@mcp-abap-adt/core 2.1.3 → 2.1.6

package/dist/server/v1/legacy-server.js

@@ -0,0 +1,2099 @@
+#!/usr/bin/env node
+"use strict";
+// Simple stdio mode detection (like reference implementation)
+// No output suppression needed - dotenv removed, manual .env parsing used
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mcp_abap_adt_server = exports.createDefaultHandlerExporter = exports.HandlerExporter = exports.getConfig = exports.setSapConfigOverride = void 0;
+exports.setAbapConnectionOverride = setAbapConnectionOverride;
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const mcp_handlers_1 = require("./mcp_handlers");
+const path_1 = __importDefault(require("path"));
+const os = __importStar(require("os"));
+const crypto_1 = require("crypto");
+const header_validator_1 = require("@mcp-abap-adt/header-validator");
+const interfaces_1 = require("@mcp-abap-adt/interfaces");
+const index_1 = require("../../lib/auth/index");
+const AuthBrokerConfig_js_1 = require("./AuthBrokerConfig.js");
+const platformPaths_1 = require("../../lib/stores/platformPaths");
+const runtimeConfig_1 = require("../../lib/config/runtimeConfig");
+const yamlConfig_1 = require("../../lib/config/yamlConfig");
+const index_2 = require("../../lib/config/index");
+// Import handler functions
+// Import handler functions
+// New low-level handlers imports
+// Import shared utility functions and types
+const utils_1 = require("../../lib/utils");
+const config_js_1 = require("../../lib/config.js");
+Object.defineProperty(exports, "getConfig", { enumerable: true, get: function () { return config_js_1.getConfig; } });
+Object.defineProperty(exports, "setSapConfigOverride", { enumerable: true, get: function () { return config_js_1.setSapConfigOverride; } });
+const connection_1 = require("@mcp-abap-adt/connection");
+const loggerAdapter_1 = require("../../lib/loggerAdapter");
+// Import logger
+const logger_1 = require("../../lib/logger");
+// import { defaultLogger as logger } from "@mcp-abap-adt/logger";
+// Import tool registry
+// Import TOOL_DEFINITION from handlers
+// New low-level handlers TOOL_DEFINITION imports
+// --- ENV FILE LOADING LOGIC ---
+const fs_1 = __importDefault(require("fs"));
+/**
+ * Additional help sections specific to v1 server
+ */
+const V1_HELP_SECTIONS = `
+ENVIRONMENT VARIABLES:
+  DEBUG_AUTH_LOG                   Enable debug logging for auth-broker (true|false)
+                                   Default: false (only info messages shown)
+  DEBUG_AUTH_BROKER                Alias for DEBUG_AUTH_LOG
+  DEBUG_HTTP_REQUESTS              Enable logging of HTTP requests (true|false)
+  DEBUG_CONNECTORS                 Enable debug logging for connection layer (true|false)
+  DEBUG_HANDLERS                   Enable debug logging for MCP handlers (true|false)
+  AUTH_BROKER_PATH                 Custom paths for service keys and sessions
+                                   Unix: colon-separated (e.g., /path1:/path2)
+                                   Windows: semicolon-separated (e.g., C:\\\\path1;C:\\\\path2)
+
+SAP CONNECTION (.env file):
+  SAP_URL                          SAP system URL (required)
+  SAP_CLIENT                       SAP client number (required)
+  SAP_AUTH_TYPE                    Authentication type: basic|jwt (default: basic)
+  SAP_USERNAME                     SAP username (required for basic auth)
+  SAP_PASSWORD                     SAP password (required for basic auth)
+  SAP_JWT_TOKEN                    JWT token (required for jwt auth)
+
+GENERATING .ENV FROM SERVICE KEY:
+  Install connection package: npm install -g @mcp-abap-adt/connection
+  Generate .env: sap-abap-auth auth -k path/to/service-key.json
+
+SERVICE KEYS (Destination-Based Authentication):
+  Store service keys in platform-specific locations:
+    Linux/macOS: ~/.config/mcp-abap-adt/service-keys/{destination}.json
+    Windows:     %USERPROFILE%\\\\Documents\\\\mcp-abap-adt\\\\service-keys\\\\{destination}.json
+
+  Using Destinations:
+    In HTTP headers: x-mcp-destination: TRIAL
+    Or via CLI:      mcp-abap-adt --mcp=TRIAL
+
+CLINE CONFIGURATION EXAMPLES (~/.cline/mcp.json):
+
+  1. Stdio with .env file:
+    {
+      "mcpServers": {
+        "mcp-abap-adt": {
+          "type": "stdio",
+          "command": "mcp-abap-adt",
+          "args": ["--env=/path/to/.env"]
+        }
+      }
+    }
+
+  2. Stdio with MCP destination (service key):
+    {
+      "mcpServers": {
+        "mcp-abap-adt": {
+          "type": "stdio",
+          "command": "mcp-abap-adt",
+          "args": ["--mcp=TRIAL"]
+        }
+      }
+    }
+
+  3. SSE transport:
+    {
+      "mcpServers": {
+        "mcp-abap-adt": {
+          "type": "sse",
+          "url": "http://localhost:3001/sse"
+        }
+      }
+    }
+
+DOCUMENTATION:
+  https://github.com/fr0ster/mcp-abap-adt
+  Installation:    docs/installation/INSTALLATION.md
+  Configuration:   docs/user-guide/CLIENT_CONFIGURATION.md
+  Available Tools: docs/user-guide/AVAILABLE_TOOLS.md
+`;
+/**
+ * Display help message using unified ServerConfigManager
+ */
+function showHelp() {
+    console.log(index_2.ServerConfigManager.generateHelp(V1_HELP_SECTIONS));
+    process.exit(0);
+}
+// Check for version/help flags
+if (process.argv.includes("--version") || process.argv.includes("-v")) {
+    const packageJsonPath = path_1.default.join(__dirname, "..", "..", "..", "package.json");
+    const packageJson = JSON.parse(fs_1.default.readFileSync(packageJsonPath, "utf8"));
+    console.log(packageJson.version);
+    process.exit(0);
+}
+if (process.argv.includes("--help") || process.argv.includes("-h")) {
+    showHelp();
+}
+// Load YAML config if --config parameter is provided
+// YAML config values are applied to process.argv (command-line args override YAML)
+const configPath = (0, yamlConfig_1.parseConfigArg)();
+if (configPath) {
+    try {
+        // Generate template if file doesn't exist
+        const templateGenerated = (0, yamlConfig_1.generateConfigTemplateIfNeeded)(configPath);
+        // If template was just generated, exit successfully
+        // User needs to edit the file before running the server
+        if (templateGenerated) {
+            if (process.platform === 'win32') {
+                setTimeout(() => process.exit(0), 100);
+            }
+            else {
+                process.exit(0);
+            }
+        }
+        // Load and apply YAML config (only if file exists)
+        const yamlConfig = (0, yamlConfig_1.loadYamlConfig)(configPath);
+        if (yamlConfig) {
+            (0, yamlConfig_1.applyYamlConfigToArgs)(yamlConfig);
+            // Only write to stderr if not in stdio mode (stdio mode requires clean JSON only)
+            const isStdioMode = process.env.MCP_TRANSPORT === "stdio" || !process.stdin.isTTY;
+            if (!isStdioMode) {
+                process.stderr.write(`[MCP-CONFIG] Loaded and validated configuration from: ${configPath}\n`);
+            }
+        }
+    }
+    catch (error) {
+        const errorMsg = `Failed to load YAML config: ${error instanceof Error ? error.message : String(error)}`;
+        process.stderr.write(`[MCP-CONFIG] ✗ ERROR: ${errorMsg}\n`);
+        if (process.platform === 'win32') {
+            setTimeout(() => process.exit(1), 100);
+        }
+        else {
+            process.exit(1);
+        }
+    }
+}
+// Runtime config (shared, no side-effects)
+const { useAuthBroker, isTestEnv, authBrokerPath, defaultMcpDestination, browser, unsafe, explicitTransportType, transportType, isHttp, isSse, isStdio, isEnvMandatory, envFilePath: initialEnvFilePath, } = (0, runtimeConfig_1.buildRuntimeConfig)();
+// Skip .env autoload under explicit instructions, auth-broker, mcp default, or test env
+const skipEnvAutoload = process.env.MCP_SKIP_ENV_LOAD === "true" ||
+    process.env.MCP_ENV_LOADED_BY_LAUNCHER === "true" ||
+    useAuthBroker ||
+    !!defaultMcpDestination ||
+    isTestEnv;
+// If using auth-broker (--mcp or --auth-broker), clear SAP_* env vars to prevent .env from being used
+// This ensures that even if .env was loaded earlier or vars are set in system, they won't be used
+if (skipEnvAutoload && (useAuthBroker || !!defaultMcpDestination)) {
+    const sapEnvKeys = Object.keys(process.env).filter(key => key.startsWith('SAP_'));
+    for (const key of sapEnvKeys) {
+        delete process.env[key];
+    }
+    if (sapEnvKeys.length > 0 && !isStdio) {
+        process.stderr.write(`[MCP-ENV] Cleared ${sapEnvKeys.length} SAP_* environment variables (using auth-broker)\n`);
+    }
+}
+let envFilePath = initialEnvFilePath;
+// Debug: Always log on Windows to help diagnose issues
+if (process.platform === 'win32' && !isStdio) {
+    process.stderr.write(`[MCP-ENV] parseEnvArg() returned: ${envFilePath || '(undefined)'}\n`);
+    process.stderr.write(`[MCP-ENV] MCP_ENV_PATH: ${process.env.MCP_ENV_PATH || '(not set)'}\n`);
+    process.stderr.write(`[MCP-ENV] Final envFilePath: ${envFilePath || '(will search for .env)'}\n`);
+}
+if (!skipEnvAutoload) {
+    if (!envFilePath) {
+        // Default behavior: search in current working directory (where user runs the command)
+        // If .env exists, use it; otherwise will use auth-broker
+        const cwdEnvPath = path_1.default.resolve(process.cwd(), ".env");
+        if (fs_1.default.existsSync(cwdEnvPath)) {
+            envFilePath = cwdEnvPath;
+            // Only write to stderr if not in stdio mode (stdio mode requires clean JSON only)
+            if (!isStdio) {
+                process.stderr.write(`[MCP-ENV] Found .env file: ${envFilePath}\n`);
+            }
+        }
+    }
+    else {
+        // Only write to stderr if not in stdio mode
+        if (!isStdio) {
+            process.stderr.write(`[MCP-ENV] Using .env from argument/env: ${envFilePath}\n`);
+            // On Windows, also log the resolved path for debugging
+            if (process.platform === 'win32') {
+                const resolvedPath = path_1.default.isAbsolute(envFilePath)
+                    ? envFilePath
+                    : path_1.default.resolve(process.cwd(), envFilePath);
+                process.stderr.write(`[MCP-ENV] Will resolve to: ${resolvedPath}\n`);
+            }
+        }
+    }
+    if (envFilePath) {
+        // Normalize path separators for Windows compatibility
+        // On Windows, backslashes in paths need special handling
+        // path.resolve() and path.normalize() should handle this, but let's be explicit
+        // First, normalize all backslashes to forward slashes for consistent processing
+        // Then use path methods which handle platform-specific separators correctly
+        const normalizedPath = envFilePath.replace(/\\/g, '/');
+        if (!path_1.default.isAbsolute(normalizedPath)) {
+            // For relative paths, use path.resolve which handles .\ and ./ correctly on all platforms
+            // path.resolve automatically handles both .\mdd.env and ./mdd.env formats
+            envFilePath = path_1.default.resolve(process.cwd(), normalizedPath);
+            // Only write to stderr if not in stdio mode
+            if (!isStdio) {
+                process.stderr.write(`[MCP-ENV] Resolved relative path to: ${envFilePath}\n`);
+            }
+        }
+        else {
+            // For absolute paths, normalize using path.normalize
+            envFilePath = path_1.default.normalize(envFilePath);
+        }
+        // Verify file exists before attempting to load
+        if (!fs_1.default.existsSync(envFilePath)) {
+            const errorMsg = `[MCP-ENV] ✗ ERROR: .env file not found at: ${envFilePath}\n` +
+                `[MCP-ENV]   Current working directory: ${process.cwd()}\n` +
+                `[MCP-ENV]   Please check the path and try again.\n`;
+            process.stderr.write(errorMsg);
+            if (process.platform === 'win32') {
+                setTimeout(() => process.exit(1), 100);
+            }
+            else {
+                process.exit(1);
+            }
+        }
+        if (fs_1.default.existsSync(envFilePath)) {
+            // For stdio mode, load .env manually to avoid any output from dotenv library
+            if (isStdio) {
+                // Manual .env parsing for stdio mode (no library output)
+                try {
+                    const envContent = fs_1.default.readFileSync(envFilePath, "utf8");
+                    const lines = envContent.split(/\r?\n/);
+                    for (const line of lines) {
+                        const trimmed = line.trim();
+                        // Skip empty lines and comments
+                        if (!trimmed || trimmed.startsWith("#")) {
+                            continue;
+                        }
+                        // Parse KEY=VALUE format
+                        const eqIndex = trimmed.indexOf("=");
+                        if (eqIndex === -1) {
+                            continue;
+                        }
+                        const key = trimmed.substring(0, eqIndex).trim();
+                        let value = trimmed.substring(eqIndex + 1);
+                        // Remove inline comments (everything after #)
+                        // This handles cases like: KEY=value # comment or KEY=value#comment
+                        // Find first # and remove everything after it (including the #)
+                        const commentIndex = value.indexOf('#');
+                        if (commentIndex !== -1) {
+                            // Remove everything from # onwards, then trim trailing whitespace
+                            const beforeComment = value.substring(0, commentIndex);
+                            value = beforeComment.trim();
+                        }
+                        else {
+                            value = value.trim();
+                        }
+                        // Parse value: remove quotes and trim
+                        let unquotedValue = value.trim();
+                        unquotedValue = unquotedValue.replace(/^["']+|["']+$/g, '').trim();
+                        // URLs from .env files are expected to be clean - just use as-is
+                        if (key === 'SAP_URL') {
+                            // No special processing needed
+                            // Debug logging for Windows
+                            if (process.platform === 'win32' && !isStdio) {
+                                process.stderr.write(`[MCP-ENV] Parsed SAP_URL: "${unquotedValue}" (length: ${unquotedValue.length})\n`);
+                            }
+                        }
+                        // Only set if not already in process.env (don't override launcher's cleaned values)
+                        if (key && !process.env[key]) {
+                            process.env[key] = unquotedValue;
+                        }
+                    }
+                }
+                catch (error) {
+                    // Silent fail for stdio mode - just exit
+                    process.exit(1);
+                }
+            }
+            else {
+                // For non-stdio modes, use manual parsing (dotenv removed to avoid stdout pollution)
+                try {
+                    const envContent = fs_1.default.readFileSync(envFilePath, "utf8");
+                    const lines = envContent.split(/\r?\n/);
+                    for (const line of lines) {
+                        const trimmed = line.trim();
+                        if (!trimmed || trimmed.startsWith("#")) {
+                            continue;
+                        }
+                        const eqIndex = trimmed.indexOf("=");
+                        if (eqIndex === -1) {
+                            continue;
+                        }
+                        const key = trimmed.substring(0, eqIndex).trim();
+                        let value = trimmed.substring(eqIndex + 1);
+                        // Remove inline comments (everything after #)
+                        // This handles cases like: KEY=value # comment or KEY=value#comment
+                        // Find first # and remove everything after it (including the #)
+                        const commentIndex = value.indexOf('#');
+                        if (commentIndex !== -1) {
+                            // Remove everything from # onwards, then trim trailing whitespace
+                            const beforeComment = value.substring(0, commentIndex);
+                            value = beforeComment.trim();
+                        }
+                        else {
+                            value = value.trim();
+                        }
+                        // Parse value: remove quotes and trim
+                        let unquotedValue = value.trim();
+                        unquotedValue = unquotedValue.replace(/^["']+|["']+$/g, '').trim();
+                        // URLs from .env files are expected to be clean - just use as-is
+                        if (key === 'SAP_URL') {
+                            // No special processing needed
+                            // Debug logging for Windows
+                            if (process.platform === 'win32' && !isStdio) {
+                                process.stderr.write(`[MCP-ENV] Parsed SAP_URL: "${unquotedValue}" (length: ${unquotedValue.length})\n`);
+                            }
+                        }
+                        // Only set if not already in process.env (don't override launcher's cleaned values)
+                        if (key && !process.env[key]) {
+                            process.env[key] = unquotedValue;
+                        }
+                    }
+                    process.stderr.write(`[MCP-ENV] ✓ Successfully loaded: ${envFilePath}\n`);
+                    // Debug: log SAP_URL if loaded (for troubleshooting on Windows)
+                    if (process.env.SAP_URL) {
+                        const urlHex = Buffer.from(process.env.SAP_URL, 'utf8').toString('hex');
+                        process.stderr.write(`[MCP-ENV] SAP_URL loaded: "${process.env.SAP_URL}" (length: ${process.env.SAP_URL.length})\n`);
+                        if (process.platform === 'win32') {
+                            process.stderr.write(`[MCP-ENV] SAP_URL (hex): ${urlHex.substring(0, 60)}...\n`);
+                            // Check for comments
+                            if (process.env.SAP_URL.includes('#')) {
+                                process.stderr.write(`[MCP-ENV] ⚠ WARNING: SAP_URL contains # character (comment not removed?)\n`);
+                            }
+                        }
+                    }
+                    else {
+                        process.stderr.write(`[MCP-ENV] ⚠ WARNING: SAP_URL not found in .env file\n`);
+                    }
+                }
+                catch (error) {
+                    process.stderr.write(`[MCP-ENV] ✗ Failed to load: ${envFilePath}\n`);
+                    if (error instanceof Error) {
+                        process.stderr.write(`[MCP-ENV] Error: ${error.message}\n`);
+                    }
+                }
+            }
+        }
+        else {
+            // .env file specified but not found
+            if (isEnvMandatory) {
+                // Always write error to stderr (stderr is safe even in stdio mode, unlike stdout)
+                logger_1.logger?.error(".env file not found", { path: envFilePath });
+                process.stderr.write(`[MCP-ENV] ✗ ERROR: .env file not found at: ${envFilePath}\n`);
+                process.stderr.write(`[MCP-ENV]   Current working directory: ${process.cwd()}\n`);
+                process.stderr.write(`[MCP-ENV]   Transport mode '${transportType}' requires .env file.\n`);
+                process.stderr.write(`[MCP-ENV]   Use --env=/path/to/.env to specify custom location\n`);
+                // On Windows, add a small delay before exit to allow error message to be visible
+                if (process.platform === 'win32') {
+                    setTimeout(() => process.exit(1), 100);
+                }
+                else {
+                    process.exit(1);
+                }
+            }
+            else {
+                // Always write error to stderr (stderr is safe even in stdio mode)
+                process.stderr.write(`[MCP-ENV] ✗ ERROR: .env file not found at: ${envFilePath}\n`);
+                process.stderr.write(`[MCP-ENV]   Transport mode '${transportType}' was explicitly specified but .env file is missing.\n`);
+                process.stderr.write(`[MCP-ENV]   Use --env=/path/to/.env to specify custom location\n`);
+                // On Windows, add a small delay before exit to allow error message to be visible
+                if (process.platform === 'win32') {
+                    setTimeout(() => process.exit(1), 100);
+                }
+                else {
+                    process.exit(1);
+                }
+            }
+        }
+    }
+    else {
+        // No .env file found and none specified
+        if (isEnvMandatory) {
+            // Transport explicitly set to stdio/sse but no .env found
+            const cwdEnvPath = path_1.default.resolve(process.cwd(), ".env");
+            // Always write error to stderr (stderr is safe even in stdio mode)
+            logger_1.logger?.error(".env file not found", { path: cwdEnvPath });
+            process.stderr.write(`[MCP-ENV] ✗ ERROR: .env file not found in current directory: ${process.cwd()}\n`);
+            process.stderr.write(`[MCP-ENV]   Transport mode '${transportType}' requires .env file.\n`);
+            process.stderr.write(`[MCP-ENV]   Use --env=/path/to/.env to specify custom location\n`);
+            // On Windows, add a small delay before exit to allow error message to be visible
+            if (process.platform === 'win32') {
+                setTimeout(() => process.exit(1), 100);
+            }
+            else {
+                process.exit(1);
+            }
+        }
+        else {
+            // No .env found, but transport is stdio (default) - this is OK for HTTP/SSE, but stdio requires .env or --mcp
+            if (explicitTransportType === null) {
+                // Transport not specified, using default (stdio)
+                // For stdio mode, don't write to stderr
+                if (!isStdio) {
+                    process.stderr.write(`[MCP-ENV] NOTE: No .env file found in current directory: ${process.cwd()}\n`);
+                    process.stderr.write(`[MCP-ENV]   Starting in HTTP mode (no .env file required)\n`);
+                }
+            }
+            else {
+                // Transport explicitly set to HTTP - this is OK
+                // For stdio mode, don't write to stderr
+                if (!isStdio) {
+                    process.stderr.write(`[MCP-ENV] NOTE: No .env file found, continuing in ${transportType} mode\n`);
+                }
+            }
+        }
+    }
+}
+else if (envFilePath) {
+    if (!path_1.default.isAbsolute(envFilePath)) {
+        envFilePath = path_1.default.resolve(process.cwd(), envFilePath);
+    }
+    // For stdio mode, don't write to stderr
+    if (!isStdio) {
+        process.stderr.write(`[MCP-ENV] Environment autoload skipped; using provided path reference: ${envFilePath}\n`);
+    }
+}
+else {
+    // For stdio mode, don't write to stderr
+    if (!isStdio) {
+        process.stderr.write(`[MCP-ENV] Environment autoload skipped (MCP_SKIP_ENV_LOAD=true).\n`);
+    }
+}
+// --- END ENV FILE LOADING LOGIC ---
+// Debug: Log loaded SAP_URL and SAP_CLIENT using the MCP-compatible logger
+// Skip logging in stdio mode (MCP protocol requires clean JSON only)
+if (!isStdio) {
+    const envLogPath = envFilePath ?? "(skipped)";
+    logger_1.logger?.info("SAP configuration loaded", {
+        type: "CONFIG_INFO",
+        SAP_URL: process.env.SAP_URL,
+        SAP_CLIENT: process.env.SAP_CLIENT || "(not set)",
+        SAP_AUTH_TYPE: process.env.SAP_AUTH_TYPE || "(not set)",
+        SAP_JWT_TOKEN: process.env.SAP_JWT_TOKEN ? "[set]" : "(not set)",
+        ENV_PATH: envLogPath,
+        CWD: process.cwd(),
+        DIRNAME: __dirname,
+        TRANSPORT: transportType
+    });
+}
+function getArgValue(name) {
+    const args = process.argv;
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg.startsWith(`${name}=`)) {
+            return arg.slice(name.length + 1);
+        }
+        if (arg === name && i + 1 < args.length) {
+            return args[i + 1];
+        }
+    }
+    return undefined;
+}
+function hasFlag(name) {
+    return process.argv.includes(name);
+}
+function parseBoolean(value) {
+    if (!value) {
+        return false;
+    }
+    const normalized = value.trim().toLowerCase();
+    return normalized === "1" || normalized === "true" || normalized === "yes" || normalized === "on";
+}
+function resolvePortOption(argName, envName, defaultValue) {
+    const rawValue = getArgValue(argName) ?? process.env[envName];
+    if (!rawValue) {
+        return defaultValue;
+    }
+    const port = Number.parseInt(rawValue, 10);
+    if (!Number.isInteger(port) || port <= 0 || port > 65535) {
+        throw new Error(`Invalid port value for ${argName}: ${rawValue}`);
+    }
+    return port;
+}
+function resolveBooleanOption(argName, envName, defaultValue) {
+    const argValue = getArgValue(argName);
+    if (argValue !== undefined) {
+        return parseBoolean(argValue);
+    }
+    if (hasFlag(argName)) {
+        return true;
+    }
+    const envValue = process.env[envName];
+    if (envValue !== undefined) {
+        return parseBoolean(envValue);
+    }
+    return defaultValue;
+}
+function resolveListOption(argName, envName) {
+    const rawValue = getArgValue(argName) ?? process.env[envName];
+    if (!rawValue) {
+        return undefined;
+    }
+    const items = rawValue
+        .split(",")
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+    return items.length > 0 ? items : undefined;
+}
+function parseTransportConfig() {
+    // Use the transport type we already determined (handles explicit args, env vars, and defaults)
+    const normalized = transportType;
+    if (normalized &&
+        normalized !== "stdio" &&
+        normalized !== "http" &&
+        normalized !== "streamable-http" &&
+        normalized !== "server" &&
+        normalized !== "sse") {
+        throw new Error(`Unsupported transport: ${normalized}`);
+    }
+    const sseRequested = normalized === "sse" ||
+        hasFlag("--sse");
+    if (sseRequested) {
+        const port = resolvePortOption("--sse-port", "MCP_SSE_PORT", 3001);
+        // Default to localhost (127.0.0.1) for security - only accepts local connections
+        // Use 0.0.0.0 to accept connections from all interfaces (less secure)
+        const host = getArgValue("--sse-host") ?? process.env.MCP_SSE_HOST ?? "127.0.0.1";
+        const allowedOrigins = resolveListOption("--sse-allowed-origins", "MCP_SSE_ALLOWED_ORIGINS");
+        const allowedHosts = resolveListOption("--sse-allowed-hosts", "MCP_SSE_ALLOWED_HOSTS");
+        const enableDnsRebindingProtection = resolveBooleanOption("--sse-enable-dns-protection", "MCP_SSE_ENABLE_DNS_PROTECTION", false);
+        return {
+            type: "sse",
+            host,
+            port,
+            allowedOrigins,
+            allowedHosts,
+            enableDnsRebindingProtection,
+        };
+    }
+    const httpRequested = normalized === "http" ||
+        normalized === "streamable-http" ||
+        normalized === "server" ||
+        hasFlag("--http") ||
+        // Note: Default is stdio (set in runtimeConfig), so this only applies if explicitly requested
+        (!sseRequested && normalized !== "stdio");
+    if (httpRequested) {
+        const port = resolvePortOption("--http-port", "MCP_HTTP_PORT", 3000);
+        // Default to localhost (127.0.0.1) for security - only accepts local connections
+        // Use 0.0.0.0 to accept connections from all interfaces (less secure)
+        const host = getArgValue("--http-host") ?? process.env.MCP_HTTP_HOST ?? "127.0.0.1";
+        const enableJsonResponse = resolveBooleanOption("--http-json-response", "MCP_HTTP_ENABLE_JSON_RESPONSE", false);
+        const allowedOrigins = resolveListOption("--http-allowed-origins", "MCP_HTTP_ALLOWED_ORIGINS");
+        const allowedHosts = resolveListOption("--http-allowed-hosts", "MCP_HTTP_ALLOWED_HOSTS");
+        const enableDnsRebindingProtection = resolveBooleanOption("--http-enable-dns-protection", "MCP_HTTP_ENABLE_DNS_PROTECTION", false);
+        return {
+            type: "streamable-http",
+            host,
+            port,
+            enableJsonResponse,
+            allowedOrigins,
+            allowedHosts,
+            enableDnsRebindingProtection,
+        };
+    }
+    return { type: "stdio" };
+}
+function setAbapConnectionOverride(connection) {
+    (0, utils_1.setConnectionOverride)(connection);
+}
+/**
+ * Retrieves SAP configuration from environment variables.
+ * Reads configuration from process.env (caller is responsible for loading .env file if needed).
+ *
+ * @returns {SapConfig} The SAP configuration object.
+ * @throws {Error} If any required environment variable is missing.
+ */
+// Helper function for Windows-compatible logging
+// Only logs when DEBUG_CONNECTORS, DEBUG_TESTS, or DEBUG_ADT_TESTS is enabled
+function debugLog(message) {
+    const debugEnabled = process.env.DEBUG_CONNECTORS === 'true' ||
+        process.env.DEBUG_TESTS === 'true' ||
+        process.env.DEBUG_ADT_TESTS === 'true';
+    if (!debugEnabled) {
+        return; // Suppress debug logs when not in debug mode
+    }
+    // Try stderr first
+    try {
+        process.stderr.write(message);
+    }
+    catch (e) {
+        // Fallback to console.error for Windows
+        console.error(message.trim());
+    }
+    // Also try to write to a debug file on Windows
+    if (process.platform === 'win32') {
+        try {
+            const fs = require('fs');
+            const path = require('path');
+            const debugFile = path.join(process.cwd(), 'mcp-debug.log');
+            fs.appendFileSync(debugFile, `${new Date().toISOString()} ${message}`, 'utf8');
+        }
+        catch (e) {
+            // Ignore file write errors
+        }
+    }
+}
+// Re-export header constants from interfaces package
+__exportStar(require("@mcp-abap-adt/interfaces"), exports);
+// Re-export handler exporter for external server integration
+var index_js_1 = require("../../lib/handlers/index.js");
+Object.defineProperty(exports, "HandlerExporter", { enumerable: true, get: function () { return index_js_1.HandlerExporter; } });
+Object.defineProperty(exports, "createDefaultHandlerExporter", { enumerable: true, get: function () { return index_js_1.createDefaultHandlerExporter; } });
+/**
+ * Server class for interacting with ABAP systems via ADT.
+ */
+class mcp_abap_adt_server {
+    allowProcessExit;
+    registerSignalHandlers;
+    mcpServer; // MCP server for all transports
+    sapConfig; // SAP configuration
+    hasEnvFile; // Track if .env file was found at startup
+    transportConfig;
+    httpServer;
+    shuttingDown = false;
+    defaultMcpDestination; // Default MCP destination from --mcp parameter
+    defaultDestination; // Default destination (from --mcp or .env, used when client doesn't specify)
+    mcpHandlers;
+    exposition = ['readonly', 'high']; // Default exposition
+    // Client session tracking for StreamableHTTP (like the example)
+    streamableHttpSessions = new Map();
+    // Map sessionId -> client key (streamable HTTP) for quick lookups
+    streamableSessionIndex = new Map();
+    // AuthBroker factory for creating and managing AuthBroker instances
+    authBrokerFactory;
+    // Path to .env file (used to create SessionStore when --mcp is not specified)
+    envFilePath;
+    /**
+     * Initialize default broker on server startup (for stdio/SSE transports)
+     * Creates broker with default destination from --mcp parameter or .env file
+     */
+    /**
+     * Initialize default broker using unified AuthBrokerFactory logic
+     * Sets defaultDestination based on what broker was created
+     */
+    async initializeDefaultBroker() {
+        // Use unified AuthBrokerFactory logic to initialize default broker
+        await this.authBrokerFactory.initializeDefaultBroker();
+        // Get default broker to determine default destination
+        const defaultBroker = this.authBrokerFactory.getDefaultBroker();
+        console.error("[DEBUG v1] initializeDefaultBroker result:", {
+            hasBroker: !!defaultBroker,
+            defaultMcpDestination: this.defaultMcpDestination,
+            envFilePath: this.envFilePath,
+        });
+        if (defaultBroker) {
+            // If we have --mcp, use that as default destination
+            if (this.defaultMcpDestination) {
+                this.defaultDestination = this.defaultMcpDestination;
+            }
+            else {
+                // Otherwise use 'default' as destination name
+                this.defaultDestination = 'default';
+            }
+            logger_1.logger?.info("Default broker initialized", {
+                type: "DEFAULT_BROKER_INITIALIZED",
+                destination: this.defaultDestination,
+                transport: this.transportConfig.type,
+            });
+        }
+        else {
+            logger_1.logger?.debug("No default broker created (no conditions met)", {
+                type: "NO_DEFAULT_BROKER",
+                transport: this.transportConfig.type,
+            });
+        }
+    }
+    /**
+     * Get or create AuthBroker for a specific destination (lazy initialization)
+     * If destination is not specified, returns default broker
+     */
+    async getOrCreateAuthBroker(destination, clientKey) {
+        // clientKey is ignored in unified logic (one broker per destination)
+        return this.authBrokerFactory.getOrCreateAuthBroker(destination);
+    }
+    async applyAuthHeaders(headers, sessionId, clientKey) {
+        // Security: If server is listening on non-local interface (0.0.0.0), don't use default destination
+        // Client must provide all connection parameters in headers - server only proxies to ABAP
+        const isNonLocalInterface = this.isListeningOnNonLocalInterface();
+        if (isNonLocalInterface) {
+            // Non-local interface: use only what client provides in headers, no default destination
+            if (!headers || Object.keys(headers).length === 0) {
+                logger_1.logger?.info("No headers provided - server listening on non-local interface requires all headers from client", {
+                    type: "NO_HEADERS_NON_LOCAL_INTERFACE",
+                    sessionId: sessionId?.substring(0, 8),
+                    hint: `Server is listening on 0.0.0.0 - client must provide all connection parameters in headers. Server will not use default destination for security.`,
+                });
+                return;
+            }
+            // Use headers as-is, no default destination
+            logger_1.logger?.debug("Non-local interface: using only client-provided headers", {
+                type: "NON_LOCAL_INTERFACE_HEADERS_ONLY",
+                sessionId: sessionId?.substring(0, 8),
+            });
+        }
+        else {
+            // Local interface (127.0.0.1): can use default destination if no headers
+            // If no headers but defaultDestination is set, use it
+            // Client values have priority (Q10), but if no headers at all, use default
+            if (!headers || Object.keys(headers).length === 0) {
+                if (this.defaultDestination) {
+                    // Use default destination to get connection config from broker
+                    const authBroker = await this.getOrCreateAuthBroker(this.defaultDestination, clientKey || sessionId);
+                    if (authBroker) {
+                        try {
+                            const connConfig = await authBroker.getConnectionConfig(this.defaultDestination);
+                            if (connConfig?.serviceUrl) {
+                                // Check authType from connection config BEFORE calling getToken()
+                                const isBasicAuth = connConfig.authType === 'basic' || (connConfig.username && connConfig.password);
+                                if (isBasicAuth) {
+                                    // Basic auth for on-premise
+                                    if (connConfig.username && connConfig.password) {
+                                        this.processBasicAuthConfigUpdate(connConfig.serviceUrl, connConfig.username, connConfig.password, sessionId);
+                                        logger_1.logger?.info("No headers provided, using default destination with basic auth", {
+                                            type: "NO_HEADERS_DEFAULT_DESTINATION_BASIC_AUTH",
+                                            destination: this.defaultDestination,
+                                            sessionId: sessionId?.substring(0, 8),
+                                        });
+                                    }
+                                }
+                                else {
+                                    // JWT auth for cloud
+                                    const jwtToken = await authBroker.getToken(this.defaultDestination);
+                                    if (jwtToken) {
+                                        // Create headers object with default destination
+                                        headers = {
+                                            [interfaces_1.HEADER_MCP_DESTINATION]: this.defaultDestination,
+                                            [interfaces_1.HEADER_SAP_URL]: connConfig.serviceUrl,
+                                            [interfaces_1.HEADER_SAP_JWT_TOKEN]: jwtToken,
+                                        };
+                                        logger_1.logger?.info("No headers provided, using default destination", {
+                                            type: "NO_HEADERS_DEFAULT_DESTINATION_USED",
+                                            destination: this.defaultDestination,
+                                            sessionId: sessionId?.substring(0, 8),
+                                        });
+                                    }
+                                }
+                            }
+                        }
+                        catch (error) {
+                            logger_1.logger?.warn("Failed to get connection config from default destination", {
+                                type: "DEFAULT_DESTINATION_CONFIG_FAILED",
+                                destination: this.defaultDestination,
+                                sessionId: sessionId?.substring(0, 8),
+                                error: error instanceof Error ? error.message : String(error),
+                            });
+                        }
+                    }
+                }
+                // If still no headers after trying default destination, log and return
+                if (!headers || Object.keys(headers).length === 0) {
+                    logger_1.logger?.info("No headers provided in request and no default destination available", {
+                        type: "NO_HEADERS_PROVIDED",
+                        sessionId: sessionId?.substring(0, 8),
+                        hint: `Provide authentication headers (${interfaces_1.HEADER_SAP_DESTINATION_SERVICE}, ${interfaces_1.HEADER_SAP_URL}, ${interfaces_1.HEADER_SAP_AUTH_TYPE}, etc.) or use --mcp parameter or .env file`,
+                    });
+                    return;
+                }
+            }
+            // Apply default destination if not provided in headers (client values have priority)
+            // Only for local interface
+            if (this.defaultDestination && !headers[interfaces_1.HEADER_MCP_DESTINATION] && !headers['X-MCP-Destination']) {
+                headers[interfaces_1.HEADER_MCP_DESTINATION] = this.defaultDestination;
+                logger_1.logger?.info("Using default destination (client didn't specify)", {
+                    type: "DEFAULT_DESTINATION_APPLIED",
+                    destination: this.defaultDestination,
+                    sessionId: sessionId?.substring(0, 8),
+                });
+            }
+        }
+        // Ensure headers is set for processing below
+        if (!headers) {
+            headers = {};
+        }
+        const headersWithDefault = { ...headers };
+        // Log which auth headers are present (for debugging)
+        // Check headers in both cases (Node.js normalizes to lowercase, but check both for safety)
+        const authHeaders = {
+            [interfaces_1.HEADER_SAP_DESTINATION_SERVICE]: headersWithDefault[interfaces_1.HEADER_SAP_DESTINATION_SERVICE] || headersWithDefault['X-SAP-Destination'],
+            [interfaces_1.HEADER_MCP_DESTINATION]: headersWithDefault[interfaces_1.HEADER_MCP_DESTINATION] || headersWithDefault['X-MCP-Destination'],
+            [interfaces_1.HEADER_SAP_URL]: (headersWithDefault[interfaces_1.HEADER_SAP_URL] || headersWithDefault['X-SAP-URL']) ? '[present]' : undefined,
+            [interfaces_1.HEADER_SAP_AUTH_TYPE]: headersWithDefault[interfaces_1.HEADER_SAP_AUTH_TYPE] || headersWithDefault['X-SAP-Auth-Type'],
+            [interfaces_1.HEADER_SAP_JWT_TOKEN]: (headersWithDefault[interfaces_1.HEADER_SAP_JWT_TOKEN] || headersWithDefault['X-SAP-JWT-Token']) ? '[present]' : undefined,
+            [interfaces_1.HEADER_SAP_LOGIN]: (headersWithDefault[interfaces_1.HEADER_SAP_LOGIN] || headersWithDefault['X-SAP-Login']) ? '[present]' : undefined,
+        };
+        logger_1.logger?.info("Processing authentication headers", {
+            type: "AUTH_HEADERS_PROCESSING",
+            headers: authHeaders,
+            platform: process.platform,
+            sessionId: sessionId?.substring(0, 8),
+            allHeaderKeys: Object.keys(headersWithDefault).filter(k => {
+                const lowerKey = k.toLowerCase();
+                return lowerKey.startsWith('x-sap') || lowerKey.startsWith('x-mcp');
+            }),
+        });
+        // Use header validator to validate and prioritize authentication methods
+        const validationResult = (0, header_validator_1.validateAuthHeaders)(headersWithDefault);
+        // Log warnings if any
+        if (validationResult.warnings.length > 0) {
+            logger_1.logger?.debug("Header validation warnings", {
+                type: "HEADER_VALIDATION_WARNINGS",
+                warnings: validationResult.warnings,
+                sessionId: sessionId?.substring(0, 8),
+            });
+        }
+        // If validation failed, log info (not error) and return
+        // This is not an error - user may be using .env file or base config
+        if (!validationResult.isValid || !validationResult.config) {
+            if (validationResult.errors.length > 0) {
+                logger_1.logger?.debug("Header validation failed - will use .env file or base config", {
+                    type: "HEADER_VALIDATION_FAILED",
+                    errors: validationResult.errors,
+                    sessionId: sessionId?.substring(0, 8),
+                    hint: "No valid headers found. Will use .env file or base config if available.",
+                });
+            }
+            else {
+                logger_1.logger?.debug("No valid authentication headers found - will use .env file or base config", {
+                    type: "NO_VALID_AUTH_HEADERS",
+                    sessionId: sessionId?.substring(0, 8),
+                    hint: "No headers provided. Will use .env file or base config if available.",
+                });
+            }
+            return;
+        }
+        const config = validationResult.config;
+        // Process based on priority (highest to lowest)
+        switch (config.priority) {
+            case header_validator_1.AuthMethodPriority.SAP_DESTINATION: {
+                // Priority 4: x-sap-destination (uses AuthBroker, URL from destination)
+                if (!config.destination) {
+                    logger_1.logger?.warn("SAP destination auth requires destination name", {
+                        type: "SAP_DESTINATION_AUTH_MISSING",
+                        destination: config.destination,
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                    return;
+                }
+                // Get or create AuthBroker for this destination (lazy initialization)
+                const authBroker = await this.getOrCreateAuthBroker(config.destination, clientKey || sessionId);
+                if (!authBroker) {
+                    const errorMessage = `Failed to initialize AuthBroker for destination "${config.destination}". Auth-broker is only available for HTTP/streamable-http transport.`;
+                    logger_1.logger?.error(errorMessage, {
+                        type: "AUTH_BROKER_NOT_INITIALIZED",
+                        destination: config.destination,
+                        sessionId: sessionId?.substring(0, 8),
+                        transport: this.transportConfig.type,
+                    });
+                    return;
+                }
+                try {
+                    // Get connection config from AuthBroker (loads from .env or service key)
+                    // Note: destination name must exactly match service key filename (case-sensitive)
+                    // Example: if file is "sk.json", destination must be "sk" (not "SK")
+                    const connConfig = await authBroker.getConnectionConfig(config.destination);
+                    if (!connConfig || !connConfig.serviceUrl) {
+                        logger_1.logger?.error("Failed to get SAP URL from destination", {
+                            type: "SAP_DESTINATION_URL_NOT_FOUND",
+                            destination: config.destination,
+                            sessionId: sessionId?.substring(0, 8),
+                            hint: `Service key file "${config.destination}.json" not found or missing URL. Check file name matches destination exactly (case-sensitive).`,
+                        });
+                        return;
+                    }
+                    const sapUrl = connConfig.serviceUrl;
+                    logger_1.logger?.info("SAP URL retrieved from destination", {
+                        type: "SAP_URL_RETRIEVED",
+                        destination: config.destination,
+                        url: sapUrl,
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                    // Check authType from connection config BEFORE calling getToken()
+                    const isBasicAuth = connConfig.authType === 'basic' || (connConfig.username && connConfig.password);
+                    if (isBasicAuth) {
+                        // Basic auth for on-premise
+                        if (connConfig.username && connConfig.password) {
+                            this.processBasicAuthConfigUpdate(sapUrl, connConfig.username, connConfig.password, sessionId);
+                            logger_1.logger?.info("Updated SAP configuration using SAP destination with basic auth", {
+                                type: "SAP_CONFIG_UPDATED_SAP_DESTINATION_BASIC_AUTH",
+                                destination: config.destination,
+                                url: sapUrl,
+                                sessionId: sessionId?.substring(0, 8),
+                            });
+                        }
+                        else {
+                            logger_1.logger?.error("Basic auth requires username and password", {
+                                type: "BASIC_AUTH_MISSING_CREDENTIALS",
+                                destination: config.destination,
+                                sessionId: sessionId?.substring(0, 8),
+                            });
+                        }
+                    }
+                    else {
+                        // JWT auth for cloud
+                        // Get token from AuthBroker
+                        const jwtToken = await authBroker.getToken(config.destination);
+                        // Register AuthBroker in global registry for connection to use during token refresh
+                        const { registerAuthBroker } = require('./lib/utils');
+                        registerAuthBroker(config.destination, authBroker);
+                        this.processJwtConfigUpdate(sapUrl, jwtToken, undefined, config.destination, sessionId);
+                        logger_1.logger?.info("Updated SAP configuration using SAP destination (AuthBroker)", {
+                            type: "SAP_CONFIG_UPDATED_SAP_DESTINATION",
+                            destination: config.destination,
+                            url: sapUrl,
+                            sessionId: sessionId?.substring(0, 8),
+                        });
+                    }
+                }
+                catch (error) {
+                    logger_1.logger?.error("Failed to get token from AuthBroker for SAP destination", {
+                        type: "AUTH_BROKER_ERROR_SAP_DESTINATION",
+                        destination: config.destination,
+                        error: error instanceof Error ? error.message : String(error),
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                }
+                return;
+            }
+            case header_validator_1.AuthMethodPriority.MCP_DESTINATION: {
+                // Priority 3: x-mcp-destination (uses AuthBroker, URL from destination or x-sap-url header)
+                if (!config.destination) {
+                    logger_1.logger?.warn("MCP destination auth requires destination", {
+                        type: "MCP_DESTINATION_AUTH_MISSING",
+                        destination: config.destination,
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                    return;
+                }
+                // Get or create AuthBroker for this destination (lazy initialization)
+                const authBroker = await this.getOrCreateAuthBroker(config.destination, clientKey || sessionId);
+                if (!authBroker) {
+                    logger_1.logger?.error("Failed to initialize AuthBroker for MCP destination", {
+                        type: "AUTH_BROKER_NOT_INITIALIZED",
+                        destination: config.destination,
+                        sessionId: sessionId?.substring(0, 8),
+                        transport: this.transportConfig.type,
+                    });
+                    return;
+                }
+                try {
+                    // Get connection config from AuthBroker (loads from .env or service key)
+                    // If x-sap-url was provided in headers, it will be ignored (warning already issued by validator)
+                    // Note: destination name must exactly match service key filename (case-sensitive)
+                    const connConfig = await authBroker.getConnectionConfig(config.destination);
+                    if (!connConfig || !connConfig.serviceUrl) {
+                        logger_1.logger?.error("Failed to get SAP URL from destination", {
+                            type: "MCP_DESTINATION_URL_NOT_FOUND",
+                            destination: config.destination,
+                            sessionId: sessionId?.substring(0, 8),
+                            hint: `Service key file "${config.destination}.json" not found or missing URL. Check file name matches destination exactly (case-sensitive).`,
+                        });
+                        return;
+                    }
+                    const sapUrl = connConfig.serviceUrl;
+                    logger_1.logger?.info("SAP URL retrieved from destination", {
+                        type: "SAP_URL_RETRIEVED",
+                        destination: config.destination,
+                        url: sapUrl,
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                    // Check authType from connection config BEFORE calling getToken()
+                    const isBasicAuth = connConfig.authType === 'basic' || (connConfig.username && connConfig.password);
+                    if (isBasicAuth) {
+                        // Basic auth for on-premise
+                        if (connConfig.username && connConfig.password) {
+                            this.processBasicAuthConfigUpdate(sapUrl, connConfig.username, connConfig.password, sessionId);
+                            logger_1.logger?.info("Updated SAP configuration using MCP destination with basic auth", {
+                                type: "SAP_CONFIG_UPDATED_MCP_DESTINATION_BASIC_AUTH",
+                                destination: config.destination,
+                                url: sapUrl,
+                                sessionId: sessionId?.substring(0, 8),
+                            });
+                        }
+                        else {
+                            logger_1.logger?.error("Basic auth requires username and password", {
+                                type: "BASIC_AUTH_MISSING_CREDENTIALS",
+                                destination: config.destination,
+                                sessionId: sessionId?.substring(0, 8),
+                            });
+                        }
+                    }
+                    else {
+                        // JWT auth for cloud
+                        // Get token from AuthBroker
+                        const jwtToken = await authBroker.getToken(config.destination);
+                        // Register AuthBroker in global registry for connection to use during token refresh
+                        const { registerAuthBroker } = require('../../lib/utils.js');
+                        registerAuthBroker(config.destination, authBroker);
+                        this.processJwtConfigUpdate(sapUrl, jwtToken, undefined, config.destination, sessionId);
+                        logger_1.logger?.info("Updated SAP configuration using MCP destination (AuthBroker)", {
+                            type: "SAP_CONFIG_UPDATED_MCP_DESTINATION",
+                            destination: config.destination,
+                            url: sapUrl,
+                            sessionId: sessionId?.substring(0, 8),
+                        });
+                    }
+                }
+                catch (error) {
+                    logger_1.logger?.error("Failed to get token from AuthBroker for MCP destination", {
+                        type: "AUTH_BROKER_ERROR_MCP_DESTINATION",
+                        destination: config.destination,
+                        error: error instanceof Error ? error.message : String(error),
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                }
+                return;
+            }
+            case header_validator_1.AuthMethodPriority.DIRECT_JWT: {
+                // Priority 2: x-sap-jwt-token (direct JWT token)
+                if (!config.sapUrl || !config.jwtToken) {
+                    logger_1.logger?.warn("Direct JWT auth requires URL and token", {
+                        type: "DIRECT_JWT_AUTH_MISSING",
+                        sapUrl: config.sapUrl,
+                        hasToken: !!config.jwtToken,
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                    return;
+                }
+                this.processJwtConfigUpdate(config.sapUrl, config.jwtToken, config.refreshToken, sessionId);
+                logger_1.logger?.info("Updated SAP configuration using direct JWT token", {
+                    type: "SAP_CONFIG_UPDATED_DIRECT_JWT",
+                    url: config.sapUrl,
+                    sessionId: sessionId?.substring(0, 8),
+                });
+                return;
+            }
+            case header_validator_1.AuthMethodPriority.BASIC: {
+                // Priority 1: x-sap-login + x-sap-password (basic auth)
+                if (!config.sapUrl || !config.username || !config.password) {
+                    logger_1.logger?.warn("Basic auth requires URL, username, and password", {
+                        type: "BASIC_AUTH_MISSING",
+                        sapUrl: config.sapUrl,
+                        hasUsername: !!config.username,
+                        hasPassword: !!config.password,
+                        sessionId: sessionId?.substring(0, 8),
+                    });
+                    return;
+                }
+                this.processBasicAuthConfigUpdate(config.sapUrl, config.username, config.password, sessionId);
+                logger_1.logger?.info("Updated SAP configuration using basic auth", {
+                    type: "SAP_CONFIG_UPDATED_BASIC",
+                    url: config.sapUrl,
+                    sessionId: sessionId?.substring(0, 8),
+                });
+                return;
+            }
+            default: {
+                logger_1.logger?.warn("Unknown authentication method priority", {
+                    type: "UNKNOWN_AUTH_PRIORITY",
+                    priority: config.priority,
+                    sessionId: sessionId?.substring(0, 8),
+                });
+                return;
+            }
+        }
+    }
+    processJwtConfigUpdate(sapUrl, jwtToken, refreshToken, destination, sessionId) {
+        const sanitizeToken = (token) => token.length <= 10 ? token : `${token.substring(0, 6)}…${token.substring(token.length - 4)}`;
+        // URL from auth-broker/service key is already clean and correct, no need to clean it
+        // Only validate format
+        let cleanedUrl = sapUrl.trim();
+        // Ensure URL has protocol
+        if (!/^https?:\/\//.test(cleanedUrl)) {
+            logger_1.logger?.error("Invalid URL format in processJwtConfigUpdate", {
+                type: "INVALID_URL_FORMAT",
+                originalUrl: sapUrl,
+                cleanedUrl: cleanedUrl,
+                sessionId: sessionId?.substring(0, 8),
+            });
+            throw new Error(`Invalid URL format: "${sapUrl}". Expected format: https://your-system.sap.com`);
+        }
+        // Normalize URL using URL object
+        try {
+            const urlObj = new URL(cleanedUrl);
+            cleanedUrl = urlObj.href.replace(/\/$/, ''); // Remove trailing slash
+        }
+        catch (urlError) {
+            logger_1.logger?.error("Failed to parse URL in processJwtConfigUpdate", {
+                type: "URL_PARSE_ERROR",
+                url: cleanedUrl,
+                error: urlError instanceof Error ? urlError.message : String(urlError),
+                sessionId: sessionId?.substring(0, 8),
+            });
+            throw new Error(`Invalid URL: "${sapUrl}". Error: ${urlError instanceof Error ? urlError.message : urlError}`);
+        }
+        // Use cleaned URL
+        sapUrl = cleanedUrl;
+        let baseConfig = this.sapConfig;
+        // Don't load from .env if using auth-broker (--mcp or --auth-broker)
+        // This prevents .env from being used when destination-based auth is specified
+        const isUsingAuthBroker = this.defaultMcpDestination || useAuthBroker;
+        if ((!baseConfig || baseConfig.url === "http://placeholder") && !isUsingAuthBroker) {
+            try {
+                baseConfig = (0, config_js_1.getConfig)();
+            }
+            catch (error) {
+                logger_1.logger?.warn("Failed to load base SAP config when applying headers", {
+                    type: "SAP_CONFIG_HEADER_APPLY_FAILED",
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                baseConfig = {
+                    url: sapUrl,
+                    authType: "jwt",
+                };
+            }
+        }
+        else if (!baseConfig || baseConfig.url === "http://placeholder") {
+            // Using auth-broker, don't load from .env
+            baseConfig = {
+                url: sapUrl,
+                authType: "jwt",
+            };
+        }
+        // Check if any configuration changed
+        const urlChanged = sapUrl !== baseConfig.url;
+        const authTypeChanged = "jwt" !== baseConfig.authType;
+        const tokenChanged = baseConfig.jwtToken !== jwtToken ||
+            (!!refreshToken && refreshToken.trim() !== baseConfig.refreshToken);
+        if (!urlChanged && !authTypeChanged && !tokenChanged) {
+            return;
+        }
+        const newConfig = {
+            ...baseConfig,
+            url: sapUrl,
+            authType: "jwt",
+            jwtToken,
+        };
+        if (refreshToken && refreshToken.trim()) {
+            newConfig.refreshToken = refreshToken.trim();
+        }
+        (0, config_js_1.setSapConfigOverride)(newConfig);
+        this.sapConfig = newConfig;
+        // Store config and destination in session if sessionId is provided
+        if (sessionId) {
+            const clientKeyForSession = this.streamableSessionIndex.get(sessionId);
+            const session = clientKeyForSession ? this.streamableHttpSessions.get(clientKeyForSession) : undefined;
+            if (session) {
+                session.sapConfig = newConfig;
+                if (destination) {
+                    session.destination = destination;
+                }
+            }
+        }
+        // Force connection cache invalidation (for backward compatibility)
+        const { invalidateConnectionCache } = require('../../lib/utils.js');
+        try {
+            invalidateConnectionCache();
+        }
+        catch (error) {
+            logger_1.logger?.debug("Connection cache invalidation failed", {
+                type: "CONNECTION_CACHE_INVALIDATION_FAILED",
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+        logger_1.logger?.info("Updated SAP configuration from HTTP headers (JWT)", {
+            type: "SAP_CONFIG_UPDATED",
+            urlChanged: Boolean(urlChanged),
+            authTypeChanged: Boolean(authTypeChanged),
+            tokenChanged: Boolean(tokenChanged),
+            hasRefreshToken: Boolean(refreshToken),
+            jwtPreview: sanitizeToken(jwtToken),
+            sessionId: sessionId?.substring(0, 8),
+        });
+    }
+    /**
+     * Process JWT config update using AuthBroker for destination-based authentication
+     * @private
+     */
+    async processJwtConfigUpdateWithAuthBroker(sapUrl, destination, sessionId) {
+        // Get or create AuthBroker for this destination (lazy initialization)
+        const authBroker = await this.getOrCreateAuthBroker(destination, sessionId);
+        if (!authBroker) {
+            logger_1.logger?.warn("AuthBroker not available, falling back to direct token", {
+                type: "AUTH_BROKER_NOT_AVAILABLE",
+                destination,
+                transport: this.transportConfig.type,
+            });
+            return;
+        }
+        try {
+            // Get token from AuthBroker (will load from .env, validate, and refresh if needed)
+            const jwtToken = await authBroker.getToken(destination);
+            // Load refresh token from .env if available (AuthBroker doesn't return it, but we can load it)
+            // For now, we'll just use the access token - refresh will be handled by AuthBroker automatically
+            const refreshToken = undefined; // AuthBroker handles refresh internally
+            // Process JWT config update with the token from AuthBroker
+            this.processJwtConfigUpdate(sapUrl, jwtToken, refreshToken, destination, sessionId);
+            logger_1.logger?.info("Updated SAP configuration using AuthBroker (destination-based)", {
+                type: "SAP_CONFIG_UPDATED_AUTH_BROKER",
+                destination,
+                url: sapUrl,
+                sessionId: sessionId?.substring(0, 8),
+            });
+        }
+        catch (error) {
+            logger_1.logger?.error("Failed to get token from AuthBroker", {
+                type: "AUTH_BROKER_ERROR",
+                destination,
+                error: error instanceof Error ? error.message : String(error),
+            });
+            // Don't throw - let the request continue with existing config or fail later
+        }
+    }
+    processBasicAuthConfigUpdate(sapUrl, username, password, sessionId) {
+        let baseConfig = this.sapConfig;
+        if (!baseConfig || baseConfig.url === "http://placeholder") {
+            try {
+                baseConfig = (0, config_js_1.getConfig)();
+            }
+            catch (error) {
+                logger_1.logger?.warn("Failed to load base SAP config when applying headers", {
+                    type: "SAP_CONFIG_HEADER_APPLY_FAILED",
+                    error: error instanceof Error ? error.message : String(error),
+                });
+                baseConfig = {
+                    url: sapUrl,
+                    authType: "basic",
+                };
+            }
+        }
+        // Check if any configuration changed
+        const urlChanged = sapUrl !== baseConfig.url;
+        const authTypeChanged = "basic" !== baseConfig.authType;
+        const credentialsChanged = baseConfig.username !== username ||
+            baseConfig.password !== password;
+        if (!urlChanged && !authTypeChanged && !credentialsChanged) {
+            return;
+        }
+        const newConfig = {
+            ...baseConfig,
+            url: sapUrl,
+            authType: "basic",
+            username,
+            password,
+        };
+        (0, config_js_1.setSapConfigOverride)(newConfig);
+        this.sapConfig = newConfig;
+        // Store config in session if sessionId is provided
+        if (sessionId) {
+            const clientKeyForSession = this.streamableSessionIndex.get(sessionId);
+            const session = clientKeyForSession ? this.streamableHttpSessions.get(clientKeyForSession) : undefined;
+            if (session) {
+                session.sapConfig = newConfig;
+            }
+        }
+        // Force connection cache invalidation (for backward compatibility)
+        const { invalidateConnectionCache } = require('../../lib/utils.js');
+        try {
+            invalidateConnectionCache();
+        }
+        catch (error) {
+            logger_1.logger?.debug("Connection cache invalidation failed", {
+                type: "CONNECTION_CACHE_INVALIDATION_FAILED",
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+        logger_1.logger?.info("Updated SAP configuration from HTTP headers (Basic)", {
+            type: "SAP_CONFIG_UPDATED",
+            urlChanged: Boolean(urlChanged),
+            authTypeChanged: Boolean(authTypeChanged),
+            credentialsChanged: Boolean(credentialsChanged),
+            hasUsername: Boolean(username),
+            sessionId: sessionId?.substring(0, 8),
+        });
+    }
+    /**
+     * Check if connection is from localhost
+     */
+    isLocalConnection(remoteAddress) {
+        if (!remoteAddress) {
+            return false;
+        }
+        // Check for IPv4 localhost
+        if (remoteAddress === "127.0.0.1" || remoteAddress === "localhost") {
+            return true;
+        }
+        // Check for IPv6 localhost
+        if (remoteAddress === "::1" || remoteAddress === "::ffff:127.0.0.1") {
+            return true;
+        }
+        // Check if it's a loopback interface
+        if (remoteAddress.startsWith("127.") || remoteAddress.startsWith("::1")) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check if server is listening on non-local interface (0.0.0.0)
+     * When listening on 0.0.0.0, we don't use default destination - client must provide all headers
+     */
+    isListeningOnNonLocalInterface() {
+        if (this.transportConfig.type === "streamable-http" || this.transportConfig.type === "sse") {
+            const host = this.transportConfig.host;
+            // If host is 0.0.0.0, ::, or empty, it accepts connections from all interfaces
+            return host === "0.0.0.0" || host === "::" || host === "" || !host;
+        }
+        // stdio is always local
+        return false;
+    }
+    /**
+     * Check if request has SAP connection headers
+     */
+    hasSapHeaders(headers) {
+        if (!headers) {
+            return false;
+        }
+        // Check for destination-based auth headers
+        if (headers[interfaces_1.HEADER_SAP_DESTINATION_SERVICE] || headers[interfaces_1.HEADER_MCP_DESTINATION]) {
+            return true;
+        }
+        // Check for direct auth headers
+        const sapUrl = headers[interfaces_1.HEADER_SAP_URL];
+        const sapAuthType = headers[interfaces_1.HEADER_SAP_AUTH_TYPE];
+        return !!(sapUrl && sapAuthType);
+    }
+    /**
+     * Constructor for the mcp_abap_adt_server class.
+     */
+    constructor(options) {
+        this.allowProcessExit = options?.allowProcessExit ?? true;
+        this.registerSignalHandlers = options?.registerSignalHandlers ?? true;
+        this.defaultMcpDestination = defaultMcpDestination;
+        this.envFilePath = envFilePath; // Store .env file path for SessionStore creation
+        // Parse exposition from CLI args or use default
+        if (options?.exposition) {
+            this.exposition = options.exposition;
+        }
+        else {
+            // Parse --exposition from CLI
+            const expositionArg = process.argv.find(arg => arg.startsWith('--exposition='));
+            if (expositionArg) {
+                const sets = expositionArg.split('=')[1]?.split(',').map(s => s.trim()).filter(Boolean) || [];
+                this.exposition = sets.length > 0 ? sets : ['readonly', 'high'];
+            }
+        }
+        // Initialize AuthBroker factory
+        const brokerConfig = new AuthBrokerConfig_js_1.AuthBrokerConfig(this.defaultMcpDestination, this.defaultDestination, this.envFilePath, authBrokerPath, unsafe, transportType, useAuthBroker, browser, logger_1.logger);
+        this.authBrokerFactory = new index_1.AuthBrokerFactory(brokerConfig);
+        this.mcpHandlers = new mcp_handlers_1.McpHandlers();
+        // Check if .env file exists (was loaded at startup)
+        // This is used to determine if we should restrict non-local connections
+        this.hasEnvFile = fs_1.default.existsSync(envFilePath || path_1.default.resolve(process.cwd(), ".env"));
+        if (options?.connection) {
+            setAbapConnectionOverride(options.connection);
+        }
+        else {
+            setAbapConnectionOverride(undefined);
+        }
+        if (!options?.connection) {
+            (0, config_js_1.setSapConfigOverride)(options?.sapConfig);
+        }
+        // CHANGED: Don't validate config in constructor - will validate on actual ABAP requests
+        // This allows creating server instance without .env file when using runtime config (e.g., from HTTP headers)
+        try {
+            if (options?.sapConfig) {
+                this.sapConfig = options.sapConfig;
+            }
+            else if (!options?.connection) {
+                // Don't load .env config if using auth-broker (--mcp or --auth-broker)
+                // Connection will be created via auth-broker instead
+                if (this.defaultMcpDestination || useAuthBroker) {
+                    // Using auth-broker, don't load .env config
+                    this.sapConfig = {
+                        url: "http://placeholder",
+                        authType: "basic",
+                    };
+                    logger_1.logger?.debug("Skipping .env config load (using auth-broker)", {
+                        type: "SKIP_ENV_CONFIG_FOR_AUTH_BROKER",
+                        defaultMcpDestination: this.defaultMcpDestination,
+                        useAuthBroker,
+                    });
+                }
+                else {
+                    // Try to get config from .env, but don't fail if it's invalid - server should still initialize
+                    // Invalid config will be caught when handlers try to use it
+                    try {
+                        this.sapConfig = (0, config_js_1.getConfig)();
+                    }
+                    catch (configError) {
+                        // For stdio mode, we want the server to initialize even with invalid config
+                        // The error will be shown when user tries to use a tool
+                        // Check stdio mode using environment variable or stdin check (transportConfig not set yet)
+                        const isStdioMode = process.env.MCP_TRANSPORT === "stdio" || !process.stdin.isTTY;
+                        if (isStdioMode) {
+                            // In stdio mode, write error to stderr (safe for MCP protocol)
+                            process.stderr.write(`[MCP] ⚠ WARNING: Invalid SAP configuration: ${configError instanceof Error ? configError.message : String(configError)}\n`);
+                            process.stderr.write(`[MCP]   Server will start, but tools will fail until configuration is fixed.\n`);
+                        }
+                        logger_1.logger?.warn("SAP config invalid at initialization, will use placeholder", {
+                            type: "CONFIG_INVALID",
+                            error: configError instanceof Error ? configError.message : String(configError),
+                        });
+                        // Set a placeholder that will be replaced when valid config is provided
+                        this.sapConfig = { url: "http://placeholder", authType: "jwt", jwtToken: "placeholder" };
+                    }
+                }
+            }
+            else {
+                this.sapConfig = { url: "http://injected-connection", authType: "jwt", jwtToken: "injected" };
+            }
+        }
+        catch (error) {
+            // If config is not available yet, that's OK - it will be provided later via setSapConfigOverride or DI
+            logger_1.logger?.warn("SAP config not available at initialization, will use runtime config", {
+                type: "CONFIG_DEFERRED",
+                error: error instanceof Error ? error.message : String(error),
+            });
+            // Set a placeholder that will be replaced
+            this.sapConfig = { url: "http://placeholder", authType: "jwt", jwtToken: "placeholder" };
+        }
+        try {
+            this.transportConfig = options?.transportConfig ?? parseTransportConfig();
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            // Always write error to stderr (stderr is safe even in stdio mode)
+            logger_1.logger?.error("Failed to parse transport configuration", {
+                type: "TRANSPORT_CONFIG_ERROR",
+                error: message,
+            });
+            process.stderr.write(`[MCP] ✗ ERROR: Failed to parse transport configuration: ${message}\n`);
+            if (this.allowProcessExit) {
+                // On Windows, add a small delay before exit to allow error message to be visible
+                if (process.platform === 'win32') {
+                    setTimeout(() => process.exit(1), 100);
+                }
+                else {
+                    process.exit(1);
+                }
+            }
+            throw error instanceof Error ? error : new Error(message);
+        }
+        // Create McpServer (for all transports)
+        this.mcpServer = new mcp_js_1.McpServer({
+            name: "mcp-abap-adt",
+            version: "0.1.0"
+        });
+        // AuthBroker will be initialized lazily when needed (per destination)
+        // Only for HTTP/streamable-http transport (not for stdio or SSE)
+        const isHttpTransport = this.transportConfig.type === "streamable-http";
+        if (isHttpTransport && !useAuthBroker) {
+            // Only initialize if --auth-broker flag is NOT set (for stdio/SSE, ignore the flag)
+            // For stdio/SSE, --auth-broker flag is ignored
+        }
+        else if (isHttpTransport && useAuthBroker) {
+            // Support DEBUG_AUTH_BROKER as alias for DEBUG_AUTH_LOG
+            // If DEBUG_AUTH_BROKER is set, ensure DEBUG_AUTH_LOG is also set for auth-broker package
+            if (process.env.DEBUG_AUTH_BROKER === "true" && !process.env.DEBUG_AUTH_LOG) {
+                process.env.DEBUG_AUTH_LOG = "true";
+            }
+            // Get paths for service keys and sessions
+            // Use authBrokerPath if provided, otherwise use default platform paths
+            // If authBrokerPath is provided, it's the base path - service-keys and sessions will be subdirectories
+            const customPath = authBrokerPath ? path_1.default.resolve(authBrokerPath.replace(/^~/, os.homedir())) : undefined;
+            const serviceKeysPaths = (0, platformPaths_1.getPlatformPaths)(customPath, 'service-keys');
+            const sessionsPaths = (0, platformPaths_1.getPlatformPaths)(customPath, 'sessions');
+            // Create directories if they don't exist
+            const fs = require('fs');
+            const serviceKeysDir = serviceKeysPaths[0]; // First path is where we save
+            const sessionsDir = sessionsPaths[0]; // First path is where we save
+            if (!fs.existsSync(serviceKeysDir)) {
+                fs.mkdirSync(serviceKeysDir, { recursive: true });
+                logger_1.logger?.info("Created service keys directory", {
+                    type: "SERVICE_KEYS_DIR_CREATED",
+                    path: serviceKeysDir,
+                });
+            }
+            if (!fs.existsSync(sessionsDir)) {
+                fs.mkdirSync(sessionsDir, { recursive: true });
+                logger_1.logger?.info("Created sessions directory", {
+                    type: "SESSIONS_DIR_CREATED",
+                    path: sessionsDir,
+                });
+            }
+            logger_1.logger?.info("AuthBroker will be initialized lazily when destination is needed", {
+                type: "AUTH_BROKER_LAZY_INIT",
+                transport: this.transportConfig.type,
+                useAuthBrokerFlag: useAuthBroker,
+                hasEnvFile: !!envFilePath,
+                authBrokerPath: customPath || 'default',
+            });
+            // Print paths information with stars and empty lines
+            console.log('');
+            console.log('********************************************************************************');
+            console.log('* AuthBroker Storage Paths:');
+            console.log('*');
+            console.log('* Service Keys (searched in order):');
+            serviceKeysPaths.forEach((p, i) => {
+                console.log(`*   ${i + 1}. ${p}`);
+            });
+            console.log('*');
+            console.log('* Sessions (saved to):');
+            sessionsPaths.forEach((p, i) => {
+                console.log(`*   ${i + 1}. ${p}`);
+            });
+            console.log('********************************************************************************');
+            console.log('');
+        }
+        else {
+            logger_1.logger?.info("AuthBroker not available - not needed for this transport type", {
+                type: "AUTH_BROKER_SKIPPED",
+                transport: this.transportConfig.type,
+                reason: "AuthBroker is only used for HTTP/streamable-http transport. For stdio/SSE, use .env file instead.",
+            });
+        }
+        if (this.transportConfig.type === "streamable-http") {
+            logger_1.logger?.info("Transport configured", {
+                type: "TRANSPORT_CONFIG",
+                transport: this.transportConfig.type,
+                host: this.transportConfig.host,
+                port: this.transportConfig.port,
+                enableJsonResponse: this.transportConfig.enableJsonResponse,
+                allowedOrigins: this.transportConfig.allowedOrigins ?? [],
+                allowedHosts: this.transportConfig.allowedHosts ?? [],
+                enableDnsRebindingProtection: this.transportConfig.enableDnsRebindingProtection,
+            });
+        }
+        else if (this.transportConfig.type === "sse") {
+            logger_1.logger?.info("Transport configured", {
+                type: "TRANSPORT_CONFIG",
+                transport: this.transportConfig.type,
+                host: this.transportConfig.host,
+                port: this.transportConfig.port,
+                allowedOrigins: this.transportConfig.allowedOrigins ?? [],
+                allowedHosts: this.transportConfig.allowedHosts ?? [],
+                enableDnsRebindingProtection: this.transportConfig.enableDnsRebindingProtection,
+            });
+        }
+        else {
+            logger_1.logger?.info("Transport configured", {
+                type: "TRANSPORT_CONFIG",
+                transport: this.transportConfig.type,
+            });
+        }
+        // Register handlers immediately if context is provided (for embedding scenarios)
+        if (options?.context) {
+            this.registerHandlers(options.context);
+            logger_1.logger?.info("Handlers registered via context injection", {
+                type: "HANDLERS_REGISTERED_VIA_CONTEXT",
+                exposition: this.exposition,
+            });
+        }
+    }
+    /**
+     * Creates AbapConnection from available sources (headers, broker, or .env)
+     * @param headers - Optional HTTP headers containing connection info
+     * @param sessionId - Optional session ID
+     * @param destination - Optional destination name for broker-based auth
+     * @returns AbapConnection instance
+     * @private
+     */
+    async getOrCreateConnectionForServer(headers, sessionId, destination) {
+        // Extract destination from headers if not provided
+        let actualDestination = destination;
+        if (!actualDestination && headers) {
+            actualDestination = headers[interfaces_1.HEADER_MCP_DESTINATION] ||
+                headers['X-MCP-Destination'] ||
+                headers['x-mcp-destination'];
+        }
+        // Use default destination if still not set
+        if (!actualDestination && this.defaultDestination) {
+            actualDestination = this.defaultDestination;
+            logger_1.logger?.debug('Using default destination for connection', {
+                destination: actualDestination,
+                type: 'DEFAULT_DESTINATION_USED',
+            });
+        }
+        logger_1.logger?.info("Creating connection for server", {
+            type: "CONNECTION_CREATION_START",
+            hasHeaders: !!headers,
+            sessionId: sessionId || 'not-provided',
+            destination: actualDestination || 'not-provided',
+        });
+        // Try to get connection from session context first
+        const context = utils_1.sessionContext.getStore();
+        if (context?.sapConfig) {
+            logger_1.logger?.info("Using connection from session context", {
+                type: "CONNECTION_FROM_SESSION_CONTEXT",
+                sessionId: sessionId || 'not-provided',
+                url: context.sapConfig.url,
+                authType: context.sapConfig.authType,
+            });
+            const sessionConnection = (0, connection_1.createAbapConnection)(context.sapConfig, loggerAdapter_1.loggerAdapter, sessionId || `mcp-server-${(0, crypto_1.randomUUID)()}`);
+            return sessionConnection;
+        }
+        // If headers provided, create connection from headers
+        if (headers && this.hasSapHeaders(headers)) {
+            // Get config from headers (already processed by applyAuthHeaders)
+            const config = this.sapConfig;
+            if (config && config.url !== "http://placeholder" && config.url !== "http://injected-connection") {
+                // If destination is known, try to refresh token via auth broker before creating connection
+                if (actualDestination) {
+                    try {
+                        const brokerForHeaders = await this.getOrCreateAuthBroker(actualDestination, sessionId || 'global');
+                        if (brokerForHeaders) {
+                            const freshToken = await brokerForHeaders.getToken(actualDestination);
+                            if (freshToken && config) {
+                                config.authorizationToken = freshToken;
+                            }
+                            const { registerAuthBroker } = require('../../lib/utils.js');
+                            registerAuthBroker(actualDestination, brokerForHeaders);
+                        }
+                    }
+                    catch (e) {
+                        logger_1.logger?.warn?.("Auth broker refresh failed for header connection", {
+                            type: "CONNECTION_FROM_HEADERS_BROKER_WARN",
+                            error: e instanceof Error ? e.message : String(e),
+                        });
+                    }
+                }
+                logger_1.logger?.info("Using connection from headers", {
+                    type: "CONNECTION_FROM_HEADERS",
+                    sessionId: sessionId || 'not-provided',
+                    url: config.url,
+                    authType: config.authType,
+                });
+                let connection = (0, connection_1.createAbapConnection)(config, loggerAdapter_1.loggerAdapter, sessionId || `mcp-server-${(0, crypto_1.randomUUID)()}`);
+                return connection;
+            }
+        }
+        // If destination provided, create connection via broker
+        if (actualDestination) {
+            try {
+                logger_1.logger?.info("Attempting to create connection via auth broker", {
+                    type: "CONNECTION_VIA_BROKER_ATTEMPT",
+                    destination: actualDestination,
+                    sessionId: sessionId || 'not-provided',
+                });
+                const authBroker = await this.getOrCreateAuthBroker(actualDestination, sessionId || 'global');
+                console.error("[DEBUG v1] authBroker result:", { hasBroker: !!authBroker, destination: actualDestination });
+                if (authBroker) {
+                    const connConfig = await authBroker.getConnectionConfig(actualDestination);
+                    console.error("[DEBUG v1] connConfig result:", {
+                        hasConfig: !!connConfig,
+                        serviceUrl: connConfig?.serviceUrl?.substring(0, 50),
+                        authType: connConfig?.authType,
+                        hasToken: !!connConfig?.authorizationToken,
+                        hasUsername: !!connConfig?.username,
+                    });
+                    if (connConfig?.serviceUrl) {
+                        // Register AuthBroker in global registry for connection to use during token refresh
+                        const { registerAuthBroker } = require('../../lib/utils.js');
+                        registerAuthBroker(actualDestination, authBroker);
+                        // Determine auth type from connection config (like v2)
+                        const authType = connConfig.authType ||
+                            (connConfig.username && connConfig.password ? 'basic' : 'jwt');
+                        let config;
+                        if (authType === 'basic') {
+                            // Basic auth - use username/password from connection config
+                            config = {
+                                url: connConfig.serviceUrl,
+                                authType: "basic",
+                                username: connConfig.username,
+                                password: connConfig.password,
+                                client: connConfig.sapClient,
+                            };
+                            logger_1.logger?.info("Using basic auth connection from auth broker", {
+                                type: "CONNECTION_FROM_BROKER_BASIC",
+                                destination: actualDestination,
+                                sessionId: sessionId || 'not-provided',
+                                url: config.url,
+                                authType: config.authType,
+                            });
+                        }
+                        else {
+                            // JWT auth - try to get fresh token from broker
+                            let jwtToken;
+                            try {
+                                jwtToken = await authBroker.getToken(actualDestination);
+                            }
+                            catch (error) {
+                                // Broker can't provide/refresh token (e.g., no UAA credentials for .env-only setup)
+                                // Use existing token from connectionConfig
+                                logger_1.logger?.debug?.("Broker can't refresh token, using existing token from session", {
+                                    type: "TOKEN_REFRESH_FALLBACK",
+                                    destination: actualDestination,
+                                    error: error instanceof Error ? error.message : String(error),
+                                });
+                                jwtToken = connConfig.authorizationToken;
+                            }
+                            const tokenToUse = jwtToken || connConfig.authorizationToken;
+                            if (!tokenToUse) {
+                                logger_1.logger?.warn("No JWT token available for connection", {
+                                    type: "NO_JWT_TOKEN",
+                                    destination: actualDestination,
+                                });
+                                throw new Error(`No JWT token available for destination: ${actualDestination}`);
+                            }
+                            config = {
+                                url: connConfig.serviceUrl,
+                                authType: "jwt",
+                                jwtToken: tokenToUse,
+                                client: connConfig.sapClient,
+                            };
+                            logger_1.logger?.info("Using JWT auth connection from auth broker", {
+                                type: "CONNECTION_FROM_BROKER_JWT",
+                                destination: actualDestination,
+                                sessionId: sessionId || 'not-provided',
+                                url: config.url,
+                                authType: config.authType,
+                            });
+                        }
+                        // Create connection
+                        let connection = (0, connection_1.createAbapConnection)(config, loggerAdapter_1.loggerAdapter, sessionId || `mcp-server-${(0, crypto_1.randomUUID)()}`);
+                        return connection;
+                    }
+                }
+            }
+            catch (error) {
+                logger_1.logger?.warn("Failed to create connection from destination", {
+                    type: "CONNECTION_FROM_DESTINATION_FAILED",
+                    destination: actualDestination,
+                    error: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        // Fallback to default config (from .env or constructor)
+        // BUT: Don't use .env fallback if we have defaultDestination (means we're using auth-broker)
+        // This prevents .env from being used when --mcp is specified
+        if (this.sapConfig &&
+            this.sapConfig.url !== "http://placeholder" &&
+            this.sapConfig.url !== "http://injected-connection" &&
+            !this.defaultDestination) { // Don't fallback to .env if using auth-broker
+            logger_1.logger?.info("Using connection from default config (.env or constructor)", {
+                type: "CONNECTION_FROM_DEFAULT_CONFIG",
+                sessionId: sessionId || 'not-provided',
+                url: this.sapConfig.url,
+                authType: this.sapConfig.authType,
+            });
+            return (0, connection_1.createAbapConnection)(this.sapConfig, loggerAdapter_1.loggerAdapter, sessionId || `mcp-server-${(0, crypto_1.randomUUID)()}`);
+        }
+        logger_1.logger?.error("Unable to create connection: no valid configuration available", {
+            type: "CONNECTION_CREATION_FAILED",
+            hasHeaders: !!headers,
+            sessionId: sessionId || 'not-provided',
+            destination: actualDestination || 'not-provided',
+            defaultDestination: this.defaultDestination || 'not-set',
+            hasSapConfig: !!this.sapConfig,
+            sapConfigUrl: this.sapConfig?.url || 'not-set',
+        });
+        throw new Error("Unable to create connection: no valid configuration available");
+    }
+    /**
+     * Creates a new McpServer instance with all handlers registered
+     * Used for SSE sessions where each session needs its own server instance
+     * @param context - HandlerContext instance to use for handlers
+     * @private
+     */
+    createMcpServerForSession(context) {
+        const server = new mcp_js_1.McpServer({
+            name: "mcp-abap-adt",
+            version: "0.1.0"
+        });
+        // Register all tools using McpHandlers
+        const handlers = new mcp_handlers_1.McpHandlers();
+        handlers.RegisterAllToolsOnServer(server, context, this.exposition);
+        return server;
+    }
+    /**
+     * Register handlers on the internal McpServer with a provided context.
+     * Use this when embedding mcp_abap_adt_server in an external server
+     * that manages its own connection lifecycle.
+     *
+     * @param context - HandlerContext with connection and logger
+     * @public
+     */
+    registerHandlers(context) {
+        this.mcpHandlers.RegisterAllToolsOnServer(this.mcpServer, context, this.exposition);
+    }
+    /**
+     * Sets up handlers for new McpServer using registerTool (recommended API)
+     * @param context - HandlerContext with connection and logger
+     * @private
+     */
+    setupMcpServerHandlers(context) {
+        // Connection is already wrapped with token refresh in run() method
+        // Just register handlers with the provided context
+        this.mcpHandlers.RegisterAllToolsOnServer(this.mcpServer, context, this.exposition);
+    }
+    /**
+     * Creates a wrapper connection that refreshes token before each request
+     * @private
+     */
+    createConnectionWithTokenRefresh(connection, destination) {
+        const connectionWithRefresh = connection;
+        // Wrap makeAdtRequest to refresh token before each request
+        if (connectionWithRefresh.makeAdtRequest) {
+            const originalMakeAdtRequest = connectionWithRefresh.makeAdtRequest.bind(connection);
+            connectionWithRefresh.makeAdtRequest = async function (options) {
+                // Always refresh token via AuthBroker before request (AuthBroker will refresh if needed)
+                const { getAuthBroker } = require('../../lib/utils.js');
+                const authBroker = getAuthBroker(destination);
+                logger_1.logger?.debug('makeAdtRequest called, checking AuthBroker', {
+                    destination,
+                    hasAuthBroker: !!authBroker,
+                    method: options?.method,
+                    url: options?.url,
+                });
+                if (!authBroker) {
+                    logger_1.logger?.warn('AuthBroker not found for destination, cannot refresh token', {
+                        destination,
+                        type: 'AUTH_BROKER_NOT_FOUND',
+                    });
+                    // Continue without refresh - will use existing token
+                    return await originalMakeAdtRequest(options);
+                }
+                try {
+                    // Get fresh token from AuthBroker (will refresh automatically if expired)
+                    logger_1.logger?.debug('Requesting fresh token from AuthBroker', {
+                        destination,
+                        type: 'TOKEN_REFRESH_REQUEST',
+                    });
+                    const freshToken = await authBroker.getToken(destination);
+                    const config = connectionWithRefresh.getConfig();
+                    if (config) {
+                        // Always update token (AuthBroker.getToken() returns fresh token)
+                        const tokenChanged = config.jwtToken !== freshToken;
+                        const oldToken = config.jwtToken;
+                        logger_1.logger?.debug('Updating connection config with fresh token', {
+                            destination,
+                            tokenChanged,
+                            oldTokenPreview: oldToken ? oldToken.substring(0, 20) + '...' : 'none',
+                            newTokenPreview: freshToken.substring(0, 20) + '...',
+                            type: 'TOKEN_UPDATE',
+                        });
+                        config.jwtToken = freshToken;
+                        // Verify token was updated
+                        const verifyConfig = connectionWithRefresh.getConfig();
+                        if (verifyConfig.jwtToken !== freshToken) {
+                            logger_1.logger?.error('Token update failed - config.jwtToken does not match fresh token', {
+                                destination,
+                                expectedPreview: freshToken.substring(0, 20) + '...',
+                                actualPreview: verifyConfig.jwtToken ? verifyConfig.jwtToken.substring(0, 20) + '...' : 'none',
+                                type: 'TOKEN_UPDATE_FAILED',
+                            });
+                        }
+                        // Get refresh token from session store if available
+                        try {
+                            const { authorizationConfig } = await authBroker.getConnectionConfig(destination);
+                            if (authorizationConfig?.refreshToken) {
+                                config.refreshToken = authorizationConfig.refreshToken;
+                            }
+                        }
+                        catch (configError) {
+                            // Ignore errors getting refresh token (not critical)
+                            logger_1.logger?.debug('Could not get refresh token from AuthBroker', {
+                                destination,
+                                error: configError instanceof Error ? configError.message : String(configError),
+                            });
+                        }
+                        // Reset connection only if token changed to ensure fresh token is used
+                        // This ensures that buildAuthorizationHeader() will use the new token
+                        // Don't reset if token didn't change to preserve CSRF token and cookies
+                        if (tokenChanged) {
+                            connectionWithRefresh.reset();
+                            logger_1.logger?.info('Token refreshed via AuthBroker before request', {
+                                destination,
+                                tokenPreview: freshToken.substring(0, 20) + '...',
+                                oldTokenPreview: oldToken ? oldToken.substring(0, 20) + '...' : 'none',
+                                type: 'TOKEN_REFRESHED_BEFORE_REQUEST',
+                            });
+                        }
+                        else {
+                            // Token didn't change - no need to reset, connection can reuse CSRF token and cookies
+                            logger_1.logger?.debug('Token verified via AuthBroker before request (no change, keeping session)', {
+                                destination,
+                                tokenPreview: freshToken.substring(0, 20) + '...',
+                                type: 'TOKEN_VERIFIED_BEFORE_REQUEST',
+                            });
+                        }
+                    }
+                    else {
+                        logger_1.logger?.warn('Connection config not available, cannot update token', {
+                            destination,
+                            type: 'CONNECTION_CONFIG_NOT_AVAILABLE',
+                        });
+                    }
+                }
+                catch (error) {
+                    logger_1.logger?.error('Failed to refresh token before request', {
+                        error: error instanceof Error ? error.message : String(error),
+                        destination,
+                        errorStack: error instanceof Error ? error.stack : undefined,
+                        type: 'TOKEN_REFRESH_FAILED',
+                    });
+                    // Continue with existing token - will try to use it, but may fail if expired
+                }
+                // Call original makeAdtRequest (with potentially refreshed token)
+                try {
+                    return await originalMakeAdtRequest(options);
+                }
+                catch (error) {
+                    // If we still get 401/403 or "JWT token has expired" error, try to refresh token again
+                    const isAuthError = error?.response?.status === 401 || error?.response?.status === 403;
+                    const isExpiredTokenError = error?.message?.includes('JWT token has expired') ||
+                        error?.message?.includes('Please re-authenticate');
+                    if ((isAuthError || isExpiredTokenError) && authBroker) {
+                        // Check if this is a permissions error, not an auth error
+                        const responseData = error?.response?.data;
+                        const responseText = typeof responseData === "string" ? responseData : JSON.stringify(responseData || "");
+                        if (responseText.includes("ExceptionResourceNoAccess") ||
+                            responseText.includes("No authorization") ||
+                            responseText.includes("Missing authorization")) {
+                            // Not an auth token issue, re-throw
+                            throw error;
+                        }
+                        // Try to refresh token again and retry
+                        try {
+                            logger_1.logger?.info('Got 401/403 after token refresh, attempting to refresh token again', {
+                                destination,
+                                error: error?.message,
+                                type: 'TOKEN_REFRESH_RETRY',
+                            });
+                            const freshToken = await authBroker.getToken(destination);
+                            const config = connectionWithRefresh.getConfig();
+                            if (config) {
+                                config.jwtToken = freshToken;
+                                // Get refresh token from session store if available
+                                try {
+                                    const { authorizationConfig } = await authBroker.getConnectionConfig(destination);
+                                    if (authorizationConfig?.refreshToken) {
+                                        config.refreshToken = authorizationConfig.refreshToken;
+                                    }
+                                }
+                                catch (configError) {
+                                    // Ignore errors getting refresh token
+                                }
+                                // Reset connection to use new token
+                                connectionWithRefresh.reset();
+                                logger_1.logger?.info('Token refreshed again, retrying request', {
+                                    destination,
+                                    tokenPreview: freshToken.substring(0, 20) + '...',
+                                    type: 'TOKEN_REFRESHED_RETRY',
+                                });
+                                // Retry the request with new token
+                                return await originalMakeAdtRequest(options);
+                            }
+                        }
+                        catch (refreshError) {
+                            logger_1.logger?.error('Failed to refresh token on retry', {
+                                destination,
+                                error: refreshError instanceof Error ? refreshError.message : String(refreshError),
+                                type: 'TOKEN_REFRESH_RETRY_FAILED',
+                            });
+                            // Re-throw original error if refresh fails
+                            throw error;
+                        }
+                    }
+                    // Re-throw error if not handled
+                    throw error;
+                }
+            };
+        }
+        return connectionWithRefresh;
+    }
+    setupSignalHandlers() {
+        const signals = ["SIGINT", "SIGTERM"];
+        for (const signal of signals) {
+            process.on(signal, () => {
+                if (this.shuttingDown) {
+                    return;
+                }
+                this.shuttingDown = true;
+                logger_1.logger?.info("Received shutdown signal", {
+                    type: "SERVER_SHUTDOWN_SIGNAL",
+                    signal,
+                    transport: this.transportConfig.type,
+                });
+                void this.shutdown().finally(() => {
+                    if (this.allowProcessExit) {
+                        process.exit(0);
+                    }
+                });
+            });
+        }
+    }
+    async shutdown() {
+        try {
+            await this.mcpServer.close();
+        }
+        catch (error) {
+            logger_1.logger?.error("Failed to close MCP server", {
+                type: "SERVER_SHUTDOWN_ERROR",
+                error: error instanceof Error ? error.message : String(error),
+            });
+        }
+        if (this.httpServer) {
+            await new Promise((resolve) => {
+                this.httpServer?.close((closeError) => {
+                    if (closeError) {
+                        logger_1.logger?.error("Failed to close HTTP server", {
+                            type: "HTTP_SERVER_SHUTDOWN_ERROR",
+                            error: closeError instanceof Error ? closeError.message : String(closeError),
+                        });
+                    }
+                    resolve();
+                });
+            });
+            this.httpServer = undefined;
+        }
+    }
+}
+exports.mcp_abap_adt_server = mcp_abap_adt_server;
+// if (process.env.MCP_SKIP_AUTO_START !== "true") {
+//   const server = new mcp_abap_adt_server();
+//   server.run().catch((error) => {
+//     logger?.error("Fatal error while running MCP server", {
+//       type: "SERVER_FATAL_ERROR",
+//       error: error instanceof Error ? error.message : String(error),
+//     });
+//     // Always write to stderr (safe even in stdio mode)
+//     process.stderr.write(`[MCP] ✗ Fatal error: ${error instanceof Error ? error.message : String(error)}\n`);
+//     // On Windows, add a small delay before exit to allow error message to be visible
+//     if (process.platform === 'win32') {
+//       setTimeout(() => process.exit(1), 100);
+//     } else {
+//       process.exit(1);
+//     }
+//   });
+// }
+//# sourceMappingURL=legacy-server.js.map