@mcp-abap-adt/core 7.1.1 → 7.2.0

package/docs/user-guide/CLI_OPTIONS.md

@@ -29,7 +29,7 @@ Load server configuration from a YAML file instead of command-line arguments. If
 mcp-abap-adt --conf=config.yaml
 
 # Override YAML values with command-line arguments
-mcp-abap-adt --conf=config.yaml --http-port=8080
+mcp-abap-adt --conf=config.yaml --port=8080
 ```
 
 **Benefits:**
@@ -126,7 +126,7 @@ mcp-abap-adt --transport=http
 mcp-abap-adt --transport=sse
 ```
 
-**Note:** You can use shortcuts `--http` or `--sse` instead of `--transport=http` or `--transport=sse`.
+**Note:** The default transport is `stdio`; running bare `mcp-abap-adt` starts stdio. Select the transport explicitly with `--transport=stdio|http|sse`. There are no `--http`/`--sse` standalone shortcuts; configure host and port with the generic `--host`/`--port` flags (and the path flags `--path`/`--sse-path`/`--post-path`).
 
 ## SAP Connection Type
 
@@ -227,17 +227,17 @@ Used with `--transport=http` or `--transport=streamable-http`.
 
 ### Port Configuration
 
-**--http-port=\<port\>**
+**--port=\<port\>**
 
 HTTP server port (default: 3000).
 
 ```bash
-mcp-abap-adt --transport=http --http-port=8080
+mcp-abap-adt --transport=http --port=8080
 ```
 
 ### Host Binding
 
-**--http-host=\<host\>**
+**--host=\<host\>**
 
 HTTP server host address (default: 127.0.0.1, localhost only for security).
 
@@ -247,10 +247,10 @@ HTTP server host address (default: 127.0.0.1, localhost only for security).
 
 ```bash
 # Bind to localhost only (default, secure)
-mcp-abap-adt --transport=http --http-host=127.0.0.1
+mcp-abap-adt --transport=http --host=127.0.0.1
 
 # Bind to all interfaces (less secure, client must provide all headers)
-mcp-abap-adt --transport=http --http-host=0.0.0.0
+mcp-abap-adt --transport=http --host=0.0.0.0
 ```
 
 **When using 0.0.0.0:**
@@ -258,56 +258,56 @@ mcp-abap-adt --transport=http --http-host=0.0.0.0
 - Server acts as a simple proxy - no default destination lookup
 - All responsibility for connection configuration is on the client
 
-### Response Format
+### Path Configuration
 
-**--http-json-response**
+**--path=\<path\>** (alias **--http-path=\<path\>**)
 
-Enable JSON response format.
+HTTP endpoint path (default: /mcp/stream/http).
 
 ```bash
-mcp-abap-adt --transport=http --http-json-response
+mcp-abap-adt --transport=http --path=/mcp/stream/http
 ```
 
-### CORS Configuration
+### Response Format
 
-**--http-allowed-origins=\<list\>**
+**--http-json-response**
 
-Comma-separated list of allowed origins for CORS.
+Enable JSON response format.
 
 ```bash
-# Single origin
-mcp-abap-adt --transport=http --http-allowed-origins=http://localhost:3000
-
-# Multiple origins
-mcp-abap-adt --transport=http --http-allowed-origins=http://localhost:3000,https://app.example.com
+mcp-abap-adt --transport=http --http-json-response
 ```
 
-**--http-allowed-hosts=\<list\>**
+### DNS-Rebinding Protection (HTTP)
 
-Comma-separated list of allowed hosts.
-
-```bash
-mcp-abap-adt --transport=http --http-allowed-hosts=localhost,myapp.local
-```
+DNS-rebinding protection (Host + Origin allowlist; NOT browser CORS — no Access-Control-Allow-Origin headers are emitted):
 
-### Security
+- `--http-allowed-hosts=<list>`   Comma-separated exact Host header values to allow,
+                                  including port (e.g. `localhost:3000`).
+- `--http-allowed-origins=<list>` Comma-separated exact Origin header values to allow,
+                                  including scheme (e.g. `https://app.example.com`).
+- `--http-enable-dns-protection`  Enable validation. Required for the allowlists to take
+                                  effect; needs at least one of the two lists set.
+                                  A non-allowlisted Host/Origin gets HTTP 403.
 
-**--http-enable-dns-protection**
-
-Enable DNS rebinding protection.
+Only effective when `--http-enable-dns-protection` is set AND at least one allowlist is non-empty.
+Env vars: `MCP_HTTP_ALLOWED_HOSTS`, `MCP_HTTP_ALLOWED_ORIGINS`, `MCP_HTTP_ENABLE_DNS_PROTECTION`.
+YAML keys: `http.allowed-hosts`, `http.allowed-origins`, `http.enable-dns-protection`.
 
 ```bash
-mcp-abap-adt --transport=http --http-enable-dns-protection
+# Enable DNS-rebinding protection for HTTP transport
+mcp-abap-adt --transport=http \
+  --http-enable-dns-protection \
+  --http-allowed-hosts=localhost:3000 \
+  --http-allowed-origins=https://app.example.com
 ```
 
 ### Complete HTTP Example
 
 ```bash
 mcp-abap-adt --transport=http \
-  --http-port=8080 \
-  --http-host=0.0.0.0 \
-  --http-allowed-origins=http://localhost:3000,https://myapp.com \
-  --http-enable-dns-protection \
+  --port=8080 \
+  --host=0.0.0.0 \
   --env-path=~/configs/sap-prod.env
 ```
 
@@ -317,17 +317,17 @@ Used with `mcp-abap-adt --transport=sse` or `--transport=sse`.
 
 ### Port Configuration
 
-**--sse-port=\<port\>**
+**--port=\<port\>**
 
 SSE server port (default: 3001).
 
 ```bash
-mcp-abap-adt --transport=sse --sse-port=8081
+mcp-abap-adt --transport=sse --port=8081
 ```
 
 ### Host Binding
 
-**--sse-host=\<host\>**
+**--host=\<host\>**
 
 SSE server host address (default: 127.0.0.1, localhost only for security).
 
@@ -337,10 +337,10 @@ SSE server host address (default: 127.0.0.1, localhost only for security).
 
 ```bash
 # Bind to localhost only (default, secure)
-mcp-abap-adt --transport=sse --sse-host=127.0.0.1
+mcp-abap-adt --transport=sse --host=127.0.0.1
 
 # Bind to all interfaces (less secure, client must provide all headers)
-mcp-abap-adt --transport=sse --sse-host=0.0.0.0
+mcp-abap-adt --transport=sse --host=0.0.0.0
 ```
 
 **When using 0.0.0.0:**
@@ -348,42 +348,50 @@ mcp-abap-adt --transport=sse --sse-host=0.0.0.0
 - Server acts as a simple proxy - no default destination lookup
 - All responsibility for connection configuration is on the client
 
-### CORS Configuration
+### Path Configuration
 
-**--sse-allowed-origins=\<list\>**
+**--sse-path=\<path\>**
 
-Comma-separated list of allowed origins for CORS.
+SSE connection path (default: /sse).
 
-```bash
-mcp-abap-adt --transport=sse --sse-allowed-origins=http://localhost:3000,https://app.example.com
-```
+**--post-path=\<path\>**
 
-**--sse-allowed-hosts=\<list\>**
-
-Comma-separated list of allowed hosts.
+SSE message post path (default: /messages).
 
 ```bash
-mcp-abap-adt --transport=sse --sse-allowed-hosts=localhost,myapp.local
+mcp-abap-adt --transport=sse --sse-path=/sse --post-path=/messages
 ```
 
-### Security
+### DNS-Rebinding Protection (SSE)
+
+DNS-rebinding protection (Host + Origin allowlist; NOT browser CORS — no Access-Control-Allow-Origin headers are emitted):
 
-**--sse-enable-dns-protection**
+- `--sse-allowed-hosts=<list>`   Comma-separated exact Host header values to allow,
+                                 including port (e.g. `localhost:3001`).
+- `--sse-allowed-origins=<list>` Comma-separated exact Origin header values to allow,
+                                 including scheme (e.g. `https://app.example.com`).
+- `--sse-enable-dns-protection`  Enable validation. Required for the allowlists to take
+                                 effect; needs at least one of the two lists set.
+                                 A non-allowlisted Host/Origin gets HTTP 403.
 
-Enable DNS rebinding protection.
+Only effective when `--sse-enable-dns-protection` is set AND at least one allowlist is non-empty.
+Env vars: `MCP_SSE_ALLOWED_HOSTS`, `MCP_SSE_ALLOWED_ORIGINS`, `MCP_SSE_ENABLE_DNS_PROTECTION`.
+YAML keys: `sse.allowed-hosts`, `sse.allowed-origins`, `sse.enable-dns-protection`.
 
 ```bash
-mcp-abap-adt --transport=sse --sse-enable-dns-protection
+# Enable DNS-rebinding protection for SSE transport
+mcp-abap-adt --transport=sse \
+  --sse-enable-dns-protection \
+  --sse-allowed-hosts=localhost:3001 \
+  --sse-allowed-origins=https://app.example.com
 ```
 
 ### Complete SSE Example
 
 ```bash
 mcp-abap-adt --transport=sse \
-  --sse-port=3001 \
-  --sse-host=0.0.0.0 \
-  --sse-allowed-origins=http://localhost:3000 \
-  --sse-enable-dns-protection \
+  --port=3001 \
+  --host=0.0.0.0 \
   --env-path=~/configs/sap-dev.env
 ```
 
@@ -406,17 +414,17 @@ Alternative to command line arguments. Environment variables can be set in shell
 - `MCP_HTTP_PORT` - Default HTTP port
 - `MCP_HTTP_HOST` - Default HTTP host (default: 127.0.0.1)
 - `MCP_HTTP_ENABLE_JSON_RESPONSE` - Enable JSON responses (true|false)
-- `MCP_HTTP_ALLOWED_ORIGINS` - Allowed CORS origins (comma-separated)
-- `MCP_HTTP_ALLOWED_HOSTS` - Allowed hosts (comma-separated)
-- `MCP_HTTP_ENABLE_DNS_PROTECTION` - Enable DNS protection (true|false)
+- `MCP_HTTP_ALLOWED_HOSTS` - Comma-separated exact Host header values (DNS-rebinding protection; includes port, e.g. `localhost:3000`)
+- `MCP_HTTP_ALLOWED_ORIGINS` - Comma-separated exact Origin header values (DNS-rebinding protection; includes scheme, e.g. `https://app.example.com`)
+- `MCP_HTTP_ENABLE_DNS_PROTECTION` - Enable Host/Origin allowlist validation (true|false; NOT browser CORS — no Access-Control-Allow-Origin headers are emitted)
 
 ### SSE Transport
 
 - `MCP_SSE_PORT` - Default SSE port
 - `MCP_SSE_HOST` - Default SSE host
-- `MCP_SSE_ALLOWED_ORIGINS` - Allowed CORS origins (comma-separated)
-- `MCP_SSE_ALLOWED_HOSTS` - Allowed hosts (comma-separated)
-- `MCP_SSE_ENABLE_DNS_PROTECTION` - Enable DNS protection (true|false)
+- `MCP_SSE_ALLOWED_HOSTS` - Comma-separated exact Host header values (DNS-rebinding protection; includes port, e.g. `localhost:3001`)
+- `MCP_SSE_ALLOWED_ORIGINS` - Comma-separated exact Origin header values (DNS-rebinding protection; includes scheme, e.g. `https://app.example.com`)
+- `MCP_SSE_ENABLE_DNS_PROTECTION` - Enable Host/Origin allowlist validation (true|false; NOT browser CORS — no Access-Control-Allow-Origin headers are emitted)
 
 ### SAP Connection
 
@@ -459,7 +467,6 @@ These are typically set in `.env` file:
 **Shell environment:**
 ```bash
 export MCP_HTTP_PORT=8080
-export MCP_HTTP_ALLOWED_ORIGINS=http://localhost:3000
 mcp-abap-adt --transport=http
 ```
 
@@ -467,7 +474,6 @@ mcp-abap-adt --transport=http
 ```bash
 # ~/.mcp-abap-adt.env
 MCP_HTTP_PORT=8080
-MCP_HTTP_ALLOWED_ORIGINS=http://localhost:3000,https://myapp.com
 
 # Use it
 mcp-abap-adt --transport=http --env-path ~/.mcp-abap-adt.env
@@ -477,7 +483,7 @@ mcp-abap-adt --transport=http --env-path ~/.mcp-abap-adt.env
 
 When the same option is specified multiple ways, this is the priority order (highest to lowest):
 
-1. **Command line arguments** (`--http-port=8080`)
+1. **Command line arguments** (`--port=8080`)
 2. **Environment variables** (`MCP_HTTP_PORT=8080`)
 3. **Default values**
 
@@ -485,7 +491,7 @@ Example:
 ```bash
 # Port 9000 wins (command line)
 export MCP_HTTP_PORT=8080
-mcp-abap-adt --transport=http --http-port=9000
+mcp-abap-adt --transport=http --port=9000
 ```
 
 ## Common Usage Patterns
@@ -544,8 +550,7 @@ EOF
 # Run with explicit config
 mcp-abap-adt --transport=http \
   --env-path=/etc/mcp-abap-adt/prod.env \
-  --http-port=8080 \
-  --http-enable-dns-protection
+  --port=8080
 ```
 
 ### Multi-Environment
@@ -560,7 +565,7 @@ mcp-abap-adt --transport=http \
 # Quick switch
 alias mcp-dev='mcp-abap-adt --env-path=~/sap-configs/dev.env'
 alias mcp-test='mcp-abap-adt --env-path=~/sap-configs/test.env'
-alias mcp-prod='mcp-abap-adt --transport=http --env-path=~/sap-configs/prod.env --http-port=8080'
+alias mcp-prod='mcp-abap-adt --transport=http --env-path=~/sap-configs/prod.env --port=8080'
 
 # Use
 mcp-dev
@@ -590,7 +595,7 @@ mcp-abap-adt 2>&1 | grep MCP-ENV
 lsof -i :3000
 
 # Use different port
-mcp-abap-adt --transport=http --http-port=3001
+mcp-abap-adt --transport=http --port=3001
 ```
 
 ### Can't Find .env File

package/docs/user-guide/HANDLERS_MANAGEMENT.md

@@ -62,7 +62,7 @@ V2 server supports flexible handler set configuration through the `--exposition`
    - Object search
    - Code search
 
-6. **system** - Always included automatically  
+6. **system** - Included only when the exposition includes `readonly` (added alongside the read-only group)
    - Where-used analysis (GetWhereUsed)
    - Type information (GetTypeInfo)
    - Object info (GetObjectInfo)
@@ -75,25 +75,25 @@ V2 server supports flexible handler set configuration through the `--exposition`
 
 ## Usage
 
-**Note:** `search` and `system` handler groups are ALWAYS included regardless of `--exposition` setting.
+**Note:** The `search` handler group is ALWAYS included regardless of `--exposition`. The `system` handler group is included only when the exposition contains `readonly` (it is registered together with the read-only group). The default exposition is `readonly,high`, so both are present by default.
 
 ### Command Line
 
 ```bash
-# Default: readonly + high (+ search + system always included)
-node bin/mcp-abap-adt-v2.js --transport=stdio --env-path=.env
+# Default: readonly + high (+ search always; + system because readonly is present)
+node bin/mcp-abap-adt.js --transport=stdio --env-path=.env
 
 # Only read-only operations (safest)
-node bin/mcp-abap-adt-v2.js --transport=stdio --env-path=.env --exposition=readonly
+node bin/mcp-abap-adt.js --transport=stdio --env-path=.env --exposition=readonly
 
 # Read-only + high-level writes (recommended)
-node bin/mcp-abap-adt-v2.js --transport=stdio --env-path=.env --exposition=readonly,high
+node bin/mcp-abap-adt.js --transport=stdio --env-path=.env --exposition=readonly,high
 
 # Compact facade only
-node bin/mcp-abap-adt-v2.js --transport=stdio --env-path=.env --exposition=compact
+node bin/mcp-abap-adt.js --transport=stdio --env-path=.env --exposition=compact
 
 # Low-level writes (use instead of `high`, not together)
-node bin/mcp-abap-adt-v2.js --transport=stdio --env-path=.env --exposition=readonly,low
+node bin/mcp-abap-adt.js --transport=stdio --env-path=.env --exposition=readonly,low
 ```
 
 #### Validation rules
@@ -129,7 +129,7 @@ Set `MCP_EXPOSITION`:
 
 ```bash
 export MCP_EXPOSITION=readonly,high
-node bin/mcp-abap-adt-v2.js --transport=stdio --env-path=.env
+node bin/mcp-abap-adt.js --transport=stdio --env-path=.env
 ```
 
 ## Generating Handler Documentation

package/docs/user-guide/README.md

@@ -14,11 +14,11 @@ Install from a pre-built `.tgz` package:
 
 ```bash
 # Install globally
-npm install -g ./fr0ster-mcp-abap-adt-1.1.0.tgz
+npm install -g ./mcp-abap-adt-core-<version>.tgz
 
 # Available commands:
-mcp-abap-adt          # HTTP transport (default)
-mcp-abap-adt --transport=stdio    # stdio transport (for MCP clients)
+mcp-abap-adt          # stdio transport (default, for MCP clients)
+mcp-abap-adt --transport=http     # HTTP server
 mcp-abap-adt --transport=sse      # SSE server
 ```
 
@@ -33,7 +33,7 @@ SAP_JWT_TOKEN=your-jwt-token
 EOF
 
 # Run HTTP server
-mcp-abap-adt --transport=http --port 3000
+mcp-abap-adt --transport=http --port=3000
 ```
 
 See [Installation Guide](../installation/INSTALLATION.md#package-installation-details) for detailed instructions.
@@ -91,7 +91,7 @@ objects for each package. Each object includes:
 
 After installing from package, these commands are available:
 
-### `mcp-abap-adt` - Default HTTP transport
+### `mcp-abap-adt` - Default stdio transport
 ```bash
 mcp-abap-adt [--env <destination>] [--env-path /path/to/.env]
 ```
@@ -113,15 +113,15 @@ Starts HTTP server with Server-Sent Events transport.
 
 ### Example 1: HTTP Server on Port 8080
 ```bash
-mcp-abap-adt --transport=http --port 8080
+mcp-abap-adt --transport=http --port=8080
 ```
 
 ### Example 2: SSE Server Accessible from Network
 ```bash
-mcp-abap-adt --transport=sse --host 0.0.0.0 --port 3000
+mcp-abap-adt --transport=sse --host=0.0.0.0 --port=3000
 ```
 
 ### Example 3: Custom Environment File
 ```bash
-mcp-abap-adt --transport=http --env-path /opt/config/.env.production --port 8080
+mcp-abap-adt --transport=http --env-path /opt/config/.env.production --port=8080
 ```

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@mcp-abap-adt/core",
   "mcpName": "io.github.fr0ster/mcp-abap-adt",
-  "version": "7.1.1",
+  "version": "7.2.0",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "exports": {
@@ -50,6 +50,7 @@
     "shared:setup": "jest --testPathPatterns='admin/shared-deps/setup' --testPathIgnorePatterns='[]' --runInBand --passWithNoTests",
     "shared:teardown": "jest --testPathPatterns='admin/shared-deps/teardown' --testPathIgnorePatterns='[]' --runInBand --passWithNoTests",
     "shared:check": "jest --testPathPatterns='admin/shared-deps/check' --testPathIgnorePatterns='[]' --passWithNoTests",
+    "polygon:backup": "adt-backup backup --package ZMCP_SHR_PKG --env-path trial.env --output tests/fixtures/polygon.backup.yaml",
     "lint": "npx biome check --write src",
     "lint:check": "npx biome check src",
     "format": "npx biome format --write src",
@@ -169,8 +170,7 @@
     "CHANGELOG.md"
   ],
   "bin": {
-    "mcp-abap-adt": "./bin/mcp-abap-adt.js",
-    "mcp-abap-adt-v2": "./bin/mcp-abap-adt-v2.js"
+    "mcp-abap-adt": "./bin/mcp-abap-adt.js"
   },
   "jest": {
     "preset": "ts-jest",