@mcp-abap-adt/calm-server 0.3.0 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,45 @@
 # Changelog
 
+## 0.4.0 — 2026-05-24
+
+Follows `@mcp-abap-adt/calm-client@0.4.0` (connection moved out of the
+client). Combines the auth-broker integration (M19) with a
+server-owned connection layer.
+
+### Changed (BREAKING)
+
+- **The server now owns the CALM connection.** New
+  `src/server/connection/` module on native `fetch`:
+  `AbstractCalmConnection`, `SandboxCalmConnection` (api-key),
+  `OAuth2CalmConnection` (Bearer via `ITokenRefresher`, one-shot
+  refresh+retry on 401/403), and the
+  `createCalmConnection(config, overrides?)` factory. Exposed via the
+  `./connection` subpath export. `@mcp-abap-adt/calm-client` no longer
+  ships `CalmConnection` (peer bumped to `^0.4.0`).
+- **`CALM_BASE_URL` is consumed verbatim** — service routes are appended
+  by plain concatenation; no `/api` injection. Paste `endpoints.Api`
+  from the service-key as-is (it already includes `/api`). Fixes the
+  silent double-`/api` 404 against live tenants.
+
+### Added
+
+- **Token acquisition via `@mcp-abap-adt/auth-broker`** (M19):
+  `buildCalmClient` is `async`, honours `CALM_AUTH_FLOW`
+  (`client_credentials` | `authorization_code`), and sources UAA creds
+  from inline `CALM_UAA_*` (legacy shim) or `./{destination}.env`
+  (produced by the `mcp-auth` CLI). The broker yields the
+  `ITokenRefresher` that is injected into `OAuth2CalmConnection` via the
+  factory's `tokenRefresher` override.
+- **Request-lifecycle logging** in the connection via an optional
+  `ILogger` (debug on request/response/retry, warn on transport
+  failure), threaded from `runStdio` through the stderr-safe
+  `StderrLogger`.
+
+### Fixed
+
+- `dotenv` moved from `devDependencies` to `dependencies` (imported at
+  runtime by `config.ts`).
+
 ## 0.3.0 — 2026-05-13
 
 Follows `@mcp-abap-adt/calm-client@0.3.0` (issue / PR #3 / #4 there).

package/README.md

@@ -83,6 +83,51 @@ npm run build && node dist/bin/stdio.js
 The server speaks MCP over stdio. Misconfiguration is reported to
 `stderr` with a non-zero exit code.
 
+## Authentication setup
+
+`calm-mcp` supports two OAuth2 flows for live tenants, selectable via
+`CALM_AUTH_FLOW`:
+
+| Flow | Use case | Browser? | Refresh token? |
+|---|---|---|---|
+| `client_credentials` (default) | technical service-binding (`sb-*` client) | no | no |
+| `authorization_code` | end-user dev workflow, full user scope | once | yes |
+
+### Option A — quick CC setup (technical user)
+
+Plain `.env` with inline `CALM_UAA_URL` / `CALM_UAA_CLIENT_ID` /
+`CALM_UAA_CLIENT_SECRET` works as before — no extra steps. The broker uses
+an in-memory session shim for these inline creds.
+
+### Option B — broker-backed setup (CC or AC)
+
+Use the bundled [`mcp-auth`](https://www.npmjs.com/package/@mcp-abap-adt/auth-broker)
+CLI to convert a BTP service key into a token-bearing `.env`:
+
+```bash
+# CC (no browser)
+npx mcp-auth --service-key ./sk.json --output ./DEFAULT.env \
+             --type xsuaa --credential
+
+# AC (browser pops once; refresh_token persists)
+npx mcp-auth --service-key ./sk.json --output ./DEFAULT.env \
+             --type xsuaa --browser auto
+```
+
+Then in your `.env`:
+
+```
+CALM_MODE=oauth2
+CALM_BASE_URL=https://<tenant>.<region>.alm.cloud.sap
+CALM_AUTH_FLOW=authorization_code   # or client_credentials
+CALM_DESTINATION=DEFAULT
+```
+
+The server's runtime auth pipeline is `@mcp-abap-adt/auth-broker`.
+
+> Note: `buildCalmClient` is async since v0.4.0 (was sync in v0.3.x). Library
+> consumers must `await` it.
+
 ### 3. Wire into Claude Desktop
 
 Add to your Claude Desktop config (`~/Library/Application Support/Claude/claude_desktop_config.json`

package/dist/server/auth/buildBroker.d.ts

@@ -0,0 +1,22 @@
+import { AuthBroker } from '@mcp-abap-adt/auth-broker';
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+import type { ICalmServerConfig } from '../config';
+/**
+ * Assemble an `AuthBroker` from server config.
+ *
+ * - Chooses `ClientCredentialsProvider` or `AuthorizationCodeProvider`
+ *   based on `config.authFlow`.
+ * - Chooses session store: legacy `SafeXsuaaSessionStore` shim when the
+ *   `.env` still inlines `CALM_UAA_*`, otherwise file-based
+ *   `XsuaaSessionStore` rooted at cwd (loads `./{destination}.env`).
+ * - `browser: 'none'` always — the runtime server never pops a browser;
+ *   interactive AC login is the job of the `mcp-auth` CLI.
+ * - `allowBrowserAuth` is flow-aware: `true` for CC (broker has a hard
+ *   gate that fires when a session lacks a refresh_token, regardless of
+ *   provider type — CC providers never need a browser anyway, so we let
+ *   the gate pass), `false` for AC (fail fast when refresh_token is
+ *   missing rather than try to launch a browser the stdio process
+ *   cannot show).
+ */
+export declare function buildAuthBroker(config: ICalmServerConfig, logger?: ILogger): Promise<AuthBroker>;
+//# sourceMappingURL=buildBroker.d.ts.map

package/dist/server/auth/buildBroker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildBroker.d.ts","sourceRoot":"","sources":["../../../src/server/auth/buildBroker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AAMvD,OAAO,KAAK,EACV,OAAO,EAGR,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAGnD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,iBAAiB,EACzB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,UAAU,CAAC,CA6CrB"}

package/dist/server/auth/buildBroker.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAuthBroker = buildAuthBroker;
+const auth_broker_1 = require("@mcp-abap-adt/auth-broker");
+const auth_providers_1 = require("@mcp-abap-adt/auth-providers");
+const auth_stores_1 = require("@mcp-abap-adt/auth-stores");
+const legacyEnvShim_1 = require("./legacyEnvShim");
+/**
+ * Assemble an `AuthBroker` from server config.
+ *
+ * - Chooses `ClientCredentialsProvider` or `AuthorizationCodeProvider`
+ *   based on `config.authFlow`.
+ * - Chooses session store: legacy `SafeXsuaaSessionStore` shim when the
+ *   `.env` still inlines `CALM_UAA_*`, otherwise file-based
+ *   `XsuaaSessionStore` rooted at cwd (loads `./{destination}.env`).
+ * - `browser: 'none'` always — the runtime server never pops a browser;
+ *   interactive AC login is the job of the `mcp-auth` CLI.
+ * - `allowBrowserAuth` is flow-aware: `true` for CC (broker has a hard
+ *   gate that fires when a session lacks a refresh_token, regardless of
+ *   provider type — CC providers never need a browser anyway, so we let
+ *   the gate pass), `false` for AC (fail fast when refresh_token is
+ *   missing rather than try to launch a browser the stdio process
+ *   cannot show).
+ */
+async function buildAuthBroker(config, logger) {
+    const shimStore = await (0, legacyEnvShim_1.buildLegacyShimStore)(config);
+    const sessionStore = shimStore ?? new auth_stores_1.XsuaaSessionStore(process.cwd(), config.baseUrl, logger);
+    // Resolve UAA credentials: inline config wins, otherwise read from
+    // session store (populated from `./{destination}.env` by `mcp-auth`).
+    const sessionAuth = await sessionStore.getAuthorizationConfig(config.destination);
+    const uaaUrl = config.uaaUrl || sessionAuth?.uaaUrl;
+    const uaaClientId = config.uaaClientId || sessionAuth?.uaaClientId;
+    const uaaClientSecret = config.uaaClientSecret || sessionAuth?.uaaClientSecret;
+    if (!uaaUrl || !uaaClientId || !uaaClientSecret) {
+        throw new Error(`[calm-mcp] UAA credentials missing for destination "${config.destination}". ` +
+            `Either inline CALM_UAA_URL/CALM_UAA_CLIENT_ID/CALM_UAA_CLIENT_SECRET in .env, ` +
+            `or run 'npx mcp-auth --service-key ./sk.json --output ./${config.destination}.env --type xsuaa' first.`);
+    }
+    const tokenProvider = config.authFlow === 'authorization_code'
+        ? new auth_providers_1.AuthorizationCodeProvider({
+            uaaUrl,
+            clientId: uaaClientId,
+            clientSecret: uaaClientSecret,
+            browser: 'none',
+            logger,
+        })
+        : new auth_providers_1.ClientCredentialsProvider({
+            uaaUrl,
+            clientId: uaaClientId,
+            clientSecret: uaaClientSecret,
+        });
+    const allowBrowserAuth = config.authFlow !== 'authorization_code';
+    return new auth_broker_1.AuthBroker({ sessionStore, tokenProvider, allowBrowserAuth }, 'none', logger);
+}
+//# sourceMappingURL=buildBroker.js.map

package/dist/server/auth/buildBroker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"buildBroker.js","sourceRoot":"","sources":["../../../src/server/auth/buildBroker.ts"],"names":[],"mappings":";;AA+BA,0CAgDC;AA/ED,2DAAuD;AACvD,iEAGsC;AACtC,2DAA8D;AAO9D,mDAAuD;AAEvD;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,eAAe,CACnC,MAAyB,EACzB,MAAgB;IAEhB,MAAM,SAAS,GAAG,MAAM,IAAA,oCAAoB,EAAC,MAAM,CAAC,CAAC;IACrD,MAAM,YAAY,GAChB,SAAS,IAAI,IAAI,+BAAiB,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,mEAAmE;IACnE,sEAAsE;IACtE,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAC3D,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,WAAW,EAAE,MAAM,CAAC;IACpD,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,WAAW,EAAE,WAAW,CAAC;IACnE,MAAM,eAAe,GACnB,MAAM,CAAC,eAAe,IAAI,WAAW,EAAE,eAAe,CAAC;IAEzD,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,uDAAuD,MAAM,CAAC,WAAW,KAAK;YAC5E,gFAAgF;YAChF,2DAA2D,MAAM,CAAC,WAAW,2BAA2B,CAC3G,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GACjB,MAAM,CAAC,QAAQ,KAAK,oBAAoB;QACtC,CAAC,CAAC,IAAI,0CAAyB,CAAC;YAC5B,MAAM;YACN,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,eAAe;YAC7B,OAAO,EAAE,MAAM;YACf,MAAM;SACP,CAAC;QACJ,CAAC,CAAC,IAAI,0CAAyB,CAAC;YAC5B,MAAM;YACN,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,eAAe;SAC9B,CAAC,CAAC;IAET,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,KAAK,oBAAoB,CAAC;IAElE,OAAO,IAAI,wBAAU,CACnB,EAAE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,EACjD,MAAM,EACN,MAAM,CACP,CAAC;AACJ,CAAC"}

package/dist/server/auth/legacyEnvShim.d.ts

@@ -0,0 +1,10 @@
+import type { ISessionStore } from '@mcp-abap-adt/interfaces';
+import type { ICalmServerConfig } from '../config';
+/**
+ * If the user's `.env` still inlines `CALM_UAA_URL`/`CALM_UAA_CLIENT_ID`/
+ * `CALM_UAA_CLIENT_SECRET` (pre-broker convention), build an in-memory
+ * SafeXsuaaSessionStore preloaded with those creds. Returns null if any
+ * of the three are missing — caller falls back to file-based store.
+ */
+export declare function buildLegacyShimStore(config: ICalmServerConfig): Promise<ISessionStore | null>;
+//# sourceMappingURL=legacyEnvShim.d.ts.map

package/dist/server/auth/legacyEnvShim.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"legacyEnvShim.d.ts","sourceRoot":"","sources":["../../../src/server/auth/legacyEnvShim.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAC9D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEnD;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAW/B"}

package/dist/server/auth/legacyEnvShim.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildLegacyShimStore = buildLegacyShimStore;
+const auth_stores_1 = require("@mcp-abap-adt/auth-stores");
+/**
+ * If the user's `.env` still inlines `CALM_UAA_URL`/`CALM_UAA_CLIENT_ID`/
+ * `CALM_UAA_CLIENT_SECRET` (pre-broker convention), build an in-memory
+ * SafeXsuaaSessionStore preloaded with those creds. Returns null if any
+ * of the three are missing — caller falls back to file-based store.
+ */
+async function buildLegacyShimStore(config) {
+    const { uaaUrl, uaaClientId, uaaClientSecret, baseUrl, destination } = config;
+    if (!uaaUrl || !uaaClientId || !uaaClientSecret)
+        return null;
+    const store = new auth_stores_1.SafeXsuaaSessionStore(baseUrl);
+    await store.setAuthorizationConfig(destination, {
+        uaaUrl,
+        uaaClientId,
+        uaaClientSecret,
+    });
+    return store;
+}
+//# sourceMappingURL=legacyEnvShim.js.map

package/dist/server/auth/legacyEnvShim.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"legacyEnvShim.js","sourceRoot":"","sources":["../../../src/server/auth/legacyEnvShim.ts"],"names":[],"mappings":";;AAUA,oDAaC;AAvBD,2DAAkE;AAIlE;;;;;GAKG;AACI,KAAK,UAAU,oBAAoB,CACxC,MAAyB;IAEzB,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;IAC9E,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC;IAE7D,MAAM,KAAK,GAAG,IAAI,mCAAqB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,KAAK,CAAC,sBAAsB,CAAC,WAAW,EAAE;QAC9C,MAAM;QACN,WAAW;QACX,eAAe;KAChB,CAAC,CAAC;IACH,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/server/buildClient.d.ts

@@ -1,10 +1,22 @@
 import { CalmClient } from '@mcp-abap-adt/calm-client';
+import type { ILogger } from '@mcp-abap-adt/interfaces';
 import type { ICalmServerConfig } from './config';
+export interface BuildCalmClientOptions {
+    logger?: ILogger;
+}
 /**
- * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`. Picks
- * OAuth2 or sandbox mode based on config.mode. The returned connection
- * is stateless from the server's perspective — constructing a fresh
- * CalmClient per process is cheap.
+ * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`.
+ *
+ * Connection construction (fetch transport, verbatim base URL, request
+ * logging) lives in `./connection`. Token acquisition is delegated:
+ *
+ * - `oauth2` mode: `@mcp-abap-adt/auth-broker` produces the
+ *   `ITokenRefresher` (honouring `CALM_AUTH_FLOW` + session stores);
+ *   it is injected into the connection via the factory's
+ *   `tokenRefresher` override. Pass `options.logger` (e.g.
+ *   `StderrLogger`) in stdio mode so broker + connection logs go to
+ *   stderr, never the MCP stdout frame stream.
+ * - `sandbox` mode: direct API-key auth, no broker involved.
  */
-export declare function buildCalmClient(config: ICalmServerConfig): CalmClient;
+export declare function buildCalmClient(config: ICalmServerConfig, options?: BuildCalmClientOptions): Promise<CalmClient>;
 //# sourceMappingURL=buildClient.d.ts.map

package/dist/server/buildClient.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"buildClient.d.ts","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAkB,MAAM,2BAA2B,CAAC;AAEvE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAoDlD;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,iBAAiB,GAAG,UAAU,CAoBrE"}
+{"version":3,"file":"buildClient.d.ts","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAGlD,MAAM,WAAW,sBAAsB;IACrC,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,iBAAiB,EACzB,OAAO,GAAE,sBAA2B,GACnC,OAAO,CAAC,UAAU,CAAC,CAcrB"}

package/dist/server/buildClient.js

@@ -2,73 +2,31 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildCalmClient = buildCalmClient;
 const calm_client_1 = require("@mcp-abap-adt/calm-client");
+const buildBroker_1 = require("./auth/buildBroker");
+const createCalmConnection_1 = require("./connection/createCalmConnection");
 /**
- * Minimal XSUAA `client_credentials` refresher — sufficient for
- * standalone-mode servers where no shared auth-broker/session store is
- * configured. Caches the token until explicitly refreshed. Production
- * consumers that already run `@mcp-abap-adt/auth-broker` elsewhere
- * should pass their own `ITokenRefresher` via `buildCalmClient.override`.
+ * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`.
+ *
+ * Connection construction (fetch transport, verbatim base URL, request
+ * logging) lives in `./connection`. Token acquisition is delegated:
+ *
+ * - `oauth2` mode: `@mcp-abap-adt/auth-broker` produces the
+ *   `ITokenRefresher` (honouring `CALM_AUTH_FLOW` + session stores);
+ *   it is injected into the connection via the factory's
+ *   `tokenRefresher` override. Pass `options.logger` (e.g.
+ *   `StderrLogger`) in stdio mode so broker + connection logs go to
+ *   stderr, never the MCP stdout frame stream.
+ * - `sandbox` mode: direct API-key auth, no broker involved.
  */
-class XsuaaRefresher {
-    uaaUrl;
-    clientId;
-    clientSecret;
-    cached;
-    constructor(uaaUrl, clientId, clientSecret) {
-        this.uaaUrl = uaaUrl;
-        this.clientId = clientId;
-        this.clientSecret = clientSecret;
-    }
-    async getToken() {
-        if (!this.cached)
-            return this.refreshToken();
-        return this.cached;
-    }
-    async refreshToken() {
-        const url = `${this.uaaUrl.replace(/\/$/, '')}/oauth/token`;
-        const basic = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
-        const response = await fetch(url, {
-            method: 'POST',
-            headers: {
-                Authorization: `Basic ${basic}`,
-                'Content-Type': 'application/x-www-form-urlencoded',
-                Accept: 'application/json',
-            },
-            body: 'grant_type=client_credentials',
-        });
-        if (!response.ok) {
-            const body = await response.text().catch(() => '');
-            throw new Error(`XSUAA token request failed: ${response.status} ${response.statusText} — ${body.slice(0, 200)}`);
-        }
-        const json = (await response.json());
-        if (!json.access_token) {
-            throw new Error('XSUAA token response missing access_token');
-        }
-        this.cached = json.access_token;
-        return this.cached;
-    }
-}
-/**
- * Build a ready-to-use `CalmClient` from a `ICalmServerConfig`. Picks
- * OAuth2 or sandbox mode based on config.mode. The returned connection
- * is stateless from the server's perspective — constructing a fresh
- * CalmClient per process is cheap.
- */
-function buildCalmClient(config) {
+async function buildCalmClient(config, options = {}) {
     if (config.mode === 'oauth2') {
-        const refresher = new XsuaaRefresher(config.uaaUrl, config.uaaClientId, config.uaaClientSecret);
-        const connection = new calm_client_1.CalmConnection({
-            baseUrl: config.baseUrl,
-            tokenRefresher: refresher,
-            defaultTimeout: config.timeoutMs,
-        });
-        return new calm_client_1.CalmClient(connection);
+        const broker = await (0, buildBroker_1.buildAuthBroker)(config, options.logger);
+        const tokenRefresher = broker.createTokenRefresher(config.destination);
+        return new calm_client_1.CalmClient((0, createCalmConnection_1.createCalmConnection)(config, {
+            tokenRefresher,
+            logger: options.logger,
+        }));
     }
-    const connection = new calm_client_1.CalmConnection({
-        baseUrl: config.baseUrl,
-        apiKey: config.apiKey,
-        defaultTimeout: config.timeoutMs,
-    });
-    return new calm_client_1.CalmClient(connection);
+    return new calm_client_1.CalmClient((0, createCalmConnection_1.createCalmConnection)(config, { logger: options.logger }));
 }
 //# sourceMappingURL=buildClient.js.map

package/dist/server/buildClient.js.map

@@ -1 +1 @@
-{"version":3,"file":"buildClient.js","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":";;AA4DA,0CAoBC;AAhFD,2DAAuE;AAIvE;;;;;;GAMG;AACH,MAAM,cAAc;IAIC;IACA;IACA;IALX,MAAM,CAAU;IAExB,YACmB,MAAc,EACd,QAAgB,EAChB,YAAoB;QAFpB,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAQ;QAChB,iBAAY,GAAZ,YAAY,CAAQ;IACpC,CAAC;IAEJ,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,QAAQ,CACzE,QAAQ,CACT,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,SAAS,KAAK,EAAE;gBAC/B,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,+BAA+B;SACtC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAChG,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;QAClE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC;QAChC,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,MAAyB;IACvD,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,IAAI,cAAc,CAClC,MAAM,CAAC,MAAgB,EACvB,MAAM,CAAC,WAAqB,EAC5B,MAAM,CAAC,eAAyB,CACjC,CAAC;QACF,MAAM,UAAU,GAAG,IAAI,4BAAc,CAAC;YACpC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc,EAAE,SAAS;YACzB,cAAc,EAAE,MAAM,CAAC,SAAS;SACjC,CAAC,CAAC;QACH,OAAO,IAAI,wBAAU,CAAC,UAAU,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,4BAAc,CAAC;QACpC,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM,EAAE,MAAM,CAAC,MAAgB;QAC/B,cAAc,EAAE,MAAM,CAAC,SAAS;KACjC,CAAC,CAAC;IACH,OAAO,IAAI,wBAAU,CAAC,UAAU,CAAC,CAAC;AACpC,CAAC"}
+{"version":3,"file":"buildClient.js","sourceRoot":"","sources":["../../src/server/buildClient.ts"],"names":[],"mappings":";;AAwBA,0CAiBC;AAzCD,2DAAuD;AAEvD,oDAAqD;AAErD,4EAAyE;AAMzE;;;;;;;;;;;;;GAaG;AACI,KAAK,UAAU,eAAe,CACnC,MAAyB,EACzB,UAAkC,EAAE;IAEpC,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7D,MAAM,cAAc,GAAG,MAAM,CAAC,oBAAoB,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACvE,OAAO,IAAI,wBAAU,CACnB,IAAA,2CAAoB,EAAC,MAAM,EAAE;YAC3B,cAAc;YACd,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CACH,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,wBAAU,CACnB,IAAA,2CAAoB,EAAC,MAAM,EAAE,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC,CACzD,CAAC;AACJ,CAAC"}

package/dist/server/config.d.ts

@@ -5,6 +5,7 @@
  */
 export declare function loadEnv(): void;
 export type CalmServerMode = 'oauth2' | 'sandbox';
+export type CalmAuthFlow = 'client_credentials' | 'authorization_code';
 export interface ICalmServerConfig {
     mode: CalmServerMode;
     baseUrl: string;
@@ -13,6 +14,8 @@ export interface ICalmServerConfig {
     uaaClientSecret?: string;
     apiKey?: string;
     timeoutMs: number;
+    authFlow: CalmAuthFlow;
+    destination: string;
 }
 export declare function readConfig(): ICalmServerConfig;
 //# sourceMappingURL=config.d.ts.map

package/dist/server/config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAMA;;;;GAIG;AACH,wBAAgB,OAAO,IAAI,IAAI,CAU9B;AAED,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,SAAS,CAAC;AAElD,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAYD,wBAAgB,UAAU,IAAI,iBAAiB,CAkC9C"}
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAMA;;;;GAIG;AACH,wBAAgB,OAAO,IAAI,IAAI,CAU9B;AAED,MAAM,MAAM,cAAc,GAAG,QAAQ,GAAG,SAAS,CAAC;AAClD,MAAM,MAAM,YAAY,GAAG,oBAAoB,GAAG,oBAAoB,CAAC;AAEvE,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,YAAY,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;CACrB;AAYD,wBAAgB,UAAU,IAAI,iBAAiB,CAsD9C"}

package/dist/server/config.js

@@ -38,6 +38,18 @@ function readConfig() {
     if (!mode) {
         throw new Error('[calm-mcp] CALM_MODE is required (oauth2 or sandbox). See .env.example.');
     }
+    const rawAuthFlow = process.env.CALM_AUTH_FLOW;
+    let authFlow = 'client_credentials';
+    if (rawAuthFlow) {
+        if (rawAuthFlow === 'client_credentials' ||
+            rawAuthFlow === 'authorization_code') {
+            authFlow = rawAuthFlow;
+        }
+        else {
+            throw new Error(`[calm-mcp] CALM_AUTH_FLOW must be 'client_credentials' or 'authorization_code', got "${rawAuthFlow}".`);
+        }
+    }
+    const destination = process.env.CALM_DESTINATION || 'DEFAULT';
     const timeoutMs = process.env.CALM_TIMEOUT
         ? Number(process.env.CALM_TIMEOUT)
         : 30_000;
@@ -45,10 +57,12 @@ function readConfig() {
         return {
             mode,
             baseUrl: required('CALM_BASE_URL'),
-            uaaUrl: required('CALM_UAA_URL'),
-            uaaClientId: required('CALM_UAA_CLIENT_ID'),
-            uaaClientSecret: required('CALM_UAA_CLIENT_SECRET'),
+            uaaUrl: process.env.CALM_UAA_URL,
+            uaaClientId: process.env.CALM_UAA_CLIENT_ID,
+            uaaClientSecret: process.env.CALM_UAA_CLIENT_SECRET,
             timeoutMs,
+            authFlow,
+            destination,
         };
     }
     if (mode === 'sandbox') {
@@ -57,6 +71,8 @@ function readConfig() {
             baseUrl: process.env.CALM_BASE_URL || 'https://sandbox.api.sap.com/SAPCALM',
             apiKey: required('CALM_API_KEY'),
             timeoutMs,
+            authFlow,
+            destination,
         };
     }
     throw new Error(`[calm-mcp] unknown CALM_MODE "${mode}"`);

package/dist/server/config.js.map

@@ -1 +1 @@
-{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":";;AAWA,0BAUC;AAwBD,gCAkCC;AA/ED,qCAAqC;AACrC,yCAAoC;AACpC,mCAAgD;AAEhD,IAAI,MAAM,GAAG,KAAK,CAAC;AAEnB;;;;GAIG;AACH,SAAgB,OAAO;IACrB,IAAI,MAAM;QAAE,OAAO;IACnB,MAAM,GAAG,IAAI,CAAC;IACd,qEAAqE;IACrE,mEAAmE;IACnE,kEAAkE;IAClE,2EAA2E;IAC3E,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO;IACvC,MAAM,IAAI,GAAG,IAAA,mBAAO,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5C,IAAI,IAAA,oBAAU,EAAC,IAAI,CAAC;QAAE,IAAA,eAAY,EAAC,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAcD,SAAS,QAAQ,CAAC,IAAY;IAC5B,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,IAAI,KAAK,CACb,sBAAsB,IAAI,6CAA6C,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,UAAU;IACxB,OAAO,EAAE,CAAC;IACV,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,EAElC,CAAC;IACd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY;QACxC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAClC,CAAC,CAAC,MAAM,CAAC;IAEX,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,IAAI;YACJ,OAAO,EAAE,QAAQ,CAAC,eAAe,CAAC;YAClC,MAAM,EAAE,QAAQ,CAAC,cAAc,CAAC;YAChC,WAAW,EAAE,QAAQ,CAAC,oBAAoB,CAAC;YAC3C,eAAe,EAAE,QAAQ,CAAC,wBAAwB,CAAC;YACnD,SAAS;SACV,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO;YACL,IAAI;YACJ,OAAO,EACL,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,qCAAqC;YACpE,MAAM,EAAE,QAAQ,CAAC,cAAc,CAAC;YAChC,SAAS;SACV,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,GAAG,CAAC,CAAC;AAC5D,CAAC"}
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":";;AAWA,0BAUC;AA2BD,gCAsDC;AAtGD,qCAAqC;AACrC,yCAAoC;AACpC,mCAAgD;AAEhD,IAAI,MAAM,GAAG,KAAK,CAAC;AAEnB;;;;GAIG;AACH,SAAgB,OAAO;IACrB,IAAI,MAAM;QAAE,OAAO;IACnB,MAAM,GAAG,IAAI,CAAC;IACd,qEAAqE;IACrE,mEAAmE;IACnE,kEAAkE;IAClE,2EAA2E;IAC3E,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO;IACvC,MAAM,IAAI,GAAG,IAAA,mBAAO,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5C,IAAI,IAAA,oBAAU,EAAC,IAAI,CAAC;QAAE,IAAA,eAAY,EAAC,EAAE,IAAI,EAAE,CAAC,CAAC;AAC/C,CAAC;AAiBD,SAAS,QAAQ,CAAC,IAAY;IAC5B,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,IAAI,KAAK,CACb,sBAAsB,IAAI,6CAA6C,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,UAAU;IACxB,OAAO,EAAE,CAAC;IACV,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,EAElC,CAAC;IACd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;IACJ,CAAC;IACD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;IAC/C,IAAI,QAAQ,GAAiB,oBAAoB,CAAC;IAClD,IAAI,WAAW,EAAE,CAAC;QAChB,IACE,WAAW,KAAK,oBAAoB;YACpC,WAAW,KAAK,oBAAoB,EACpC,CAAC;YACD,QAAQ,GAAG,WAAW,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,wFAAwF,WAAW,IAAI,CACxG,CAAC;QACJ,CAAC;IACH,CAAC;IACD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,SAAS,CAAC;IAE9D,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY;QACxC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAClC,CAAC,CAAC,MAAM,CAAC;IAEX,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,IAAI;YACJ,OAAO,EAAE,QAAQ,CAAC,eAAe,CAAC;YAClC,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;YAChC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB;YAC3C,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB;YACnD,SAAS;YACT,QAAQ;YACR,WAAW;SACZ,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,OAAO;YACL,IAAI;YACJ,OAAO,EACL,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,qCAAqC;YACpE,MAAM,EAAE,QAAQ,CAAC,cAAc,CAAC;YAChC,SAAS;YACT,QAAQ;YACR,WAAW;SACZ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iCAAiC,IAAI,GAAG,CAAC,CAAC;AAC5D,CAAC"}

package/dist/server/connection/AbstractCalmConnection.d.ts

@@ -0,0 +1,43 @@
+import type { CalmService, ICalmConnection, ICalmRequestOptions, ICalmResponse, ILogger } from '@mcp-abap-adt/interfaces';
+import { type CalmServiceRouteMap } from './serviceRoutes';
+export interface IAbstractCalmConnectionOptions {
+    baseUrl: string;
+    defaultTimeout?: number;
+    serviceRoutes?: Partial<CalmServiceRouteMap>;
+    defaultHeaders?: Record<string, string>;
+    /**
+     * Optional logger. Request lifecycle is logged at `debug`; transport
+     * failures at `warn`. In a stdio MCP runtime this MUST be a
+     * stderr-only logger (see `StderrLogger`) — never one that writes to
+     * stdout.
+     */
+    logger?: ILogger;
+}
+/**
+ * Shared fetch-based transport for Cloud ALM. Subclasses provide
+ * `attachAuth()` and may override `onAuthFailure()`. `baseUrl` is used
+ * verbatim — NO prefix injection.
+ */
+export declare abstract class AbstractCalmConnection implements ICalmConnection {
+    protected readonly baseUrl: string;
+    protected readonly defaultTimeout: number;
+    protected readonly defaultHeaders: Record<string, string>;
+    protected readonly serviceRoutes: CalmServiceRouteMap;
+    protected readonly logger?: ILogger;
+    constructor(options: IAbstractCalmConnectionOptions);
+    /** Subclass: return auth headers for a request. */
+    protected abstract attachAuth(): Promise<Record<string, string>>;
+    /**
+     * Subclass hook on 401/403. Return true to retry once. Default: no
+     * retry.
+     */
+    protected onAuthFailure(_status: number): Promise<boolean>;
+    connect(): Promise<void>;
+    getBaseUrl(): Promise<string>;
+    getServiceUrl(service: CalmService): Promise<string>;
+    makeRequest<T = unknown, D = unknown>(options: ICalmRequestOptions): Promise<ICalmResponse<T, D>>;
+    private logFail;
+    private normalizeError;
+    private execute;
+}
+//# sourceMappingURL=AbstractCalmConnection.d.ts.map

package/dist/server/connection/AbstractCalmConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AbstractCalmConnection.d.ts","sourceRoot":"","sources":["../../../src/server/connection/AbstractCalmConnection.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,WAAW,EACX,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,OAAO,EACR,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,KAAK,mBAAmB,EAEzB,MAAM,iBAAiB,CAAC;AAEzB,MAAM,WAAW,8BAA8B;IAC7C,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC7C,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC;;;;;OAKG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAuBD;;;;GAIG;AACH,8BAAsB,sBAAuB,YAAW,eAAe;IACrE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACnC,SAAS,CAAC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAC1C,SAAS,CAAC,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1D,SAAS,CAAC,QAAQ,CAAC,aAAa,EAAE,mBAAmB,CAAC;IACtD,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;gBAExB,OAAO,EAAE,8BAA8B;IAcnD,mDAAmD;IACnD,SAAS,CAAC,QAAQ,CAAC,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEhE;;;OAGG;cACa,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1D,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAExB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAI7B,aAAa,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC;IAIpD,WAAW,CAAC,CAAC,GAAG,OAAO,EAAE,CAAC,GAAG,OAAO,EACxC,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IA+B/B,OAAO,CAAC,OAAO;IAkBf,OAAO,CAAC,cAAc;YAQR,OAAO;CA0CtB"}

package/dist/server/connection/AbstractCalmConnection.js

@@ -0,0 +1,155 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AbstractCalmConnection = void 0;
+const calm_client_1 = require("@mcp-abap-adt/calm-client");
+const serviceRoutes_1 = require("./serviceRoutes");
+function trimTrailingSlash(v) {
+    return v.endsWith('/') ? v.slice(0, -1) : v;
+}
+function trimLeadingSlash(v) {
+    return v.startsWith('/') ? v.slice(1) : v;
+}
+function joinUrl(base, path) {
+    if (!path)
+        return trimTrailingSlash(base);
+    return `${trimTrailingSlash(base)}/${trimLeadingSlash(path)}`;
+}
+function toQueryString(params) {
+    if (!params || typeof params !== 'object')
+        return '';
+    const usp = new URLSearchParams();
+    for (const [k, v] of Object.entries(params)) {
+        if (v === undefined || v === null)
+            continue;
+        usp.append(k, String(v));
+    }
+    const s = usp.toString();
+    return s ? `?${s}` : '';
+}
+/**
+ * Shared fetch-based transport for Cloud ALM. Subclasses provide
+ * `attachAuth()` and may override `onAuthFailure()`. `baseUrl` is used
+ * verbatim — NO prefix injection.
+ */
+class AbstractCalmConnection {
+    baseUrl;
+    defaultTimeout;
+    defaultHeaders;
+    serviceRoutes;
+    logger;
+    constructor(options) {
+        this.baseUrl = trimTrailingSlash(options.baseUrl);
+        this.defaultTimeout = options.defaultTimeout ?? 30_000;
+        this.defaultHeaders = {
+            Accept: 'application/json',
+            ...options.defaultHeaders,
+        };
+        this.serviceRoutes = {
+            ...serviceRoutes_1.DEFAULT_CALM_SERVICE_ROUTES,
+            ...options.serviceRoutes,
+        };
+        this.logger = options.logger;
+    }
+    /**
+     * Subclass hook on 401/403. Return true to retry once. Default: no
+     * retry.
+     */
+    async onAuthFailure(_status) {
+        return false;
+    }
+    async connect() { }
+    async getBaseUrl() {
+        return this.baseUrl;
+    }
+    async getServiceUrl(service) {
+        return joinUrl(this.baseUrl, this.serviceRoutes[service]);
+    }
+    async makeRequest(options) {
+        const base = options.service
+            ? await this.getServiceUrl(options.service)
+            : this.baseUrl;
+        const url = joinUrl(base, options.url) + toQueryString(options.params);
+        this.logger?.debug(`[calm] ${options.method} ${url}`);
+        try {
+            return await this.execute(url, options);
+        }
+        catch (err) {
+            const status = err instanceof calm_client_1.CalmApiError ? err.status : undefined;
+            if (status !== undefined && (await this.onAuthFailure(status))) {
+                this.logger?.debug(`[calm] ${status} from ${options.method} ${url} — refreshed auth, retrying once`);
+                // Retry once. The retry's own errors (network, abort, HTTP) go
+                // through the same normalization — never escape as a raw error.
+                try {
+                    return await this.execute(url, options);
+                }
+                catch (retryErr) {
+                    throw this.logFail(options.method, url, this.normalizeError(retryErr));
+                }
+            }
+            throw this.logFail(options.method, url, this.normalizeError(err));
+        }
+    }
+    logFail(method, url, err) {
+        // HTTP statuses (403/404/4xx/5xx) are expected operational signals —
+        // log at debug. Transport/network failures (no status) are logged at
+        // warn since they usually indicate misconfiguration or outage.
+        if (err.status === undefined) {
+            this.logger?.warn(`[calm] ${method} ${url} failed: ${err.message}`);
+        }
+        else {
+            this.logger?.debug(`[calm] ${method} ${url} -> ${err.status} (${err.code})`);
+        }
+        return err;
+    }
+    normalizeError(err) {
+        if (err instanceof calm_client_1.CalmApiError)
+            return err;
+        return calm_client_1.CalmApiError.fromNetwork(err, err instanceof Error ? err.message : String(err));
+    }
+    async execute(url, options) {
+        const auth = await this.attachAuth();
+        const headers = { ...this.defaultHeaders, ...auth, ...options.headers };
+        const init = {
+            method: options.method,
+            headers,
+            signal: AbortSignal.timeout(options.timeout ?? this.defaultTimeout),
+        };
+        if (options.data !== undefined) {
+            init.body =
+                typeof options.data === 'string'
+                    ? options.data
+                    : JSON.stringify(options.data);
+            if (!('Content-Type' in headers) && !('content-type' in headers)) {
+                headers['Content-Type'] =
+                    'application/json';
+            }
+        }
+        const response = await fetch(url, init);
+        const raw = await response.text();
+        const parsed = raw ? safeJson(raw) : undefined;
+        if (!response.ok) {
+            throw (0, calm_client_1.calmErrorFromBody)(response.status, parsed ?? raw);
+        }
+        this.logger?.debug(`[calm] ${response.status} ${options.method} ${url}`);
+        const outHeaders = {};
+        response.headers.forEach((v, k) => {
+            outHeaders[k] = v;
+        });
+        return {
+            data: parsed,
+            status: response.status,
+            statusText: response.statusText,
+            headers: outHeaders,
+        };
+    }
+}
+exports.AbstractCalmConnection = AbstractCalmConnection;
+function safeJson(text) {
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return text;
+    }
+}
+//# sourceMappingURL=AbstractCalmConnection.js.map

package/dist/server/connection/AbstractCalmConnection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AbstractCalmConnection.js","sourceRoot":"","sources":["../../../src/server/connection/AbstractCalmConnection.ts"],"names":[],"mappings":";;;AAAA,2DAA4E;AAQ5E,mDAGyB;AAgBzB,SAAS,iBAAiB,CAAC,CAAS;IAClC,OAAO,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AACD,SAAS,gBAAgB,CAAC,CAAS;IACjC,OAAO,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5C,CAAC;AACD,SAAS,OAAO,CAAC,IAAY,EAAE,IAAY;IACzC,IAAI,CAAC,IAAI;QAAE,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC1C,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;AAChE,CAAC;AACD,SAAS,aAAa,CAAC,MAAe;IACpC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IACrD,MAAM,GAAG,GAAG,IAAI,eAAe,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAiC,CAAC,EAAE,CAAC;QACvE,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,IAAI;YAAE,SAAS;QAC5C,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IACzB,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,MAAsB,sBAAsB;IACvB,OAAO,CAAS;IAChB,cAAc,CAAS;IACvB,cAAc,CAAyB;IACvC,aAAa,CAAsB;IACnC,MAAM,CAAW;IAEpC,YAAY,OAAuC;QACjD,IAAI,CAAC,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,MAAM,CAAC;QACvD,IAAI,CAAC,cAAc,GAAG;YACpB,MAAM,EAAE,kBAAkB;YAC1B,GAAG,OAAO,CAAC,cAAc;SAC1B,CAAC;QACF,IAAI,CAAC,aAAa,GAAG;YACnB,GAAG,2CAA2B;YAC9B,GAAG,OAAO,CAAC,aAAa;SACzB,CAAC;QACF,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IAKD;;;OAGG;IACO,KAAK,CAAC,aAAa,CAAC,OAAe;QAC3C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,OAAO,KAAmB,CAAC;IAEjC,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAoB;QACtC,OAAO,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,WAAW,CACf,OAA4B;QAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO;YAC1B,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC;YAC3C,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;QACjB,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAEvE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,OAAO,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,OAAO,CAAO,GAAG,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAG,GAAG,YAAY,0BAAY,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;YACpE,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC/D,IAAI,CAAC,MAAM,EAAE,KAAK,CAChB,UAAU,MAAM,SAAS,OAAO,CAAC,MAAM,IAAI,GAAG,kCAAkC,CACjF,CAAC;gBACF,+DAA+D;gBAC/D,gEAAgE;gBAChE,IAAI,CAAC;oBACH,OAAO,MAAM,IAAI,CAAC,OAAO,CAAO,GAAG,EAAE,OAAO,CAAC,CAAC;gBAChD,CAAC;gBAAC,OAAO,QAAQ,EAAE,CAAC;oBAClB,MAAM,IAAI,CAAC,OAAO,CAChB,OAAO,CAAC,MAAM,EACd,GAAG,EACH,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAC9B,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAEO,OAAO,CACb,MAAc,EACd,GAAW,EACX,GAAiB;QAEjB,qEAAqE;QACrE,qEAAqE;QACrE,+DAA+D;QAC/D,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,MAAM,IAAI,GAAG,YAAY,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,EAAE,KAAK,CAChB,UAAU,MAAM,IAAI,GAAG,OAAO,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,IAAI,GAAG,CACzD,CAAC;QACJ,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAEO,cAAc,CAAC,GAAY;QACjC,IAAI,GAAG,YAAY,0BAAY;YAAE,OAAO,GAAG,CAAC;QAC5C,OAAO,0BAAY,CAAC,WAAW,CAC7B,GAAG,EACH,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CACjD,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,GAAW,EACX,OAA4B;QAE5B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,EAAE,GAAG,IAAI,CAAC,cAAc,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;QACxE,MAAM,IAAI,GAAgB;YACxB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO;YACP,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,cAAc,CAAC;SACpE,CAAC;QACF,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI;gBACP,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ;oBAC9B,CAAC,CAAC,OAAO,CAAC,IAAI;oBACd,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,CAAC,CAAC,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,cAAc,IAAI,OAAO,CAAC,EAAE,CAAC;gBAChE,OAAkC,CAAC,cAAc,CAAC;oBACjD,kBAAkB,CAAC;YACvB,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAE/C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAA,+BAAiB,EAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,IAAI,GAAG,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,QAAQ,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;QACzE,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YAChC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC,CAAC,CAAC;QACH,OAAO;YACL,IAAI,EAAE,MAAW;YACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,OAAO,EAAE,UAAU;SACG,CAAC;IAC3B,CAAC;CACF;AA/ID,wDA+IC;AAED,SAAS,QAAQ,CAAC,IAAY;IAC5B,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/server/connection/OAuth2CalmConnection.d.ts

@@ -0,0 +1,13 @@
+import type { ITokenRefresher } from '@mcp-abap-adt/interfaces';
+import { AbstractCalmConnection, type IAbstractCalmConnectionOptions } from './AbstractCalmConnection';
+export interface IOAuth2CalmConnectionOptions extends IAbstractCalmConnectionOptions {
+    tokenRefresher: ITokenRefresher;
+}
+export declare class OAuth2CalmConnection extends AbstractCalmConnection {
+    private readonly tokenRefresher;
+    constructor(options: IOAuth2CalmConnectionOptions);
+    connect(): Promise<void>;
+    protected attachAuth(): Promise<Record<string, string>>;
+    protected onAuthFailure(status: number): Promise<boolean>;
+}
+//# sourceMappingURL=OAuth2CalmConnection.d.ts.map

package/dist/server/connection/OAuth2CalmConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OAuth2CalmConnection.d.ts","sourceRoot":"","sources":["../../../src/server/connection/OAuth2CalmConnection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,EACL,sBAAsB,EACtB,KAAK,8BAA8B,EACpC,MAAM,0BAA0B,CAAC;AAElC,MAAM,WAAW,4BACf,SAAQ,8BAA8B;IACtC,cAAc,EAAE,eAAe,CAAC;CACjC;AAED,qBAAa,oBAAqB,SAAQ,sBAAsB;IAC9D,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAkB;gBACrC,OAAO,EAAE,4BAA4B;IAK3C,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;cAId,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;cAK7C,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAOhE"}

package/dist/server/connection/OAuth2CalmConnection.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuth2CalmConnection = void 0;
+const AbstractCalmConnection_1 = require("./AbstractCalmConnection");
+class OAuth2CalmConnection extends AbstractCalmConnection_1.AbstractCalmConnection {
+    tokenRefresher;
+    constructor(options) {
+        super(options);
+        this.tokenRefresher = options.tokenRefresher;
+    }
+    async connect() {
+        await this.tokenRefresher.getToken();
+    }
+    async attachAuth() {
+        const token = await this.tokenRefresher.getToken();
+        return { Authorization: `Bearer ${token}` };
+    }
+    async onAuthFailure(status) {
+        if (status === 401 || status === 403) {
+            await this.tokenRefresher.refreshToken();
+            return true;
+        }
+        return false;
+    }
+}
+exports.OAuth2CalmConnection = OAuth2CalmConnection;
+//# sourceMappingURL=OAuth2CalmConnection.js.map

package/dist/server/connection/OAuth2CalmConnection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OAuth2CalmConnection.js","sourceRoot":"","sources":["../../../src/server/connection/OAuth2CalmConnection.ts"],"names":[],"mappings":";;;AACA,qEAGkC;AAOlC,MAAa,oBAAqB,SAAQ,+CAAsB;IAC7C,cAAc,CAAkB;IACjD,YAAY,OAAqC;QAC/C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;IAC/C,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC;IACvC,CAAC;IAES,KAAK,CAAC,UAAU;QACxB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC;QACnD,OAAO,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;IAC9C,CAAC;IAES,KAAK,CAAC,aAAa,CAAC,MAAc;QAC1C,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,EAAE,CAAC;YACrC,MAAM,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAvBD,oDAuBC"}

package/dist/server/connection/SandboxCalmConnection.d.ts

@@ -0,0 +1,10 @@
+import { AbstractCalmConnection, type IAbstractCalmConnectionOptions } from './AbstractCalmConnection';
+export interface ISandboxCalmConnectionOptions extends IAbstractCalmConnectionOptions {
+    apiKey: string;
+}
+export declare class SandboxCalmConnection extends AbstractCalmConnection {
+    private readonly apiKey;
+    constructor(options: ISandboxCalmConnectionOptions);
+    protected attachAuth(): Promise<Record<string, string>>;
+}
+//# sourceMappingURL=SandboxCalmConnection.d.ts.map

package/dist/server/connection/SandboxCalmConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SandboxCalmConnection.d.ts","sourceRoot":"","sources":["../../../src/server/connection/SandboxCalmConnection.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EACtB,KAAK,8BAA8B,EACpC,MAAM,0BAA0B,CAAC;AAElC,MAAM,WAAW,6BACf,SAAQ,8BAA8B;IACtC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,qBAAsB,SAAQ,sBAAsB;IAC/D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;gBACpB,OAAO,EAAE,6BAA6B;cAIlC,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAG9D"}

package/dist/server/connection/SandboxCalmConnection.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SandboxCalmConnection = void 0;
+const AbstractCalmConnection_1 = require("./AbstractCalmConnection");
+class SandboxCalmConnection extends AbstractCalmConnection_1.AbstractCalmConnection {
+    apiKey;
+    constructor(options) {
+        super(options);
+        this.apiKey = options.apiKey;
+    }
+    async attachAuth() {
+        return { APIKey: this.apiKey };
+    }
+}
+exports.SandboxCalmConnection = SandboxCalmConnection;
+//# sourceMappingURL=SandboxCalmConnection.js.map

package/dist/server/connection/SandboxCalmConnection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SandboxCalmConnection.js","sourceRoot":"","sources":["../../../src/server/connection/SandboxCalmConnection.ts"],"names":[],"mappings":";;;AAAA,qEAGkC;AAOlC,MAAa,qBAAsB,SAAQ,+CAAsB;IAC9C,MAAM,CAAS;IAChC,YAAY,OAAsC;QAChD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC/B,CAAC;IACS,KAAK,CAAC,UAAU;QACxB,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC;IACjC,CAAC;CACF;AATD,sDASC"}

package/dist/server/connection/XsuaaRefresher.d.ts

@@ -0,0 +1,18 @@
+import type { ITokenRefresher } from '@mcp-abap-adt/interfaces';
+/**
+ * Minimal XSUAA `client_credentials` refresher — sufficient for
+ * standalone-mode servers without a shared auth-broker. Caches the
+ * token until `refreshToken()` is called. Consumers running
+ * `@mcp-abap-adt/auth-broker` can pass their own ITokenRefresher to
+ * the connection factory instead.
+ */
+export declare class XsuaaRefresher implements ITokenRefresher {
+    private readonly uaaUrl;
+    private readonly clientId;
+    private readonly clientSecret;
+    private cached?;
+    constructor(uaaUrl: string, clientId: string, clientSecret: string);
+    getToken(): Promise<string>;
+    refreshToken(): Promise<string>;
+}
+//# sourceMappingURL=XsuaaRefresher.d.ts.map

package/dist/server/connection/XsuaaRefresher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"XsuaaRefresher.d.ts","sourceRoot":"","sources":["../../../src/server/connection/XsuaaRefresher.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAEhE;;;;;;GAMG;AACH,qBAAa,cAAe,YAAW,eAAe;IAIlD,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,YAAY;IAL/B,OAAO,CAAC,MAAM,CAAC,CAAS;gBAGL,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM;IAGjC,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;IAK3B,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;CA2BtC"}

package/dist/server/connection/XsuaaRefresher.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XsuaaRefresher = void 0;
+/**
+ * Minimal XSUAA `client_credentials` refresher — sufficient for
+ * standalone-mode servers without a shared auth-broker. Caches the
+ * token until `refreshToken()` is called. Consumers running
+ * `@mcp-abap-adt/auth-broker` can pass their own ITokenRefresher to
+ * the connection factory instead.
+ */
+class XsuaaRefresher {
+    uaaUrl;
+    clientId;
+    clientSecret;
+    cached;
+    constructor(uaaUrl, clientId, clientSecret) {
+        this.uaaUrl = uaaUrl;
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+    }
+    async getToken() {
+        if (!this.cached)
+            return this.refreshToken();
+        return this.cached;
+    }
+    async refreshToken() {
+        const url = `${this.uaaUrl.replace(/\/$/, '')}/oauth/token`;
+        const basic = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
+        const response = await fetch(url, {
+            method: 'POST',
+            headers: {
+                Authorization: `Basic ${basic}`,
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: 'grant_type=client_credentials',
+        });
+        if (!response.ok) {
+            const body = await response.text().catch(() => '');
+            throw new Error(`XSUAA token request failed: ${response.status} ${response.statusText} — ${body.slice(0, 200)}`);
+        }
+        const json = (await response.json());
+        if (!json.access_token) {
+            throw new Error('XSUAA token response missing access_token');
+        }
+        this.cached = json.access_token;
+        return this.cached;
+    }
+}
+exports.XsuaaRefresher = XsuaaRefresher;
+//# sourceMappingURL=XsuaaRefresher.js.map

package/dist/server/connection/XsuaaRefresher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"XsuaaRefresher.js","sourceRoot":"","sources":["../../../src/server/connection/XsuaaRefresher.ts"],"names":[],"mappings":";;;AAEA;;;;;;GAMG;AACH,MAAa,cAAc;IAIN;IACA;IACA;IALX,MAAM,CAAU;IAExB,YACmB,MAAc,EACd,QAAgB,EAChB,YAAoB;QAFpB,WAAM,GAAN,MAAM,CAAQ;QACd,aAAQ,GAAR,QAAQ,CAAQ;QAChB,iBAAY,GAAZ,YAAY,CAAQ;IACpC,CAAC;IAEJ,KAAK,CAAC,QAAQ;QACZ,IAAI,CAAC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,QAAQ,CACzE,QAAQ,CACT,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,SAAS,KAAK,EAAE;gBAC/B,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,+BAA+B;SACtC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACnD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAChG,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA8B,CAAC;QAClE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC;QAChC,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF;AAzCD,wCAyCC"}

package/dist/server/connection/createCalmConnection.d.ts

@@ -0,0 +1,13 @@
+import type { ICalmConnection, ILogger, ITokenRefresher } from '@mcp-abap-adt/interfaces';
+import type { ICalmServerConfig } from '../config';
+export interface ICreateCalmConnectionOverrides {
+    /** Bring-your-own refresher; overrides the default XsuaaRefresher. */
+    tokenRefresher?: ITokenRefresher;
+    /**
+     * Logger passed through to the connection. In a stdio runtime pass a
+     * stderr-only logger (`StderrLogger`); never one that writes stdout.
+     */
+    logger?: ILogger;
+}
+export declare function createCalmConnection(config: ICalmServerConfig, overrides?: ICreateCalmConnectionOverrides): ICalmConnection;
+//# sourceMappingURL=createCalmConnection.d.ts.map

package/dist/server/connection/createCalmConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createCalmConnection.d.ts","sourceRoot":"","sources":["../../../src/server/connection/createCalmConnection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,OAAO,EACP,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAKnD,MAAM,WAAW,8BAA8B;IAC7C,sEAAsE;IACtE,cAAc,CAAC,EAAE,eAAe,CAAC;IACjC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,iBAAiB,EACzB,SAAS,GAAE,8BAAmC,GAC7C,eAAe,CA2BjB"}

package/dist/server/connection/createCalmConnection.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createCalmConnection = createCalmConnection;
+const OAuth2CalmConnection_1 = require("./OAuth2CalmConnection");
+const SandboxCalmConnection_1 = require("./SandboxCalmConnection");
+const XsuaaRefresher_1 = require("./XsuaaRefresher");
+function createCalmConnection(config, overrides = {}) {
+    if (config.mode === 'oauth2') {
+        const tokenRefresher = overrides.tokenRefresher ??
+            new XsuaaRefresher_1.XsuaaRefresher(config.uaaUrl, config.uaaClientId, config.uaaClientSecret);
+        return new OAuth2CalmConnection_1.OAuth2CalmConnection({
+            baseUrl: config.baseUrl,
+            tokenRefresher,
+            defaultTimeout: config.timeoutMs,
+            logger: overrides.logger,
+        });
+    }
+    if (config.mode === 'sandbox') {
+        return new SandboxCalmConnection_1.SandboxCalmConnection({
+            baseUrl: config.baseUrl,
+            apiKey: config.apiKey,
+            defaultTimeout: config.timeoutMs,
+            logger: overrides.logger,
+        });
+    }
+    throw new Error(`Unsupported CALM mode: ${config.mode}`);
+}
+//# sourceMappingURL=createCalmConnection.js.map

package/dist/server/connection/createCalmConnection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createCalmConnection.js","sourceRoot":"","sources":["../../../src/server/connection/createCalmConnection.ts"],"names":[],"mappings":";;AAoBA,oDA8BC;AA5CD,iEAA8D;AAC9D,mEAAgE;AAChE,qDAAkD;AAYlD,SAAgB,oBAAoB,CAClC,MAAyB,EACzB,YAA4C,EAAE;IAE9C,IAAI,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,MAAM,cAAc,GAClB,SAAS,CAAC,cAAc;YACxB,IAAI,+BAAc,CAChB,MAAM,CAAC,MAAgB,EACvB,MAAM,CAAC,WAAqB,EAC5B,MAAM,CAAC,eAAyB,CACjC,CAAC;QACJ,OAAO,IAAI,2CAAoB,CAAC;YAC9B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,cAAc;YACd,cAAc,EAAE,MAAM,CAAC,SAAS;YAChC,MAAM,EAAE,SAAS,CAAC,MAAM;SACzB,CAAC,CAAC;IACL,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9B,OAAO,IAAI,6CAAqB,CAAC;YAC/B,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,MAAM,EAAE,MAAM,CAAC,MAAgB;YAC/B,cAAc,EAAE,MAAM,CAAC,SAAS;YAChC,MAAM,EAAE,SAAS,CAAC,MAAM;SACzB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,IAAI,KAAK,CACb,0BAA2B,MAA2B,CAAC,IAAI,EAAE,CAC9D,CAAC;AACJ,CAAC"}

package/dist/server/connection/index.d.ts

@@ -0,0 +1,10 @@
+export type { IAbstractCalmConnectionOptions } from './AbstractCalmConnection';
+export { AbstractCalmConnection } from './AbstractCalmConnection';
+export { createCalmConnection, type ICreateCalmConnectionOverrides, } from './createCalmConnection';
+export type { IOAuth2CalmConnectionOptions } from './OAuth2CalmConnection';
+export { OAuth2CalmConnection } from './OAuth2CalmConnection';
+export type { ISandboxCalmConnectionOptions } from './SandboxCalmConnection';
+export { SandboxCalmConnection } from './SandboxCalmConnection';
+export { type CalmServiceRouteMap, DEFAULT_CALM_SERVICE_ROUTES, } from './serviceRoutes';
+export { XsuaaRefresher } from './XsuaaRefresher';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/connection/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/connection/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,8BAA8B,EAAE,MAAM,0BAA0B,CAAC;AAC/E,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EACL,oBAAoB,EACpB,KAAK,8BAA8B,GACpC,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,4BAA4B,EAAE,MAAM,wBAAwB,CAAC;AAC3E,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,YAAY,EAAE,6BAA6B,EAAE,MAAM,yBAAyB,CAAC;AAC7E,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EACL,KAAK,mBAAmB,EACxB,2BAA2B,GAC5B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/server/connection/index.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.XsuaaRefresher = exports.DEFAULT_CALM_SERVICE_ROUTES = exports.SandboxCalmConnection = exports.OAuth2CalmConnection = exports.createCalmConnection = exports.AbstractCalmConnection = void 0;
+var AbstractCalmConnection_1 = require("./AbstractCalmConnection");
+Object.defineProperty(exports, "AbstractCalmConnection", { enumerable: true, get: function () { return AbstractCalmConnection_1.AbstractCalmConnection; } });
+var createCalmConnection_1 = require("./createCalmConnection");
+Object.defineProperty(exports, "createCalmConnection", { enumerable: true, get: function () { return createCalmConnection_1.createCalmConnection; } });
+var OAuth2CalmConnection_1 = require("./OAuth2CalmConnection");
+Object.defineProperty(exports, "OAuth2CalmConnection", { enumerable: true, get: function () { return OAuth2CalmConnection_1.OAuth2CalmConnection; } });
+var SandboxCalmConnection_1 = require("./SandboxCalmConnection");
+Object.defineProperty(exports, "SandboxCalmConnection", { enumerable: true, get: function () { return SandboxCalmConnection_1.SandboxCalmConnection; } });
+var serviceRoutes_1 = require("./serviceRoutes");
+Object.defineProperty(exports, "DEFAULT_CALM_SERVICE_ROUTES", { enumerable: true, get: function () { return serviceRoutes_1.DEFAULT_CALM_SERVICE_ROUTES; } });
+var XsuaaRefresher_1 = require("./XsuaaRefresher");
+Object.defineProperty(exports, "XsuaaRefresher", { enumerable: true, get: function () { return XsuaaRefresher_1.XsuaaRefresher; } });
+//# sourceMappingURL=index.js.map

package/dist/server/connection/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/connection/index.ts"],"names":[],"mappings":";;;AACA,mEAAkE;AAAzD,gIAAA,sBAAsB,OAAA;AAC/B,+DAGgC;AAF9B,4HAAA,oBAAoB,OAAA;AAItB,+DAA8D;AAArD,4HAAA,oBAAoB,OAAA;AAE7B,iEAAgE;AAAvD,8HAAA,qBAAqB,OAAA;AAC9B,iDAGyB;AADvB,4HAAA,2BAA2B,OAAA;AAE7B,mDAAkD;AAAzC,gHAAA,cAAc,OAAA"}

package/dist/server/connection/serviceRoutes.d.ts

@@ -0,0 +1,16 @@
+import type { CalmService } from '@mcp-abap-adt/interfaces';
+export type CalmServiceRouteMap = Record<CalmService, string>;
+/**
+ * Cloud ALM service route suffixes appended to `baseUrl` verbatim.
+ *
+ * Full URL = `joinUrl(baseUrl, serviceRoute)`. `baseUrl` already
+ * includes any tenant mount prefix (for OAuth2 tenants that is the
+ * `/api` that SAP puts in `endpoints.Api`; for sandbox it is the
+ * `/SAPCALM` suffix). The connection layer does NOT inject a prefix.
+ *
+ * Seeded from `sap-cloud-alm-odata-mcp/src/config.rs`; verify against
+ * a live tenant. Override per-connection via the `serviceRoutes` ctor
+ * option.
+ */
+export declare const DEFAULT_CALM_SERVICE_ROUTES: CalmServiceRouteMap;
+//# sourceMappingURL=serviceRoutes.d.ts.map

package/dist/server/connection/serviceRoutes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serviceRoutes.d.ts","sourceRoot":"","sources":["../../../src/server/connection/serviceRoutes.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAE5D,MAAM,MAAM,mBAAmB,GAAG,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;AAE9D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,EAAE,mBAUzC,CAAC"}

package/dist/server/connection/serviceRoutes.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_CALM_SERVICE_ROUTES = void 0;
+/**
+ * Cloud ALM service route suffixes appended to `baseUrl` verbatim.
+ *
+ * Full URL = `joinUrl(baseUrl, serviceRoute)`. `baseUrl` already
+ * includes any tenant mount prefix (for OAuth2 tenants that is the
+ * `/api` that SAP puts in `endpoints.Api`; for sandbox it is the
+ * `/SAPCALM` suffix). The connection layer does NOT inject a prefix.
+ *
+ * Seeded from `sap-cloud-alm-odata-mcp/src/config.rs`; verify against
+ * a live tenant. Override per-connection via the `serviceRoutes` ctor
+ * option.
+ */
+exports.DEFAULT_CALM_SERVICE_ROUTES = {
+    features: '/calm-features/v1',
+    documents: '/calm-documents/v1',
+    tasks: '/calm-tasks/v1',
+    projects: '/calm-projects/v1',
+    testManagement: '/calm-testmanagement/v1',
+    hierarchy: '/calm-processhierarchy/v1',
+    analytics: '/calm-analytics/v1/odata/v4/analytics',
+    processMonitoring: '/calm-processmonitoring/v1',
+    logs: '/calm-logs/v1',
+};
+//# sourceMappingURL=serviceRoutes.js.map

package/dist/server/connection/serviceRoutes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serviceRoutes.js","sourceRoot":"","sources":["../../../src/server/connection/serviceRoutes.ts"],"names":[],"mappings":";;;AAIA;;;;;;;;;;;GAWG;AACU,QAAA,2BAA2B,GAAwB;IAC9D,QAAQ,EAAE,mBAAmB;IAC7B,SAAS,EAAE,oBAAoB;IAC/B,KAAK,EAAE,gBAAgB;IACvB,QAAQ,EAAE,mBAAmB;IAC7B,cAAc,EAAE,yBAAyB;IACzC,SAAS,EAAE,2BAA2B;IACtC,SAAS,EAAE,uCAAuC;IAClD,iBAAiB,EAAE,4BAA4B;IAC/C,IAAI,EAAE,eAAe;CACtB,CAAC"}

package/dist/server/runStdio.js

@@ -20,7 +20,7 @@ const PACKAGE_VERSION = '0.3.0';
 async function runStdio() {
     const logger = new stderrLogger_1.StderrLogger();
     const config = (0, config_1.readConfig)();
-    const calm = (0, buildClient_1.buildCalmClient)(config);
+    const calm = await (0, buildClient_1.buildCalmClient)(config, { logger });
     const server = new BaseCalmMcpServer_1.BaseCalmMcpServer({
         name: PACKAGE_NAME,
         version: PACKAGE_VERSION,

package/dist/server/runStdio.js.map

@@ -1 +1 @@
-{"version":3,"file":"runStdio.js","sourceRoot":"","sources":["../../src/server/runStdio.ts"],"names":[],"mappings":";;AAkBA,4BAwCC;AA1DD,wEAAiF;AACjF,oCAAsC;AACtC,2DAAwD;AACxD,+CAAgD;AAChD,qCAAsC;AACtC,iDAA8C;AAE9C,MAAM,YAAY,GAAG,2BAA2B,CAAC;AACjD,MAAM,eAAe,GAAG,OAAO,CAAC;AAEhC;;;;;;;GAOG;AACI,KAAK,UAAU,QAAQ;IAC5B,MAAM,MAAM,GAAG,IAAI,2BAAY,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,IAAA,mBAAU,GAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,IAAA,6BAAe,EAAC,MAAM,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,IAAI,qCAAiB,CAAC;QACnC,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,eAAe;QACxB,IAAI;QACJ,MAAM;QACN,MAAM,EAAE,CAAC,GAAG,kBAAU,CAAC;KACxB,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE;QAC/B,OAAO,EAAE,YAAY;QACrB,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,KAAK,EAAE,MAAM,CAAC,mBAAmB,EAAE,CAAC,MAAM;KAC3C,CAAC,CAAC;IAEH,mEAAmE;IACnE,0DAA0D;IAC1D,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;IAErC,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAEhD,mEAAmE;IACnE,4DAA4D;IAC5D,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;QACzC,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;gBAAS,CAAC;YACT,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC"}
+{"version":3,"file":"runStdio.js","sourceRoot":"","sources":["../../src/server/runStdio.ts"],"names":[],"mappings":";;AAkBA,4BAwCC;AA1DD,wEAAiF;AACjF,oCAAsC;AACtC,2DAAwD;AACxD,+CAAgD;AAChD,qCAAsC;AACtC,iDAA8C;AAE9C,MAAM,YAAY,GAAG,2BAA2B,CAAC;AACjD,MAAM,eAAe,GAAG,OAAO,CAAC;AAEhC;;;;;;;GAOG;AACI,KAAK,UAAU,QAAQ;IAC5B,MAAM,MAAM,GAAG,IAAI,2BAAY,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,IAAA,mBAAU,GAAE,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,IAAA,6BAAe,EAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,IAAI,qCAAiB,CAAC;QACnC,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,eAAe;QACxB,IAAI;QACJ,MAAM;QACN,MAAM,EAAE,CAAC,GAAG,kBAAU,CAAC;KACxB,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE;QAC/B,OAAO,EAAE,YAAY;QACrB,OAAO,EAAE,eAAe;QACxB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,KAAK,EAAE,MAAM,CAAC,mBAAmB,EAAE,CAAC,MAAM;KAC3C,CAAC,CAAC;IAEH,mEAAmE;IACnE,0DAA0D;IAC1D,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;IAErC,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAEhD,mEAAmE;IACnE,4DAA4D;IAC5D,MAAM,QAAQ,GAAG,KAAK,IAAmB,EAAE;QACzC,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QACjD,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;QACvB,CAAC;gBAAS,CAAC;YACT,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/calm-server",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "MCP server + reusable tool primitives for SAP Cloud ALM, backed by @mcp-abap-adt/calm-client.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -19,6 +19,10 @@
     "./registry": {
       "types": "./dist/registry/index.d.ts",
       "default": "./dist/registry/index.js"
+    },
+    "./connection": {
+      "types": "./dist/server/connection/index.d.ts",
+      "default": "./dist/server/connection/index.js"
     }
   },
   "files": [
@@ -63,16 +67,22 @@
     "tools"
   ],
   "peerDependencies": {
-    "@mcp-abap-adt/calm-client": "^0.3.0",
+    "@mcp-abap-adt/auth-broker": "^1.0.5",
+    "@mcp-abap-adt/auth-providers": "^1.0.5",
+    "@mcp-abap-adt/auth-stores": "^1.0.4",
+    "@mcp-abap-adt/calm-client": "^0.4.0",
     "@mcp-abap-adt/interfaces": "^7.1.0",
     "@modelcontextprotocol/sdk": "^1.0.0"
   },
+  "dependencies": {
+    "dotenv": "^17.3.1"
+  },
   "devDependencies": {
     "@biomejs/biome": "^2.4.4",
     "@mcp-abap-adt/auth-broker": "^1.0.5",
     "@mcp-abap-adt/auth-providers": "^1.0.5",
     "@mcp-abap-adt/auth-stores": "^1.0.4",
-    "@mcp-abap-adt/calm-client": "^0.3.0",
+    "@mcp-abap-adt/calm-client": "^0.4.0",
     "@mcp-abap-adt/interfaces": "^7.1.0",
     "@mcp-abap-adt/logger": "^0.1.4",
     "@modelcontextprotocol/sdk": "^1.0.0",