServiceKeysDir(config) {
     const cfg = config || loadTestConfig();
-    return cfg.auth_broker?.paths?.service_keys_dir || null;
+    const dir = cfg.auth_broker?.paths?.service_keys_dir;
+    if (!dir) {
+        return null;
+    }
+    // Expand ~ and normalize path
+    const expanded = expandTilde(dir);
+    return path.resolve(expanded);
 }
 /**
  * Get sessions directory from config
  */
 function getSessionsDir(config) {
     const cfg = config || loadTestConfig();
-    return cfg.auth_broker?.paths?.sessions_dir || null;
+    const dir = cfg.auth_broker?.paths?.sessions_dir;
+    if (!dir) {
+        return null;
+    }
+    // Expand ~ and normalize path
+    const expanded = expandTilde(dir);
+    return path.resolve(expanded);
 }

package/dist/__tests__/helpers/testLogger.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Test logger with environment variable control
+ */
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+export declare function createTestLogger(prefix?: string): ILogger;
+//# sourceMappingURL=testLogger.d.ts.map

package/dist/__tests__/helpers/testLogger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testLogger.d.ts","sourceRoot":"","sources":["../../../src/__tests__/helpers/testLogger.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAgBxD,wBAAgB,gBAAgB,CAAC,MAAM,GAAE,MAAe,GAAG,OAAO,CAgEjE"}

package/dist/__tests__/helpers/testLogger.js

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * Test logger with environment variable control
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTestLogger = createTestLogger;
+function getLogLevel() {
+    const level = process.env.LOG_LEVEL?.toLowerCase() || 'info';
+    const levels = ['debug', 'info', 'warn', 'error'];
+    return levels.includes(level) ? level : 'info';
+}
+function shouldLog(level) {
+    const currentLevel = getLogLevel();
+    const levels = ['debug', 'info', 'warn', 'error'];
+    return levels.indexOf(level) >= levels.indexOf(currentLevel);
+}
+function createTestLogger(prefix = 'TEST') {
+    // Check if logging is enabled - requires explicit enable
+    const isEnabled = () => {
+        // Explicitly disabled
+        if (process.env.DEBUG_AUTH_BROKER === 'false') {
+            return false;
+        }
+        // Explicitly enabled
+        if (process.env.DEBUG_AUTH_BROKER === 'true' ||
+            process.env.DEBUG === 'true' ||
+            process.env.DEBUG?.includes('auth-broker') === true) {
+            return true;
+        }
+        // Do not enable by default - require explicit enable
+        return false;
+    };
+    // Format message and meta into single line
+    const formatMessage = (message, meta) => {
+        if (!meta || meta === '') {
+            return message;
+        }
+        // If meta is an object, format it concisely
+        if (typeof meta === 'object' && !Array.isArray(meta)) {
+            const parts = [];
+            for (const [key, value] of Object.entries(meta)) {
+                if (value !== undefined && value !== null) {
+                    if (typeof value === 'string' && value.length > 50) {
+                        parts.push(`${key}(${value.substring(0, 50)}...)`);
+                    }
+                    else if (typeof value === 'boolean') {
+                        parts.push(`${key}(${value})`);
+                    }
+                    else {
+                        parts.push(`${key}(${value})`);
+                    }
+                }
+            }
+            return parts.length > 0 ? `${message} ${parts.join(', ')}` : message;
+        }
+        // If meta is a string or other type, append it
+        return `${message} ${String(meta)}`;
+    };
+    return {
+        debug: (message, meta) => {
+            if (isEnabled() && shouldLog('debug')) {
+                console.debug(`[${prefix}] [DEBUG] ${formatMessage(message, meta)}`);
+            }
+        },
+        info: (message, meta) => {
+            if (isEnabled() && shouldLog('info')) {
+                console.info(`[${prefix}] ${formatMessage(message, meta)}`);
+            }
+        },
+        warn: (message, meta) => {
+            if (isEnabled() && shouldLog('warn')) {
+                console.warn(`[${prefix}] [WARN] ${formatMessage(message, meta)}`);
+            }
+        },
+        error: (message, meta) => {
+            if (isEnabled() && shouldLog('error')) {
+                console.error(`[${prefix}] [ERROR] ${formatMessage(message, meta)}`);
+            }
+        },
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/auth-broker",
-  "version": "0.1.11",
+  "version": "0.1.12",
   "description": "JWT authentication broker for MCP ABAP ADT - manages tokens based on destination headers",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -40,7 +40,7 @@
     "build": "npm run clean --silent && npx tsc -p tsconfig.json",
     "build:fast": "npx tsc -p tsconfig.json",
     "test": "NODE_OPTIONS=--experimental-vm-modules jest",
-    "test:check": "npx tsc --noEmit",
+    "test:check": "npx tsc --noEmit && npx tsc --noEmit -p tsconfig.test.json",
     "prepublishOnly": "npm run build",
     "generate-env": "tsx bin/generate-env-from-service-key.ts"
   },
@@ -55,7 +55,7 @@
   },
   "devDependencies": {
     "@mcp-abap-adt/auth-providers": "^0.1.3",
-    "@mcp-abap-adt/auth-stores": "^0.1.5",
+    "@mcp-abap-adt/auth-stores": "^0.1.7",
     "@types/express": "^5.0.5",
     "@types/jest": "^30.0.0",
     "@types/js-yaml": "^4.0.9",