@mcp-abap-adt/calm-server 0.2.1 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,102 @@
 # Changelog
 
+## 0.4.0 — 2026-05-24
+
+Follows `@mcp-abap-adt/calm-client@0.4.0` (connection moved out of the
+client). Combines the auth-broker integration (M19) with a
+server-owned connection layer.
+
+### Changed (BREAKING)
+
+- **The server now owns the CALM connection.** New
+  `src/server/connection/` module on native `fetch`:
+  `AbstractCalmConnection`, `SandboxCalmConnection` (api-key),
+  `OAuth2CalmConnection` (Bearer via `ITokenRefresher`, one-shot
+  refresh+retry on 401/403), and the
+  `createCalmConnection(config, overrides?)` factory. Exposed via the
+  `./connection` subpath export. `@mcp-abap-adt/calm-client` no longer
+  ships `CalmConnection` (peer bumped to `^0.4.0`).
+- **`CALM_BASE_URL` is consumed verbatim** — service routes are appended
+  by plain concatenation; no `/api` injection. Paste `endpoints.Api`
+  from the service-key as-is (it already includes `/api`). Fixes the
+  silent double-`/api` 404 against live tenants.
+
+### Added
+
+- **Token acquisition via `@mcp-abap-adt/auth-broker`** (M19):
+  `buildCalmClient` is `async`, honours `CALM_AUTH_FLOW`
+  (`client_credentials` | `authorization_code`), and sources UAA creds
+  from inline `CALM_UAA_*` (legacy shim) or `./{destination}.env`
+  (produced by the `mcp-auth` CLI). The broker yields the
+  `ITokenRefresher` that is injected into `OAuth2CalmConnection` via the
+  factory's `tokenRefresher` override.
+- **Request-lifecycle logging** in the connection via an optional
+  `ILogger` (debug on request/response/retry, warn on transport
+  failure), threaded from `runStdio` through the stderr-safe
+  `StderrLogger`.
+
+### Fixed
+
+- `dotenv` moved from `devDependencies` to `dependencies` (imported at
+  runtime by `config.ts`).
+
+## 0.3.0 — 2026-05-13
+
+Follows `@mcp-abap-adt/calm-client@0.3.0` (issue / PR #3 / #4 there).
+Closes a wider class of the same bug fixed in 0.2.1: every list
+endpoint whose Spring controller takes `@RequestParam UUID projectId`
+must carry `projectId` on the URL, not in OData `$filter`. After the
+earlier deliverables/workstreams fix, two more came out the moment a
+sandbox `projectId` became available: `listTasks` and `listFeatures`.
+
+### Changed (BREAKING for two tool input schemas)
+
+- **`calm_features_get_by_display_id`** — `projectId` is now
+  `required`. The `getFeatureByDisplayId` endpoint delegates through
+  `listFeatures`, which now needs project scope; and the displayId
+  itself (`6-123`) is project-scoped anyway, so this matches the
+  underlying data model.
+
+### Fixed (internal, no schema impact)
+
+- **`calm_tasks_list` / `calm_features_list`** — projectId is now
+  forwarded positionally to the calm-client (not stuffed into
+  `$filter`), aligning with the server's `?projectId=<uuid>` URL
+  contract.
+- **`calm_tasks_list`** — Tasks service rejects every OData query
+  parameter (`$select`, `$top`, `$filter` all return 400 "not
+  supported yet") despite returning an OData-collection shape. The
+  tool now calls `calm.getTasks().list(projectId)` with no query and
+  performs status/assignee filtering and limit/offset pagination
+  locally. The `fields` arg is kept for API symmetry but accepted as
+  a downstream hint only — the full record comes back from the wire.
+
+### Updated
+
+- Peer dependency `@mcp-abap-adt/calm-client` bumped `^0.2.0` →
+  `^0.3.0`. Required by the projectId-positional signatures on
+  `list` / `getByDisplayId`.
+
+### Discovery / debugging
+
+- The bug was latent until a borrowed sandbox `projectId` (leaked
+  through a public `test_case.projectId`) activated the
+  `describeWithProject` integration gate. Five tests failed with the
+  same HTTP 400 root cause, plus two more Tasks-only "not supported
+  yet" 400s on `$select` / `$top`.
+- The Tasks service's non-OData nature is now documented in the
+  source (and via this entry) — future tools targeting `/tasks/*`
+  should not assume OData semantics.
+
+### Tests
+
+- Updated unit tests for `listFeatures` (URL-based projectId, no
+  `$filter` for it), `listTasks` (no OData query at all, client-side
+  filter), and `getByDisplayId` (projectId+displayId positional args).
+- Integration sandbox suite now exercises five project-scoped reads
+  end-to-end against a borrowed projectId — 230 passed / 2 skipped
+  (oauth2 only) / 1 todo.
+
 ## 0.2.1 — 2026-05-13
 
 Same-day follow-up to 0.2.0: realigns two bonus tools with

package/README.md

@@ -83,6 +83,51 @@ npm run build && node dist/bin/stdio.js
 The server speaks MCP over stdio. Misconfiguration is reported to
 `stderr` with a non-zero exit code.
 
+## Authentication setup
+
+`calm-mcp` supports two OAuth2 flows for live tenants, selectable via
+`CALM_AUTH_FLOW`:
+
+| Flow | Use case | Browser? | Refresh token? |
+|---|---|---|---|
+| `client_credentials` (default) | technical service-binding (`sb-*` client) | no | no |
+| `authorization_code` | end-user dev workflow, full user scope | once | yes |
+
+### Option A — quick CC setup (technical user)
+
+Plain `.env` with inline `CALM_UAA_URL` / `CALM_UAA_CLIENT_ID` /
+`CALM_UAA_CLIENT_SECRET` works as before — no extra steps. The broker uses
+an in-memory session shim for these inline creds.
+
+### Option B — broker-backed setup (CC or AC)
+
+Use the bundled [`mcp-auth`](https://www.npmjs.com/package/@mcp-abap-adt/auth-broker)
+CLI to convert a BTP service key into a token-bearing `.env`:
+
+```bash
+# CC (no browser)
+npx mcp-auth --service-key ./sk.json --output ./DEFAULT.env \
+             --type xsuaa --credential
+
+# AC (browser pops once; refresh_token persists)
+npx mcp-auth --service-key ./sk.json --output ./DEFAULT.env \
+             --type xsuaa --browser auto
+```
+
+Then in your `.env`:
+
+```
+CALM_MODE=oauth2
+CALM_BASE_URL=https://<tenant>.<region>.alm.cloud.sap
+CALM_AUTH_FLOW=authorization_code   # or client_credentials
+CALM_DESTINATION=DEFAULT
+```
+
+The server's runtime auth pipeline is `@mcp-abap-adt/auth-broker`.
+
+> Note: `buildCalmClient` is async since v0.4.0 (was sync in v0.3.x). Library
+> consumers must `await` it.
+
 ### 3. Wire into Claude Desktop
 
 Add to your Claude Desktop config (`~/Library/Application Support/Claude/claude_desktop_config.json`

package/dist/server/auth/buildBroker.d.ts

@@ -0,0 +1,22 @@
+import { AuthBroker } from '@mcp-abap-adt/auth-broker';
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+import type { ICalmServerConfig } from '../config';
+/**
+ * Assemble an `AuthBroker` from server config.
+ *
+ * - Chooses `ClientCredentialsProvider` or `AuthorizationCodeProvider`
+ *   based on `config.authFlow`.
+ * - Chooses session store: legacy `SafeXsuaaSessionStore` shim when the
+ *   `.env` still inlines `CALM_UAA_*`, otherwise file-based
+ *   `XsuaaSessionStore` rooted at cwd (loads `./{destination}.env`).
+ * - `browser: 'none'` always — the runtime server never pops a browser;
+ *   interactive AC login is the job of the `mcp-auth` CLI.
+ * - `allowBrowserAuth` is flow-aware: `true` for CC (broker has a hard
+ *   gate that fires when a session lacks a refresh_token, regardless of
+ *   provider type — CC providers never need a browser anyway, so we let
+ *   the gate pass), `false` for AC (fail fast when refresh_token is
+ *   missing rather than try to launch a browser the stdio process
+ *   cannot show).
+ */
+export declare function buildAuthBroker(config: ICalmServerConfig, logger?: ILogger): Promise<AuthBroker>;
+//# sourceMappingURL=buildBroker.d.ts.map

package/dist/server/auth/buildBroker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildBroker.d.ts","sourceRoot":"","sources":["../../../src/server/auth/buildBroker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAMvD,OAAO,KAAK,EACV,OAAO,EAGR,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAGnD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,iBAAiB,EACzB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,UAAU,CAAC,CA6CrB"}

package/dist/server/auth/buildBroker.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthBroker = buildAuthBroker;
+const auth_broker_1 = require("@mcp-abap-adt/auth-broker");
+const auth_providers_1 = require("@mcp-abap-adt/auth-providers");
+const auth_stores_1 = require("@mcp-abap-adt/auth-stores");
+const legacyEnvShim_1 = require("./legacyEnvShim");
+/**
+ * Assemble an `AuthBroker` from server config.
+ *
+ * - Chooses `ClientCredentialsProvider` or `AuthorizationCodeProvider`
+ *   based on `config.authFlow`.
+ * - Chooses session store: legacy `SafeXsuaaSessionStore` shim when the
+ *   `.env` still inlines `CALM_UAA_*`, otherwise file-based
+ *   `XsuaaSessionStore` rooted at cwd (loads `./{destination}.env`).
+ * - `browser: 'none'` always — the runtime server never pops a browser;
+ *   interactive AC login is the job of the `mcp-auth` CLI.
+ * - `allowBrowserAuth` is flow-aware: `true` for CC (broker has a hard
+ *   gate that fires when a session lacks a refresh_token, regardless of
+ *   provider type — CC providers never need a browser anyway, so we let
+ *   the gate pass), `false` for AC (fail fast when refresh_token is
+ *   missing rather than try to launch a browser the stdio process
+ *   cannot show).
+ */
+async function buildAuthBroker(config, logger) {
+    const shimStore = await (0, legacyEnvShim_1.buildLegacyShimStore)(config);
+    const sessionStore = shimStore ?? new auth_stores_1.XsuaaSessionStore(process.cwd(), config.baseUrl, logger);
+    // Resolve UAA credentials: inline config wins, otherwise read from
+    // session store (populated from `./{destination}.env` by `mcp-auth`).
+    const sessionAuth = await sessionStore.getAuthorizationConfig(config.destination);
+    const uaaUrl = config.uaaUrl || sessionAuth?.uaaUrl;
+    const uaaClientId = config.uaaClientId || sessionAuth?.uaaClientId;
+    const uaaClientSecret = config.uaaClientSecret || sessionAuth?.uaaClientSecret;
+    if (!uaaUrl || !uaaClientId || !uaaClientSecret) {
+        throw new Error(`[calm-mcp] UAA credentials missing for destination "${config.destination}". ` +
+            `Either inline CALM_UAA_URL/CALM_UAA_CLIENT_ID/CALM_UAA_CLIENT_SECRET in .env, ` +
+            `or run 'npx mcp-auth --service-key ./sk.json --output ./${config.destination}.env --type xsuaa' first.`);
+    }
+    const tokenProvider = config.authFlow === 'authorization_code'
+        ? new auth_providers_1.AuthorizationCodeProvider({
+            uaaUrl,
+            clientId: uaaClientId,
+            clientSecret: uaaClientSecret,
+            browser: 'none',
+            logger,
+        })
+        : new auth_providers_1.ClientCredentialsProvider({
+            uaaUrl,
+            clientId: uaaClientId,
+            clientSecret: uaaClientSecret,
+        });
+    const allowBrowserAuth = config.authFlow !== 'authorization_code';
+    return new auth_broker_1.AuthBroker({ sessionStore, tokenProvider, allowBrowserAuth }, 'none', logger);
+}
+//# sourceMappingURL=buildBroker.js.map

package/dist/server/auth/buildBroker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildBroker.js","sourceRoot":"","sources":["../../../src/server/auth/buildBroker.ts"],"names":[],"mappings":";;AA+BA,0CAgDC;AA/ED,2DAAuD;AACvD,iEAGsC;AACtC,2DAA8D;AAO9D,mDAAuD;AAEvD;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,eAAe,CACnC,MAAyB,EACzB,MAAgB;IAEhB,MAAM,SAAS,GAAG,MAAM,IAAA,oCAAoB,EAAC,MAAM,CAAC,CAAC;IACrD,MAAM,YAAY,GAChB,SAAS,IAAI,IAAI,+BAAiB,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,mEAAmE;IACnE,sEAAsE;IACtE,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAC3D,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,WAAW,EAAE,MAAM,CAAC;IACpD,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,WAAW,EAAE,WAAW,CAAC;IACnE,MAAM,eAAe,GACnB,MAAM,CAAC,eAAe,IAAI,WAAW,EAAE,eAAe,CAAC;IAEzD,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,uDAAuD,MAAM,CAAC,WAAW,KAAK;YAC5E,gFAAgF;YAChF,2DAA2D,MAAM,CAAC,WAAW,2BAA2B,CAC3G,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GACjB,MAAM,CAAC,QAAQ,KAAK,oBAAoB;QACtC,CAAC,CAAC,IAAI,0CAAyB,CAAC;YAC5B,MAAM;YACN,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,eAAe;YAC7B,OAAO,EAAE,MAAM;YACf,MAAM;SACP,CAAC;QACJ,CAAC,CAAC,IAAI,0CAAyB,CAAC;YAC5B,MAAM;YACN,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,eAAe;SAC9B,CAAC,CAAC;IAET,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,KAAK,oBAAoB,CAAC;IAElE,OAAO,IAAI,wBAAU,CACnB,EAAE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,EACjD,MAAM,EACN,MAAM,CACP,CAAC;AACJ,CAAC"}

package/dist/server/auth/legacyEnvShim.d.ts

@@ -0,0 +1,10 @@
+import type { ISessionStore } from '@mcp-abap-adt/interfaces';
+import type { ICalmServerConfig } from '../config';
+/**
+ * If the user's `.env` still inlines `CALM_UAA_URL`/`CALM_UAA_CLIENT_ID`/
+ * `CALM_UAA_CLIENT_SECRET` (pre-broker convention), build an in-memory
+ * SafeXsuaaSessionStore preloaded with those creds. Returns null if any
+ * of the three are missing — caller falls back to file-based store.
+ */
+export declare function buildLegacyShimStore(config: ICalmServerConfig): Promise<ISessionStore | null>;
+//# sourceMappingURL=legacyEnvShim.d.ts.map

package/dist/server/auth/legacyEnvShim.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"legacyEnvShim.d.ts","sourceRoot":"","sources":["../../../src/server/auth/legacyEnvShim.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEnD;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAW/B"}

package/dist/server/auth/legacyEnvShim.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildLegacyShimStore = buildLegacyShimStore;
+const auth_stores_1 = require("@mcp-abap-adt/auth-stores");
+/**
+ * If the user's `.env` still inlines `CALM_UAA_URL`/`CALM_UAA_CLIENT_ID`/
+ * `CALM_UAA_CLIENT_SECRET` (pre-broker convention), build an in-memory
+ * SafeXsuaaSessionStore preloaded with those creds. Returns null if any
+ * of the three are missing — caller falls back to file-based store.
+ */
+async function buildLegacyShimStore(config) {
+    const { uaaUrl, uaaClientId, uaaClientSecret, baseUrl, destination } = config;
+    if (!uaaUrl || !uaaClientId || !uaaClientSecret)
+        return null;
+    const store = new auth_stores_1.SafeXsuaaSessionStore(baseUrl);
+    await store.setAuthorizationConfig(destination, {
+        uaaUrl,
+        uaaClientId,
+        uaaClientSecret,
+    });
+    return store;
+}
+//# sourceMappingURL=legacyEnvShim.js.map

package/dist/server/auth/legacyEnvShim.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"legacyEnvShim.js","sourceRoot":"","sources":["../../../src/server/auth/legacyEnvShim.ts"],"names":[],"mappings":";;AAUA,oDAaC;AAvBD,2DAAkE;AAIlE;;;;;GAKG;AACI,KAAK,UAAU,oBAAoB,CACxC,MAAyB;IAEzB,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;IAC9E,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAE7D,MAAM,KAAK,GAAG,IAAI,mCAAqB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,KAAK,CAAC,sBAAsB,CAAC,WAAW,EAAE;QAC9C,MAAM;QACN,WAAW;QACX,eAAe;KAChB,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/server/buildClient.d.ts

@@ -1,10 +1,22 @@
 import { CalmClient } from '@mcp-abap-adt/calm-client';
+import type { ILogger } from '@mcp-abap-adt/interfaces';
 import type { ICalmServerConfig } from './config';
+export interface BuildCalmClientOptions {
+    logger?: ILogger;
+}
 /**
- * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`. Picks
- * OAuth2 or sandbox mode based on config.mode. The returned connection
- * is stateless from the server's perspective — constructing a fresh
- * CalmClient per process is cheap.
+ * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`.
+ *
+ * Connection construction (fetch transport, verbatim base URL, request
+ * logging) lives in `./connection`. Token acquisition is delegated:
+ *
+ * - `oauth2` mode: `@mcp-abap-adt/auth-broker` produces the
+ *   `ITokenRefresher` (honouring `CALM_AUTH_FLOW` + session stores);
+ *   it is injected into the connection via the factory's
+ *   `tokenRefresher` override. Pass `options.logger` (e.g.
+ *   `StderrLogger`) in stdio mode so broker + connection logs go to
+ *   stderr, never the MCP stdout frame stream.
+ * - `sandbox` mode: direct API-key auth, no broker involved.
  */
-export declare function buildCalmClient(config: ICalmServerConfig): CalmClient;
+export declare function buildCalmClient(config: ICalmServerConfig, options?: BuildCalmClientOptions): Promise<CalmClient>;
 //# sourceMappingURL=buildClient.d.ts.map

package/dist/server/buildClient.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"buildClient.d.ts","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAkB,MAAM,2BAA2B,CAAC;AAEvE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAoDlD;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,iBAAiB,GAAG,UAAU,CAoBrE"}
+{"version":3,"file":"buildClient.d.ts","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAGlD,MAAM,WAAW,sBAAsB;IACrC,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,iBAAiB,EACzB,OAAO,GAAE,sBAA2B,GACnC,OAAO,CAAC,UAAU,CAAC,CAcrB"}

package/dist/server/buildClient.js

@@ -2,73 +2,31 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildCalmClient = buildCalmClient;
 const calm_client_1 = require("@mcp-abap-adt/calm-client");
+const buildBroker_1 = require("./auth/buildBroker");
+const createCalmConnection_1 = require("./connection/createCalmConnection");
 /**
- * Minimal XSUAA `client_credentials` refresher — sufficient for
- * standalone-mode servers where no shared auth-broker/session store is
- * configured. Caches the token until explicitly refreshed. Production
- * consumers that already run `@mcp-abap-adt/auth-broker` elsewhere
- * should pass their own `ITokenRefresher` via `buildCalmClient.override`.
+ * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`.
+ *
+ * Connection construction (fetch transport, verbatim base URL, request
+ * logging) lives in `./connection`. Token acquisition is delegated:
+ *
+ * - `oauth2` mode: `@mcp-abap-adt/auth-broker` produces the
+ *   `ITokenRefresher` (honouring `CALM_AUTH_FLOW` + session stores);
+ *   it is injected into the connection via the factory's
+ *   `tokenRefresher` override. Pass `options.logger` (e.g.
+ *   `StderrLogger`) in stdio mode so broker + connection logs go to
+ *   stderr, never the MCP stdout frame stream.
+ * - `sandbox` mode: direct API-key auth, no broker involved.
  */
-class XsuaaRefresher {
-    uaaUrl;
-    clientId;
-    clientSecret;
-    cached;
-    constructor(uaaUrl, clientId, clientSecret) {
-        this.uaaUrl = uaaUrl;
-        this.clientId = clientId;
-        this.clientSecret = clientSecret;
-    }
-    async getToken() {
-        if (!this.cached)
-            return this.refreshToken();
-        return this.cached;
-    }
-    async refreshToken() {
-        const url = `${this.uaaUrl.replace(/\/$/, '')}/oauth/token`;
-        const basic = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
-        const response = await fetch(url, {
-            method: 'POST',
-            headers: {
-                Authorization: `Basic ${basic}`,
-                'Content-Type': 'application/x-www-form-urlencoded',
-                Accept: 'application/json',
-            },
-            body: 'grant_type=client_credentials',
-        });
-        if (!response.ok) {
-            const body = await response.text().catch(() => '');
-            throw new Error(`XSUAA token request failed: ${response.status} ${response.statusText} — ${body.slice(0, 200)}`);
-        }
-        const json = (await response.json());
-        if (!json.access_token) {
-            throw new Error('XSUAA token response missing access_token');
-        }
-        this.cached = json.access_token;
-        return this.cached;
-    }
-}
-/**
- * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`. Picks
- * OAuth2 or sandbox mode based on config.mode. The returned connection
- * is stateless from the server's perspective — constructing a fresh
- * CalmClient per process is cheap.
- */
-function buildCalmClient(config) {
+async function buildCalmClient(config, options = {}) {
     if (config.mode === 'oauth2') {
-        const refresher = new XsuaaRefresher(config.uaaUrl, config.uaaClientId, config.uaaClientSecret);
-        const connection = new calm_client_1.CalmConnection({
-            baseUrl: config.baseUrl,
-            tokenRefresher: refresher,
-            defaultTimeout: config.timeoutMs,
-        });
-        return new calm_client_1.CalmClient(connection);
+        const broker = await (0, buildBroker_1.buildAuthBroker)(config, options.logger);
+        const tokenRefresher = broker.createTokenRefresher(config.destination);
+        return new calm_client_1.CalmClient((0, createCalmConnection_1.createCalmConnection)(config, {
+            tokenRefresher,
+            logger: options.logger,
+        }));
     }
-    const connection = new calm_client_1.CalmConnection({
-        baseUrl: config.baseUrl,
-        apiKey: config.apiKey,
-        defaultTimeout: config.timeoutMs,
-    });
-    return new calm_client_1.CalmClient(connection);
+    return new calm_client_1.CalmClient((0, createCalmConnection_1.createCalmConnection)(config, { logger: options.logger }));
 }
 //# sourceMappingURL=buildClient.js.map

package/dist/server/buildClient.js.map

@@ -1 +1 @@
-{"version":3,"file":"buildClient.js","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":";;AA4DA,0CAoBC;AAhFD,2DAAuE;AAIvE;;;;;;GAMG;AACH,MAAM,cAAc;IAIC;IACA;IACA;IALX,MAAM,CAAU;IAExB,YACmB,MAAc,EACd,QAAgB,EAChB,YAAoB;QAFpB,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAQ;QAChB,iBAAY,GAAZ,YAAY,CAAQ;IACpC,CAAC;IAEJ,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,QAAQ,CACzE,QAAQ,CACT,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,SAAS,KAAK,EAAE;gBAC/B,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,+BAA+B;SACtC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAChG,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;QAClE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC;QAChC,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,MAAyB;IACvD,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,IAAI,cAAc,CAClC,MAAM,CAAC,MAAgB,EACvB,MAAM,CAAC,WAAqB,EAC5B,MAAM,CAAC,eAAyB,CACjC,CAAC;QACF,MAAM,UAAU,GAAG,IAAI,4BAAc,CAAC;YACpC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,SAAS;YACzB,cAAc,EAAE,MAAM,CAAC,SAAS;SACjC,CAAC,CAAC;QACH,OAAO,IAAI,wBAAU,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,4BAAc,CAAC;QACpC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM,EAAE,MAAM,CAAC,MAAgB;QAC/B,cAAc,EAAE,MAAM,CAAC,SAAS;KACjC,CAAC,CAAC;IACH,OAAO,IAAI,wBAAU,CAAC,UAAU,CAAC,CAAC;AACpC,CAAC"}
+{"version":3,"file":"buildClient.js","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":";;AAwBA,0CAiBC;AAzCD,2DAAuD;AAEvD,oDAAqD;AAErD,4EAAyE;AAMzE;;;;;;;;;;;;;GAaG;AACI,KAAK,UAAU,eAAe,CACnC,MAAyB,EACzB,UAAkC,EAAE;IAEpC,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7D,MAAM,cAAc,GAAG,MAAM,CAAC,oBAAoB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACvE,OAAO,IAAI,wBAAU,CACnB,IAAA,2CAAoB,EAAC,MAAM,EAAE;YAC3B,cAAc;YACd,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CACH,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,wBAAU,CACnB,IAAA,2CAAoB,EAAC,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CACzD,CAAC;AACJ,CAAC"}

package/dist/server/config.d.ts

@@ -5,6 +5,7 @@
  */
 export declare function loadEnv(): void;
 export type CalmServerMode = 'oauth2' | 'sandbox';
+export type CalmAuthFlow = 'client_credentials' | 'authorization_code';
 export interface ICalmServerConfig {
     mode: CalmServerMode;
     baseUrl: string;
@@ -13,6 +14,8 @@ export interface ICalmServerConfig {
     uaaClientSecret?: string;
     apiKey?: string;
     timeoutMs: number;
+    authFlow: CalmAuthFlow;
+    destination: string;
 }
 export declare function readConfig(): ICalmServerConfig;
 //# sourceMappingURL=config.d.ts.map

package/dist/server/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAMA;;;;GAIG;AACH,wBAAgB,OAAO,IAAI,IAAI,CAU9B;AAED,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,SAAS,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAYD,wBAAgB,UAAU,IAAI,iBAAiB,CAkC9C"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAMA;;;;GAIG;AACH,wBAAgB,OAAO,IAAI,IAAI,CAU9B;AAED,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,SAAS,CAAC;AAClD,MAAM,MAAM,YAAY,GAAG,oBAAoB,GAAG,oBAAoB,CAAC;AAEvE,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;CACrB;AAYD,wBAAgB,UAAU,IAAI,iBAAiB,CAsD9C"}

package/dist/server/config.js

@@ -38,6 +38,18 @@ function readConfig() {
     if (!mode) {
         throw new Error('[calm-mcp] CALM_MODE is required (oauth2 or sandbox). See .env.example.');
     }
+    const rawAuthFlow = process.env.CALM_AUTH_FLOW;
+    let authFlow = 'client_credentials';
+    if (rawAuthFlow) {
+        if (rawAuthFlow === 'client_credentials' ||
+            rawAuthFlow === 'authorization_code') {
+            authFlow = rawAuthFlow;
+        }
+        else {
+            throw new Error(`[calm-mcp] CALM_AUTH_FLOW must be 'client_credentials' or 'authorization_code', got "${rawAuthFlow}".`);
+        }
+    }
+    const destination = process.env.CALM_DESTINATION || 'DEFAULT';
     const timeoutMs = process.env.CALM_TIMEOUT
         ? Number(process.env.CALM_TIMEOUT)
         : 30_000;
@@ -45,10 +57,12 @@ function readConfig() {
         return {
             mode,
             baseUrl: required('CALM_BASE_URL'),
-            uaaUrl: required('CALM_UAA_URL'),
-            uaaClientId: required('CALM_UAA_CLIENT_ID'),
-            uaaClientSecret: required('CALM_UAA_CLIENT_SECRET'),
+            uaaUrl: process.env.CALM_UAA_URL,
+            uaaClientId: process.env.CALM_UAA_CLIENT_ID,
+            uaaClientSecret: process.env.CALM_UAA_CLIENT_SECRET,
             timeoutMs,
+            authFlow,
+            destination,
         };
     }
     if (mode === 'sandbox') {
@@ -57,6 +71,8 @@ function readConfig() {
             baseUrl: process.env.CALM_BASE_URL || 'https://sandbox.api.sap.com/SAPCALM',
             apiKey: required('CALM_API_KEY'),
             timeoutMs,
+            authFlow,
+            destination,
         };
     }
     throw new Error(`[calm-mcp] unknown CALM_MODE "${mode}"`);

package/dist/server/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":";;AAWA,0BAUC;AAwBD,gCAkCC;AA/ED,qCAAqC;AACrC,yCAAoC;AACpC,mCAAgD;AAEhD,IAAI,MAAM,GAAG,KAAK,CAAC;AAEnB;;;;GAIG;AACH,SAAgB,OAAO;IACrB,IAAI,MAAM;QAAE,OAAO;IACnB,MAAM,GAAG,IAAI,CAAC;IACd,qEAAqE;IACrE,mEAAmE;IACnE,kEAAkE;IAClE,2EAA2E;IAC3E,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO;IACvC,MAAM,IAAI,GAAG,IAAA,mBAAO,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5C,IAAI,IAAA,oBAAU,EAAC,IAAI,CAAC;QAAE,IAAA,eAAY,EAAC,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAcD,SAAS,QAAQ,CAAC,IAAY;IAC5B,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,IAAI,KAAK,CACb,sBAAsB,IAAI,6CAA6C,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,UAAU;IACxB,OAAO,EAAE,CAAC;IACV,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,EAElC,CAAC;IACd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY;QACxC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAClC,CAAC,CAAC,MAAM,CAAC;IAEX,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,IAAI;YACJ,OAAO,EAAE,QAAQ,CAAC,eAAe,CAAC;YAClC,MAAM,EAAE,QAAQ,CAAC,cAAc,CAAC;YAChC,WAAW,EAAE,QAAQ,CAAC,oBAAoB,CAAC;YAC3C,eAAe,EAAE,QAAQ,CAAC,wBAAwB,CAAC;YACnD,SAAS;SACV,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO;YACL,IAAI;YACJ,OAAO,EACL,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,qCAAqC;YACpE,MAAM,EAAE,QAAQ,CAAC,cAAc,CAAC;YAChC,SAAS;SACV,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,GAAG,CAAC,CAAC;AAC5D,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":";;AAWA,0BAUC;AA2BD,gCAsDC;AAtGD,qCAAqC;AACrC,yCAAoC;AACpC,mCAAgD;AAEhD,IAAI,MAAM,GAAG,KAAK,CAAC;AAEnB;;;;GAIG;AACH,SAAgB,OAAO;IACrB,IAAI,MAAM;QAAE,OAAO;IACnB,MAAM,GAAG,IAAI,CAAC;IACd,qEAAqE;IACrE,mEAAmE;IACnE,kEAAkE;IAClE,2EAA2E;IAC3E,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO;IACvC,MAAM,IAAI,GAAG,IAAA,mBAAO,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5C,IAAI,IAAA,oBAAU,EAAC,IAAI,CAAC;QAAE,IAAA,eAAY,EAAC,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAiBD,SAAS,QAAQ,CAAC,IAAY;IAC5B,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,IAAI,KAAK,CACb,sBAAsB,IAAI,6CAA6C,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,UAAU;IACxB,OAAO,EAAE,CAAC;IACV,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,EAElC,CAAC;IACd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC/C,IAAI,QAAQ,GAAiB,oBAAoB,CAAC;IAClD,IAAI,WAAW,EAAE,CAAC;QAChB,IACE,WAAW,KAAK,oBAAoB;YACpC,WAAW,KAAK,oBAAoB,EACpC,CAAC;YACD,QAAQ,GAAG,WAAW,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,wFAAwF,WAAW,IAAI,CACxG,CAAC;QACJ,CAAC;IACH,CAAC;IACD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS,CAAC;IAE9D,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY;QACxC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAClC,CAAC,CAAC,MAAM,CAAC;IAEX,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,IAAI;YACJ,OAAO,EAAE,QAAQ,CAAC,eAAe,CAAC;YAClC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;YAChC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;YAC3C,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;YACnD,SAAS;YACT,QAAQ;YACR,WAAW;SACZ,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO;YACL,IAAI;YACJ,OAAO,EACL,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,qCAAqC;YACpE,MAAM,EAAE,QAAQ,CAAC,cAAc,CAAC;YAChC,SAAS;YACT,QAAQ;YACR,WAAW;SACZ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,GAAG,CAAC,CAAC;AAC5D,CAAC"}

package/dist/server/connection/AbstractCalmConnection.d.ts

@@ -0,0 +1,43 @@
+import type { CalmService, ICalmConnection, ICalmRequestOptions, ICalmResponse, ILogger } from '@mcp-abap-adt/interfaces';
+import { type CalmServiceRouteMap } from './serviceRoutes';
+export interface IAbstractCalmConnectionOptions {
+    baseUrl: string;
+    defaultTimeout?: number;
+    serviceRoutes?: Partial<CalmServiceRouteMap>;
+    defaultHeaders?: Record<string, string>;
+    /**
+     * Optional logger. Request lifecycle is logged at `debug`; transport
+     * failures at `warn`. In a stdio MCP runtime this MUST be a
+     * stderr-only logger (see `StderrLogger`) — never one that writes to
+     * stdout.
+     */
+    logger?: ILogger;
+}
+/**
+ * Shared fetch-based transport for Cloud ALM. Subclasses provide
+ * `attachAuth()` and may override `onAuthFailure()`. `baseUrl` is used
+ * verbatim — NO prefix injection.
+ */
+export declare abstract class AbstractCalmConnection implements ICalmConnection {
+    protected readonly baseUrl: string;
+    protected readonly defaultTimeout: number;
+    protected readonly defaultHeaders: Record<string, string>;
+    protected readonly serviceRoutes: CalmServiceRouteMap;
+    protected readonly logger?: ILogger;
+    constructor(options: IAbstractCalmConnectionOptions);
+    /** Subclass: return auth headers for a request. */
+    protected abstract attachAuth(): Promise<Record<string, string>>;
+    /**
+     * Subclass hook on 401/403. Return true to retry once. Default: no
+     * retry.
+     */
+    protected onAuthFailure(_status: number): Promise<boolean>;
+    connect(): Promise<void>;
+    getBaseUrl(): Promise<string>;
+    getServiceUrl(service: CalmService): Promise<string>;
+    makeRequest<T = unknown, D = unknown>(options: ICalmRequestOptions): Promise<ICalmResponse<T, D>>;
+    private logFail;
+    private normalizeError;
+    private execute;
+}
+//# sourceMappingURL=AbstractCalmConnection.d.ts.map

package/dist/server/connection/AbstractCalmConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AbstractCalmConnection.d.ts","sourceRoot":"","sources":["../../../src/server/connection/AbstractCalmConnection.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,WAAW,EACX,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,OAAO,EACR,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,KAAK,mBAAmB,EAEzB,MAAM,iBAAiB,CAAC;AAEzB,MAAM,WAAW,8BAA8B;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC7C,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC;;;;;OAKG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAuBD;;;;GAIG;AACH,8BAAsB,sBAAuB,YAAW,eAAe;IACrE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACnC,SAAS,CAAC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAC1C,SAAS,CAAC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1D,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IACtD,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;gBAExB,OAAO,EAAE,8BAA8B;IAcnD,mDAAmD;IACnD,SAAS,CAAC,QAAQ,CAAC,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEhE;;;OAGG;cACa,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1D,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAExB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAI7B,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC;IAIpD,WAAW,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,GAAG,OAAO,EACxC,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IA+B/B,OAAO,CAAC,OAAO;IAkBf,OAAO,CAAC,cAAc;YAQR,OAAO;CA0CtB"}