@mcp-abap-adt/core 7.1.1 → 7.2.0

package/docs/architecture/HANDLER_EXPORTER.md

@@ -13,14 +13,14 @@ The `HandlerExporter` class allows you to register all ABAP ADT handlers on any
 ## Installation
 
 ```bash
-npm install @fr0ster/mcp-abap-adt
+npm install @mcp-abap-adt/core
 ```
 
 ## Basic Usage
 
 ```typescript
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { HandlerExporter } from "@fr0ster/mcp-abap-adt/handlers";
+import { HandlerExporter } from "@mcp-abap-adt/core/handlers";
 import { createAbapConnection } from "@mcp-abap-adt/connection";
 
 // Create your MCP server
@@ -138,7 +138,7 @@ for (const entry of entries) {
 If you're using v2 server classes directly:
 
 ```typescript
-import { StreamableHttpServer } from "@fr0ster/mcp-abap-adt/server/v2";
+import { StreamableHttpServer } from "@mcp-abap-adt/core/server/v2";
 
 const exporter = new HandlerExporter();
 const registry = exporter.createRegistry();
@@ -155,7 +155,7 @@ Example for cloud-llm-hub style integration:
 ```typescript
 import cds from "@sap/cds";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { HandlerExporter } from "@fr0ster/mcp-abap-adt";
+import { HandlerExporter } from "@mcp-abap-adt/core";
 import { createConnection } from "./connections/connectionFactory";
 
 // Create MCP server instance
@@ -191,12 +191,12 @@ If you were using `mcp_abap_adt_server` directly:
 
 ```typescript
 // Old way (still works via legacy import)
-import { mcp_abap_adt_server } from "@fr0ster/mcp-abap-adt";
+import { mcp_abap_adt_server } from "@mcp-abap-adt/core";
 const server = new mcp_abap_adt_server({ connection });
 await server.run();
 
 // New way (recommended for embedding)
-import { HandlerExporter } from "@fr0ster/mcp-abap-adt/handlers";
+import { HandlerExporter } from "@mcp-abap-adt/core/handlers";
 const exporter = new HandlerExporter();
 exporter.registerOnServer(yourMcpServer, () => connection);
 ```

package/docs/architecture/README.md

@@ -15,7 +15,7 @@ The default `mcp-abap-adt` command runs the v2 server with full transport suppor
 ### Handler Exporter (v1)
 For embedding into existing servers (e.g., CAP/CDS applications):
 ```typescript
-import { HandlerExporter } from '@fr0ster/mcp-abap-adt/handlers';
+import { HandlerExporter } from '@mcp-abap-adt/core/handlers';
 
 const exporter = new HandlerExporter({
   includeReadOnly: true,

package/docs/architecture/TOOLS_ARCHITECTURE.md

@@ -16,24 +16,33 @@ Each module now owns its description via a constant `TOOL_DEFINITION` structure
 ### 1. Handler Organization
 
 Handlers are organized into categorized subdirectories under `src/handlers/`:
-- `bdef/` - Behavior Definition handlers
+- `behavior_definition/` - Behavior Definition handlers
+- `behavior_implementation/` - Behavior Implementation handlers
 - `class/` - Class handlers
 - `common/` - Common handlers (activate, delete, check, lock, unlock, validate)
+- `compact/` - Compact facade handlers
 - `data_element/` - Data Element handlers
-- `ddlx/` - Metadata Extension handlers
+- `ddlx/` - DDLX (metadata extension) handlers
 - `domain/` - Domain handlers
 - `enhancement/` - Enhancement handlers
-- `function/` - Function handlers
+- `function/` - Function (function module) handlers
+- `function_group/` - Function Group handlers
+- `function_include/` - Function Include handlers
+- `function_module/` - Function Module handlers
 - `include/` - Include handlers
 - `interface/` - Interface handlers
+- `metadata_extension/` - Metadata Extension handlers
 - `package/` - Package handlers
 - `program/` - Program handlers
 - `search/` - Search handlers
+- `service_binding/` - Service Binding handlers
+- `service_definition/` - Service Definition handlers
 - `structure/` - Structure handlers
 - `system/` - System handlers
 - `table/` - Table handlers
 - `transport/` - Transport handlers
-- `view/` - View handlers
+- `unit_test/` - ABAP Unit test handlers
+- `view/` - View (CDS) handlers
 
 This organization improves code navigation, reduces merge conflicts, and makes the codebase more maintainable.
 

package/docs/configuration/YAML_CONFIG.md

@@ -28,7 +28,7 @@ Command-line arguments **always override** YAML values. This allows you to:
 Example:
 ```bash
 # Use config.yaml but override the port
-mcp-abap-adt --conf=config.yaml --http-port=8080
+mcp-abap-adt --conf=config.yaml --port=8080
 ```
 
 ## Configuration File Structure
@@ -66,9 +66,9 @@ http:
   # When using 0.0.0.0, client must provide all connection headers - server won't use default destination
   host: 127.0.0.1
   json-response: false
-  allowed-origins: []
-  allowed-hosts: []
-  enable-dns-protection: false
+  allowed-hosts: []          # DNS-rebinding protection: exact Host values incl. port, e.g. ["localhost:3000"]
+  allowed-origins: []        # DNS-rebinding protection: exact Origin values incl. scheme, e.g. ["https://app.example.com"]
+  enable-dns-protection: false  # Enable Host/Origin allowlist validation (needs at least one list set)
 
 # SSE (Server-Sent Events) transport options
 sse:
@@ -76,9 +76,9 @@ sse:
   # Host binding: 127.0.0.1 (default, localhost only, secure) or 0.0.0.0 (all interfaces, less secure)
   # When using 0.0.0.0, client must provide all connection headers - server won't use default destination
   host: 127.0.0.1
-  allowed-origins: []
-  allowed-hosts: []
-  enable-dns-protection: false
+  allowed-hosts: []          # DNS-rebinding protection: exact Host values incl. port, e.g. ["localhost:3001"]
+  allowed-origins: []        # DNS-rebinding protection: exact Origin values incl. scheme, e.g. ["https://app.example.com"]
+  enable-dns-protection: false  # Enable Host/Origin allowlist validation (needs at least one list set)
 ```
 
 ## Configuration Options
@@ -101,21 +101,21 @@ sse:
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `http.port` | number | `3000` | HTTP server port |
-| `http.host` | string | `0.0.0.0` | HTTP server host (`0.0.0.0` for all interfaces, `localhost` for local only) |
+| `http.host` | string | `127.0.0.1` | HTTP server host (`127.0.0.1`/`localhost` for local only, `0.0.0.0` for all interfaces) |
 | `http.json-response` | boolean | `false` | Enable JSON response format |
-| `http.allowed-origins` | array/string | `[]` | Allowed CORS origins (comma-separated string or array) |
-| `http.allowed-hosts` | array/string | `[]` | Allowed hosts (comma-separated string or array) |
-| `http.enable-dns-protection` | boolean | `false` | Enable DNS rebinding protection |
+| `http.allowed-hosts` | string[] | `[]` | DNS-rebinding protection: exact Host header values to allow, including port (e.g. `localhost:3000`). NOT browser CORS — no Access-Control-Allow-Origin headers are emitted. |
+| `http.allowed-origins` | string[] | `[]` | DNS-rebinding protection: exact Origin header values to allow, including scheme (e.g. `https://app.example.com`). |
+| `http.enable-dns-protection` | boolean | `false` | Enable Host/Origin allowlist validation. Required for `allowed-hosts`/`allowed-origins` to take effect; needs at least one list set. Non-allowlisted Host/Origin → HTTP 403. |
 
 ### SSE Options
 
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `sse.port` | number | `3001` | SSE server port |
-| `sse.host` | string | `0.0.0.0` | SSE server host |
-| `sse.allowed-origins` | array/string | `[]` | Allowed CORS origins (comma-separated string or array) |
-| `sse.allowed-hosts` | array/string | `[]` | Allowed hosts (comma-separated string or array) |
-| `sse.enable-dns-protection` | boolean | `false` | Enable DNS rebinding protection |
+| `sse.host` | string | `127.0.0.1` | SSE server host |
+| `sse.allowed-hosts` | string[] | `[]` | DNS-rebinding protection: exact Host header values to allow, including port (e.g. `localhost:3001`). NOT browser CORS — no Access-Control-Allow-Origin headers are emitted. |
+| `sse.allowed-origins` | string[] | `[]` | DNS-rebinding protection: exact Origin header values to allow, including scheme (e.g. `https://app.example.com`). |
+| `sse.enable-dns-protection` | boolean | `false` | Enable Host/Origin allowlist validation. Required for `allowed-hosts`/`allowed-origins` to take effect; needs at least one list set. Non-allowlisted Host/Origin → HTTP 403. |
 
 ## Examples
 
@@ -145,15 +145,13 @@ Usage:
 mcp-abap-adt --conf=config.yaml
 ```
 
-### Example 3: SSE Mode with CORS
+### Example 3: SSE Mode with Custom Host and Port
 
 ```yaml
 transport: sse
 sse:
   port: 3001
-  allowed-origins:
-    - http://localhost:3000
-    - http://localhost:5173
+  host: 127.0.0.1
 ```
 
 Usage:
@@ -225,13 +223,11 @@ http:
   port: 3000
 ```
 
-### Test Config 4: sse-cors.yaml
+### Test Config 4: sse-default.yaml
 ```yaml
 transport: sse
 sse:
   port: 3001
-  allowed-origins:
-    - http://localhost:3000
 ```
 
 Run tests with different configs:
@@ -239,7 +235,7 @@ Run tests with different configs:
 mcp-abap-adt --conf=stdio-stdio.yaml
 mcp-abap-adt --conf=stdio-env.yaml
 mcp-abap-adt --conf=http-default.yaml
-mcp-abap-adt --conf=sse-cors.yaml
+mcp-abap-adt --conf=sse-default.yaml
 ```
 
 ## Benefits

package/docs/deployment/GITHUB_ACTIONS.md

@@ -12,7 +12,7 @@ Automatically creates GitHub releases when you push a version tag.
 
 **What it does:**
 1. Checks out code with submodules
-2. Sets up Node.js 18
+2. Sets up Node.js 22
 3. Installs dependencies
 4. Builds the project
 5. Runs tests (non-blocking)
@@ -42,7 +42,7 @@ Runs continuous integration tests on every push and PR.
 
 **What it does:**
 1. Tests on multiple OS (Ubuntu, macOS, Windows)
-2. Tests on multiple Node.js versions (18, 20)
+2. Tests on multiple Node.js versions (22, 25)
 3. Builds and tests the project
 4. Verifies package creation
 5. Tests package installation

package/docs/development/ASSISTANT_GUIDELINES.md

@@ -160,7 +160,7 @@ When reviewing code or documentation:
 
 This submodule is used by the main `cloud-llm-hub` project:
 
-- **Import path**: `@fr0ster/mcp-abap-adt`
+- **Import path**: `@mcp-abap-adt/core`
 - **Build output**: `dist/` directory
 - **Usage**: Imported in `srv/mcp-proxy.ts` and `srv/mcp-manager.ts`
 - **MCP Endpoints**: Exposed via CAP service at `/mcp/stream/http` and `/mcp/sse`

package/docs/development/tests/TESTING_AUTH.md

@@ -47,7 +47,7 @@ EOF
 
 ```bash
 cd /home/okyslytsia/prj/mcp-abap-adt
-npm run dev:stdio
+npm run dev
 # or
 npm run dev:http
 # or
@@ -105,7 +105,7 @@ cat > TRIAL.json << 'EOF'
 EOF
 
 # Start server from this directory
-npm run dev:stdio
+npm run dev
 ```
 
 ## Debug Mode:
@@ -113,7 +113,7 @@ npm run dev:stdio
 To enable debug logs for auth-broker:
 
 ```bash
-DEBUG_AUTH_LOG=true npm run dev:stdio
+DEBUG_AUTH_LOG=true npm run dev
 ```
 
 ## Test Logging Switches

package/docs/installation/CLINE_CONFIGURATION.md

@@ -33,9 +33,9 @@ Cline reads MCP server configurations from:
 
 If you installed via npm:
 ```bash
-npm install -g @fr0ster/mcp-abap-adt
+npm install -g @mcp-abap-adt/core
 # or
-npx @fr0ster/mcp-abap-adt
+npx @mcp-abap-adt/core
 ```
 
 Use the simpler configurations below (no need to specify full paths).
@@ -61,7 +61,7 @@ If you cloned the repository and are developing locally, use the full path confi
       "command": "npx",
       "args": [
         "-y",
-        "@fr0ster/mcp-abap-adt",
+        "@mcp-abap-adt/core",
         "--transport=stdio",
         "--env=/absolute/path/to/.env"
       ],
@@ -80,7 +80,7 @@ If you cloned the repository and are developing locally, use the full path confi
       "command": "npx",
       "args": [
         "-y",
-        "@fr0ster/mcp-abap-adt",
+        "@mcp-abap-adt/core",
         "--transport=stdio",
         "--env=/Users/username/.env"
       ],
@@ -99,7 +99,7 @@ If you cloned the repository and are developing locally, use the full path confi
       "command": "npx",
       "args": [
         "-y",
-        "@fr0ster/mcp-abap-adt",
+        "@mcp-abap-adt/core",
         "--transport=stdio",
         "--env=C:/Users/username/.env"
       ],
@@ -112,7 +112,7 @@ If you cloned the repository and are developing locally, use the full path confi
 
 #### B. Using Global Installation
 
-If you installed globally (`npm install -g @fr0ster/mcp-abap-adt`):
+If you installed globally (`npm install -g @mcp-abap-adt/core`):
 
 **With .env file:**
 ```json
@@ -192,12 +192,12 @@ Choose one method:
 
 **A. Using NPX** (recommended):
 ```bash
-npx @fr0ster/mcp-abap-adt --transport=http --http-port=3000
+npx @mcp-abap-adt/core --transport=http --port=3000
 ```
 
 **B. Using Global Install**:
 ```bash
-mcp-abap-adt --transport=http --http-port=3000
+mcp-abap-adt --transport=http --port=3000
 ```
 
 **C. Using NPM Script** (local development):
@@ -258,12 +258,12 @@ Choose one method:
 
 **A. Using NPX** (recommended):
 ```bash
-npx @fr0ster/mcp-abap-adt --transport=sse --sse-port=3001 --env=/path/to/.env
+npx @mcp-abap-adt/core --transport=sse --port=3001 --env=/path/to/.env
 ```
 
 **B. Using Global Install**:
 ```bash
-mcp-abap-adt --transport=sse --sse-port=3001 --env=/path/to/.env
+mcp-abap-adt --transport=sse --port=3001 --env=/path/to/.env
 ```
 
 **C. Using NPM Script** (local development):
@@ -418,18 +418,10 @@ You can run multiple instances with different SAP systems:
 
 ```bash
 # HTTP
-node ./bin/mcp-abap-adt.js --transport=http --http-port=8080 --http-host=0.0.0.0
+node ./bin/mcp-abap-adt.js --transport=http --port=8080 --host=0.0.0.0
 
 # SSE
-node ./bin/mcp-abap-adt.js --transport=sse --sse-port=8081 --sse-host=0.0.0.0
-```
-
-### CORS Configuration
-
-```bash
-node ./bin/mcp-abap-adt.js --transport=http \
-  --http-allowed-origins=http://localhost:3000,https://example.com \
-  --http-enable-dns-protection
+node ./bin/mcp-abap-adt.js --transport=sse --port=8081 --host=0.0.0.0
 ```
 
 ### Environment Variables
@@ -466,7 +458,11 @@ Instead of command-line arguments, you can use environment variables:
 
 1. **Never commit** `.env` files with credentials to git
 2. **Use JWT authentication** for production environments
-3. **Enable DNS protection** for HTTP/SSE servers exposed to network
+3. **Enable DNS-rebinding protection** for HTTP/SSE servers exposed to network — use `--http-enable-dns-protection` with `--http-allowed-hosts` to restrict which Host headers are accepted. Example:
+   ```bash
+   mcp-abap-adt --transport=http --http-enable-dns-protection --http-allowed-hosts=localhost:3000
+   ```
+   This is Host/Origin allowlist validation, NOT browser CORS — no `Access-Control-Allow-Origin` headers are emitted. A non-allowlisted Host gets HTTP 403. The `--http-allowed-hosts` value must include the port (e.g. `localhost:3000`, not `localhost`).
 4. **Use HTTPS** in production (configure reverse proxy)
 
 ## Next Steps

package/docs/installation/INSTALLATION.md

@@ -18,7 +18,7 @@ After installation, you'll be able to:
 ## 🔧 Prerequisites
 
 All platforms require:
-- **Node.js** 18 or later
+- **Node.js** 22 or later
 - **npm** (comes with Node.js)
 - **Git**
 - Access to SAP ABAP system (on-premise or BTP)
@@ -36,14 +36,14 @@ Download and install from a pre-built `.tgz` package:
 # Or receive it from your administrator
 
 # Install globally (recommended)
-npm install -g ./fr0ster-mcp-abap-adt-1.1.0.tgz
+npm install -g ./mcp-abap-adt-core-<version>.tgz
 
 # Or install locally in your project
-npm install ./fr0ster-mcp-abap-adt-1.1.0.tgz
+npm install ./mcp-abap-adt-core-<version>.tgz
 ```
 
 After installation, you'll have access to:
-- `mcp-abap-adt` - MCP ABAP ADT Server (default: HTTP mode)
+- `mcp-abap-adt` - MCP ABAP ADT Server (default: stdio mode)
 - `mcp-abap-adt --transport=stdio` - stdio transport (for MCP clients)
 - `mcp-abap-adt --transport=http` - HTTP server transport
 - `mcp-abap-adt --transport=sse` - SSE transport
@@ -90,7 +90,7 @@ mcp-auth auth -k path/to/service-key.json
 
 **Run the server:**
 ```bash
-# Default HTTP mode (uses auth-broker by default, even if .env exists)
+# Default stdio mode (bare command starts stdio; HTTP/SSE require --transport=http/--transport=sse)
 # Note: auth-broker is available for stdio/SSE via `--mcp=<destination>` and for HTTP via destination headers
 mcp-abap-adt
 
@@ -111,7 +111,7 @@ mcp-abap-adt --env-path=/path/to/my.env
 mcp-abap-adt --env-path ~/configs/sap-dev.env
 
 # Start HTTP server on custom port
-mcp-abap-adt --transport=http --http-port=8080
+mcp-abap-adt --transport=http --port=8080
 ```
 
 **Environment File Priority:**
@@ -245,10 +245,10 @@ This project uses **npm workspaces** to manage multiple packages (`@mcp-abap-adt
 
 ### Installing from Pre-built Package
 
-The pre-built package (`fr0ster-mcp-abap-adt-<version>.tgz`) contains everything you need to run the server without building from source.
+The pre-built package (`mcp-abap-adt-core-<version>.tgz`) contains everything you need to run the server without building from source.
 
 #### Prerequisites
-- Node.js 18 or later
+- Node.js 22 or later
 - npm 9 or later
 
 #### Global Installation (Recommended)
@@ -257,7 +257,7 @@ Install globally to use commands from anywhere:
 
 ```bash
 # Install from local package file
-npm install -g ./fr0ster-mcp-abap-adt-1.1.0.tgz
+npm install -g ./mcp-abap-adt-core-<version>.tgz
 
 # Verify installation
 mcp-abap-adt --help
@@ -268,7 +268,7 @@ mcp-abap-adt --transport=sse --help
 **Available commands after global installation:**
 
 ```bash
-# Default HTTP mode (uses auth-broker by default)
+# Default stdio mode (HTTP/SSE require --transport=http/--transport=sse)
 mcp-abap-adt
 
 # Force use of auth-broker (service keys), ignore .env file
@@ -281,10 +281,10 @@ mcp-abap-adt --transport=stdio
 mcp-abap-adt --env-path=/path/to/.env
 
 # HTTP server transport
-mcp-abap-adt --transport=http --http-port=3000
+mcp-abap-adt --transport=http --port=3000
 
 # SSE transport
-mcp-abap-adt --transport=sse --sse-port=3001
+mcp-abap-adt --transport=sse --port=3001
 ```
 
 **For JWT authentication with service keys**, install separately:
@@ -302,10 +302,10 @@ Install in your project directory:
 cd /path/to/your/project
 
 # Install the package
-npm install /path/to/fr0ster-mcp-abap-adt-1.1.0.tgz
+npm install /path/to/mcp-abap-adt-core-<version>.tgz
 
 # Use via npx
-npx mcp-abap-adt --transport=http --port 3000
+npx mcp-abap-adt --transport=http --port=3000
 ```
 
 #### Configuration
@@ -375,7 +375,7 @@ EOF
 Or use a custom environment file:
 
 ```bash
-mcp-abap-adt --transport=http --env-path /path/to/custom/.env --port 3000
+mcp-abap-adt --transport=http --env-path /path/to/custom/.env --port=3000
 ```
 
 #### Usage Examples
@@ -387,22 +387,22 @@ mcp-abap-adt --transport=http
 
 **Example 2: Start HTTP server on custom port**
 ```bash
-mcp-abap-adt --transport=http --port 8080
+mcp-abap-adt --transport=http --port=8080
 ```
 
 **Example 3: Start HTTP server accessible from network**
 ```bash
-mcp-abap-adt --transport=http --host 0.0.0.0 --port 3000
+mcp-abap-adt --transport=http --host=0.0.0.0 --port=3000
 ```
 
 **Example 4: Use custom environment file**
 ```bash
-mcp-abap-adt --transport=http --env-path /opt/config/.env.production --port 8080
+mcp-abap-adt --transport=http --env-path /opt/config/.env.production --port=8080
 ```
 
 **Example 5: Start SSE server**
 ```bash
-mcp-abap-adt --transport=sse --port 3000
+mcp-abap-adt --transport=sse --port=3000
 ```
 
 #### Command Line Options
@@ -426,19 +426,22 @@ All server commands (`mcp-abap-adt`, `mcp-abap-adt --transport=http`, `mcp-abap-
 - `--transport=<type>` - Transport type: `stdio`, `http`, `streamable-http`, or `sse`
 
 **HTTP Server Options (for `mcp-abap-adt --transport=http`):**
-- `--http-port=<port>` - HTTP server port (default: 3000)
-- `--http-host=<host>` - HTTP server host (default: 0.0.0.0)
+- `--host=<host>` - Server host (default: 127.0.0.1; use 0.0.0.0 for all interfaces)
+- `--port=<port>` - Server port (default: 3000 for http)
+- `--path=<path>` / `--http-path=<path>` (alias) - HTTP endpoint path (default: /mcp/stream/http)
 - `--http-json-response` - Enable JSON response format
-- `--http-allowed-origins=<list>` - Comma-separated allowed origins for CORS
-- `--http-allowed-hosts=<list>` - Comma-separated allowed hosts
-- `--http-enable-dns-protection` - Enable DNS rebinding protection
+- `--http-allowed-hosts=<list>` - Comma-separated exact Host header values for DNS-rebinding protection (includes port, e.g. `localhost:3000`)
+- `--http-allowed-origins=<list>` - Comma-separated exact Origin header values for DNS-rebinding protection (includes scheme, e.g. `https://app.example.com`)
+- `--http-enable-dns-protection` - Enable Host/Origin allowlist validation (NOT browser CORS — no Access-Control-Allow-Origin headers are emitted); needs at least one list set; non-allowlisted Host/Origin → HTTP 403
 
 **SSE Server Options (for `mcp-abap-adt --transport=sse`):**
-- `--sse-port=<port>` - SSE server port (default: 3001)
-- `--sse-host=<host>` - SSE server host (default: 0.0.0.0)
-- `--sse-allowed-origins=<list>` - Comma-separated allowed origins for CORS
-- `--sse-allowed-hosts=<list>` - Comma-separated allowed hosts
-- `--sse-enable-dns-protection` - Enable DNS rebinding protection
+- `--host=<host>` - Server host (default: 127.0.0.1; use 0.0.0.0 for all interfaces)
+- `--port=<port>` - Server port (default: 3001 for sse)
+- `--sse-path=<path>` - SSE connection path (default: /sse)
+- `--post-path=<path>` - SSE message post path (default: /messages)
+- `--sse-allowed-hosts=<list>` - Comma-separated exact Host header values for DNS-rebinding protection (includes port, e.g. `localhost:3001`)
+- `--sse-allowed-origins=<list>` - Comma-separated exact Origin header values for DNS-rebinding protection (includes scheme, e.g. `https://app.example.com`)
+- `--sse-enable-dns-protection` - Enable Host/Origin allowlist validation (NOT browser CORS — no Access-Control-Allow-Origin headers are emitted); needs at least one list set; non-allowlisted Host/Origin → HTTP 403
 
 **Environment Variables:**
 
@@ -450,8 +453,14 @@ You can also configure the server using environment variables.
 - `MCP_TRANSPORT` - Default transport type (stdio|http|sse)
 - `MCP_HTTP_PORT` - Default HTTP port
 - `MCP_HTTP_HOST` - Default HTTP host (default: 127.0.0.1)
+- `MCP_HTTP_ALLOWED_HOSTS` - Comma-separated exact Host header values (DNS-rebinding protection; includes port, e.g. `localhost:3000`)
+- `MCP_HTTP_ALLOWED_ORIGINS` - Comma-separated exact Origin header values (DNS-rebinding protection; includes scheme)
+- `MCP_HTTP_ENABLE_DNS_PROTECTION` - Enable HTTP Host/Origin allowlist validation (true|false; NOT browser CORS — no Access-Control-Allow-Origin headers are emitted)
 - `MCP_SSE_PORT` - Default SSE port
 - `MCP_SSE_HOST` - Default SSE host (default: 127.0.0.1)
+- `MCP_SSE_ALLOWED_HOSTS` - Comma-separated exact Host header values (DNS-rebinding protection; includes port, e.g. `localhost:3001`)
+- `MCP_SSE_ALLOWED_ORIGINS` - Comma-separated exact Origin header values (DNS-rebinding protection; includes scheme)
+- `MCP_SSE_ENABLE_DNS_PROTECTION` - Enable SSE Host/Origin allowlist validation (true|false; NOT browser CORS — no Access-Control-Allow-Origin headers are emitted)
 - `MCP_UNSAFE` - Disable connection validation (true|false)
 - `MCP_USE_AUTH_BROKER` - Force auth-broker usage (true|false)
 - `MCP_BROWSER` - Browser for OAuth2 flow (e.g., chrome, firefox)
@@ -491,12 +500,11 @@ mcp-abap-adt --help
 # Use custom .env from different location
 mcp-abap-adt --env=~/configs/sap-production.env
 
-# Start HTTP server with CORS configuration
-mcp-abap-adt --transport=http --http-port=8080 \
-  --http-allowed-origins=http://localhost:3000,https://myapp.com
+# Start HTTP server
+mcp-abap-adt --transport=http --port=8080
 
-# Start SSE with DNS protection
-mcp-abap-adt --transport=sse --sse-port=3001 --sse-enable-dns-protection
+# Start SSE server
+mcp-abap-adt --transport=sse --port=3001
 ```
 
 **Example 6: Use stdio transport (for MCP clients)**
@@ -510,10 +518,10 @@ To update to a newer version:
 
 ```bash
 # Uninstall old version
-npm uninstall -g @fr0ster/mcp-abap-adt
+npm uninstall -g @mcp-abap-adt/core
 
 # Install new version
-npm install -g ./fr0ster-mcp-abap-adt-1.2.0.tgz
+npm install -g ./mcp-abap-adt-core-<version>.tgz
 ```
 
 #### Troubleshooting Package Installation
@@ -537,7 +545,7 @@ $env:PATH += ";$(npm config get prefix)"
 Solution:
 ```bash
 # Use sudo for global installation
-sudo npm install -g ./fr0ster-mcp-abap-adt-1.1.0.tgz
+sudo npm install -g ./mcp-abap-adt-core-<version>.tgz
 
 # Or configure npm to use a different directory (recommended)
 mkdir ~/.npm-global
@@ -546,7 +554,7 @@ echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.bashrc
 source ~/.bashrc
 
 # Then install without sudo
-npm install -g ./fr0ster-mcp-abap-adt-1.1.0.tgz
+npm install -g ./mcp-abap-adt-core-<version>.tgz
 ```
 
 ---