@sap-ux/backend-proxy-middleware-cf 0.1.2 → 0.1.3

package/dist/config/config.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DEFAULT_REWRITE_CONTENT_TYPES = void 0;
 exports.mergeEffectiveOptions = mergeEffectiveOptions;
+const adp_tooling_1 = require("@sap-ux/adp-tooling");
 exports.DEFAULT_REWRITE_CONTENT_TYPES = [
     'text/html',
     'application/json',
@@ -28,6 +29,9 @@ function mergeEffectiveOptions(configuration) {
         appendAuthRoute: false,
         disableWelcomeFile: false,
         disableUi5ServerRoutes: false,
+        disableSshTunnel: false,
+        tunnelAppName: adp_tooling_1.DEFAULT_TUNNEL_APP_NAME,
+        skipSshEnable: false,
         extensions: [],
         ...configuration
     };

package/dist/config/env.d.ts

@@ -1,18 +1,33 @@
 import type { ToolsLogger } from '@sap-ux/logger';
-import type { EffectiveOptions } from '../types';
+import type { AppRouterEnvOptions } from '@sap-ux/adp-tooling';
+import type { ConnectivityProxyInfo, EffectiveOptions } from '../types';
 /**
- * Load env options from file or CF, apply to process.env, and add destinations from effectiveOptions.
+ * Extract connectivity proxy host and port from VCAP_SERVICES.
+ *
+ * @param vcapServices - Parsed VCAP_SERVICES object.
+ * @returns Proxy info or undefined if no connectivity service is present.
+ */
+export declare function getConnectivityProxyInfo(vcapServices: Record<string, unknown> | undefined): ConnectivityProxyInfo | undefined;
+/**
+ * Apply options to process.env with JSON-stringified destinations and VCAP_SERVICES.
+ * Overrides the connectivity proxy host to localhost so traffic flows through the local SSH tunnel.
+ *
+ * @param options - Env options to apply.
+ */
+export declare function applyToProcessEnv(options: AppRouterEnvOptions): void;
+/**
+ * Load env options from file or CF and merge destinations from effectiveOptions.
  *
  * When effectiveOptions.envOptionsPath is set, loads that JSON file. When null, loads mta.yaml one level
- * above rootPath and fetches VCAP_SERVICES from CF. effectiveOptions.destinations is applied so
+ * above rootPath and fetches VCAP_SERVICES from CF. effectiveOptions.destinations is appended so
  * middleware config takes precedence over file/env.
  *
  * @param rootPath - Project root path.
  * @param effectiveOptions - Merged config; envOptionsPath and destinations are used.
  * @param logger - Logger for CF path.
- * @returns Promise resolving when env options are loaded and applied.
+ * @returns Loaded and merged env options.
  */
-export declare function loadAndApplyEnvOptions(rootPath: string, effectiveOptions: EffectiveOptions, logger: ToolsLogger): Promise<void>;
+export declare function loadEnvOptions(rootPath: string, effectiveOptions: EffectiveOptions, logger: ToolsLogger): Promise<AppRouterEnvOptions>;
 /**
  * Ensure the ui5-server destination exists and has the correct URL.
  * If ui5-server doesn't exist in configuration, it will be auto-created.

package/dist/config/env.js

@@ -3,12 +3,37 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.loadAndApplyEnvOptions = loadAndApplyEnvOptions;
+exports.getConnectivityProxyInfo = getConnectivityProxyInfo;
+exports.applyToProcessEnv = applyToProcessEnv;
+exports.loadEnvOptions = loadEnvOptions;
 exports.updateUi5ServerDestinationPort = updateUi5ServerDestinationPort;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const adp_tooling_1 = require("@sap-ux/adp-tooling");
 const constants_1 = require("./constants");
+/**
+ * Extract connectivity proxy host and port from VCAP_SERVICES.
+ *
+ * @param vcapServices - Parsed VCAP_SERVICES object.
+ * @returns Proxy info or undefined if no connectivity service is present.
+ */
+function getConnectivityProxyInfo(vcapServices) {
+    if (!vcapServices) {
+        return undefined;
+    }
+    const connectivity = vcapServices['connectivity'];
+    if (!Array.isArray(connectivity)) {
+        return undefined;
+    }
+    for (const entry of connectivity) {
+        const host = entry.credentials?.onpremise_proxy_host;
+        const port = entry.credentials?.onpremise_proxy_port;
+        if (host && port) {
+            return { host: String(host), port: Number(port) };
+        }
+    }
+    return undefined;
+}
 /**
  * Load and parse env options JSON file.
  *
@@ -32,10 +57,21 @@ function loadEnvOptionsFromFile(rootPath, envOptionsPath) {
 }
 /**
  * Apply options to process.env with JSON-stringified destinations and VCAP_SERVICES.
+ * Overrides the connectivity proxy host to localhost so traffic flows through the local SSH tunnel.
  *
  * @param options - Env options to apply.
  */
 function applyToProcessEnv(options) {
+    if (options.VCAP_SERVICES) {
+        const connectivity = options.VCAP_SERVICES['connectivity'];
+        if (Array.isArray(connectivity)) {
+            for (const entry of connectivity) {
+                if (entry.credentials?.onpremise_proxy_host) {
+                    entry.credentials.onpremise_proxy_host = 'localhost';
+                }
+            }
+        }
+    }
     const envOptions = {
         ...options,
         ...(options.destinations ? { destinations: JSON.stringify(options.destinations) } : {}),
@@ -44,44 +80,40 @@ function applyToProcessEnv(options) {
     Object.assign(process.env, envOptions);
 }
 /**
- * Load env options from file or CF, apply to process.env, and add destinations from effectiveOptions.
+ * Load env options from file or CF and merge destinations from effectiveOptions.
  *
  * When effectiveOptions.envOptionsPath is set, loads that JSON file. When null, loads mta.yaml one level
- * above rootPath and fetches VCAP_SERVICES from CF. effectiveOptions.destinations is applied so
+ * above rootPath and fetches VCAP_SERVICES from CF. effectiveOptions.destinations is appended so
  * middleware config takes precedence over file/env.
  *
  * @param rootPath - Project root path.
  * @param effectiveOptions - Merged config; envOptionsPath and destinations are used.
  * @param logger - Logger for CF path.
- * @returns Promise resolving when env options are loaded and applied.
+ * @returns Loaded and merged env options.
  */
-async function loadAndApplyEnvOptions(rootPath, effectiveOptions, logger) {
+async function loadEnvOptions(rootPath, effectiveOptions, logger) {
     const { envOptionsPath, destinations: middlewareDestinations } = effectiveOptions;
-    let options;
     if (envOptionsPath) {
         const envOptions = loadEnvOptionsFromFile(rootPath, envOptionsPath);
         const destinations = envOptions.destinations
             ? [...envOptions.destinations, ...middlewareDestinations]
             : middlewareDestinations;
-        options = { ...envOptions, destinations };
+        return { ...envOptions, destinations };
     }
-    else {
-        const mtaPath = node_path_1.default.resolve(rootPath, '..', 'mta.yaml');
-        const spaceGuid = await (0, adp_tooling_1.getSpaceGuidFromUi5Yaml)(rootPath, logger);
-        if (!spaceGuid) {
-            throw new Error('No space GUID (from config or ui5.yaml). Cannot load CF env options.');
-        }
-        if (!node_fs_1.default.existsSync(mtaPath)) {
-            throw new Error(`mta.yaml not found at "${mtaPath}". Cannot load CF env options.`);
-        }
-        const mtaYaml = (0, adp_tooling_1.getYamlContent)(mtaPath);
-        const VCAP_SERVICES = await (0, adp_tooling_1.buildVcapServicesFromResources)(mtaYaml.resources, spaceGuid, logger);
-        options = {
-            VCAP_SERVICES,
-            destinations: middlewareDestinations
-        };
+    const mtaPath = node_path_1.default.resolve(rootPath, '..', 'mta.yaml');
+    const spaceGuid = await (0, adp_tooling_1.getSpaceGuidFromUi5Yaml)(rootPath, logger);
+    if (!spaceGuid) {
+        throw new Error('No space GUID (from config or ui5.yaml). Cannot load CF env options.');
+    }
+    if (!node_fs_1.default.existsSync(mtaPath)) {
+        throw new Error(`mta.yaml not found at "${mtaPath}". Cannot load CF env options.`);
     }
-    applyToProcessEnv(options);
+    const mtaYaml = (0, adp_tooling_1.getYamlContent)(mtaPath);
+    const VCAP_SERVICES = await (0, adp_tooling_1.buildVcapServicesFromResources)(mtaYaml.resources, spaceGuid, logger);
+    return {
+        VCAP_SERVICES,
+        destinations: middlewareDestinations
+    };
 }
 /**
  * Ensure the ui5-server destination exists and has the correct URL.

package/dist/middleware.js

@@ -16,6 +16,7 @@ const xssecurity_1 = require("./platform/xssecurity");
 const bas_1 = require("./platform/bas");
 const routes_1 = require("./proxy/routes");
 const env_1 = require("./config/env");
+const tunnel_1 = require("./tunnel/tunnel");
 dotenv_1.default.config();
 /**
  * UI5 server middleware: runs `@sap/approuter` and proxies matching requests to it.
@@ -45,8 +46,13 @@ async function backendProxyMiddlewareCf({ options, middlewareUtil }) {
     if (!node_fs_1.default.existsSync(xsappJsonPath)) {
         throw new Error(`xs-app.json not found at "${xsappJsonPath}"`);
     }
-    await (0, env_1.loadAndApplyEnvOptions)(rootPath, effectiveOptions, logger);
+    const envOptions = await (0, env_1.loadEnvOptions)(rootPath, effectiveOptions, logger);
+    const connectivityInfo = (0, env_1.getConnectivityProxyInfo)(envOptions.VCAP_SERVICES);
+    (0, env_1.applyToProcessEnv)(envOptions);
     await (0, xssecurity_1.updateXsuaaService)(rootPath, logger);
+    if (!effectiveOptions.disableSshTunnel && connectivityInfo) {
+        await (0, tunnel_1.setupSshTunnel)(rootPath, connectivityInfo, effectiveOptions, logger);
+    }
     const sourcePath = project.getSourcePath();
     const xsappConfig = (0, routes_1.loadAndPrepareXsappConfig)({
         rootPath,

package/dist/proxy/routes.js

@@ -18,6 +18,41 @@ const UI5_SERVER_AUTH_ROUTE = {
     destination: constants_1.UI5_SERVER_DESTINATION,
     authenticationType: 'xsuaa'
 };
+/**
+ * Inject localDir routes for ADP live-reload so adaptation project changes
+ * and i18n files are served directly from webapp/ without a build.
+ *
+ * Routes are prepended so they take priority over the catch-all approuter routes.
+ *
+ * @param routes - Mutable routes array to prepend ADP routes into.
+ * @param rootPath - Project root used to locate webapp/manifest.appdescr_variant.
+ * @param logger - Logger for info/warn messages.
+ */
+function injectAdpLiveReloadRoutes(routes, rootPath, logger) {
+    const manifestPath = node_path_1.default.join(rootPath, 'webapp', 'manifest.appdescr_variant');
+    if (!node_fs_1.default.existsSync(manifestPath)) {
+        return;
+    }
+    try {
+        const manifest = JSON.parse(node_fs_1.default.readFileSync(manifestPath, 'utf8'));
+        const variantId = manifest.id.replaceAll('.', '_');
+        routes.unshift({
+            source: `^/changes/${variantId}/(.*)$`,
+            target: 'changes/$1',
+            localDir: 'webapp',
+            authenticationType: 'none'
+        }, {
+            source: `^/${variantId}/i18n/(.*)$`,
+            target: 'i18n/$1',
+            localDir: 'webapp',
+            authenticationType: 'none'
+        });
+        logger.info(`ADP live-reload: injected localDir routes for /changes/${variantId}/* and /${variantId}/i18n/*`);
+    }
+    catch (e) {
+        logger.warn(`Failed to read manifest.appdescr_variant: ${e.message}`);
+    }
+}
 /**
  * Load xs-app.json and prepare it for the approuter (filter routes, set auth, optionally append auth route).
  * Mutates and returns the config; does not build RouteEntry[].
@@ -41,6 +76,7 @@ function loadAndPrepareXsappConfig(options) {
         }
         return true;
     });
+    injectAdpLiveReloadRoutes(xsappConfig.routes, rootPath, logger);
     if (effectiveOptions.disableWelcomeFile) {
         delete xsappConfig.welcomeFile;
     }

package/dist/tunnel/destination-check.d.ts

@@ -0,0 +1,11 @@
+import type { ToolsLogger } from '@sap-ux/logger';
+/**
+ * Check whether the adaptation project's webapp/xs-app.json exists and contains at least
+ * one route whose destination is configured as OnPremise in the BTP Destination Service.
+ *
+ * @param rootPath - Project root path.
+ * @param logger - Logger instance.
+ * @returns True if an OnPremise destination is found; false otherwise.
+ */
+export declare function hasOnPremiseDestination(rootPath: string, logger: ToolsLogger): Promise<boolean>;
+//# sourceMappingURL=destination-check.d.ts.map

package/dist/tunnel/destination-check.js

@@ -0,0 +1,110 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hasOnPremiseDestination = hasOnPremiseDestination;
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_path_1 = __importDefault(require("node:path"));
+const btp_utils_1 = require("@sap-ux/btp-utils");
+const adp_tooling_1 = require("@sap-ux/adp-tooling");
+/**
+ * Extract unique destination names from the routes in webapp/xs-app.json.
+ *
+ * @param rootPath - Project root path.
+ * @returns Array of unique destination names, or empty array if no webapp/xs-app.json or no destinations.
+ */
+function getWebappXsappDestinationNames(rootPath) {
+    const xsappPath = node_path_1.default.join(rootPath, 'webapp', 'xs-app.json');
+    if (!node_fs_1.default.existsSync(xsappPath)) {
+        return [];
+    }
+    try {
+        const xsappConfig = JSON.parse(node_fs_1.default.readFileSync(xsappPath, 'utf8'));
+        const names = new Set();
+        for (const route of xsappConfig.routes ?? []) {
+            if (route.destination) {
+                names.add(route.destination);
+            }
+        }
+        return [...names];
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Extract BTP destination service auth from process.env.VCAP_SERVICES.
+ *
+ * @returns Auth info or undefined if no destination service is bound.
+ */
+function getBtpDestinationServiceAuth() {
+    const raw = process.env.VCAP_SERVICES;
+    if (!raw) {
+        return undefined;
+    }
+    let vcapServices;
+    try {
+        vcapServices = JSON.parse(raw);
+    }
+    catch {
+        return undefined;
+    }
+    const entries = vcapServices['destination'];
+    if (!Array.isArray(entries) || entries.length === 0) {
+        return undefined;
+    }
+    const credentials = entries[0].credentials;
+    if (!credentials?.clientid || !credentials?.clientsecret || !credentials?.url || !credentials?.uri) {
+        return undefined;
+    }
+    return {
+        uaa: { clientid: credentials.clientid, clientsecret: credentials.clientsecret, url: credentials.url },
+        uri: String(credentials.uri)
+    };
+}
+/**
+ * Check whether the adaptation project's webapp/xs-app.json exists and contains at least
+ * one route whose destination is configured as OnPremise in the BTP Destination Service.
+ *
+ * @param rootPath - Project root path.
+ * @param logger - Logger instance.
+ * @returns True if an OnPremise destination is found; false otherwise.
+ */
+async function hasOnPremiseDestination(rootPath, logger) {
+    const destinationNames = getWebappXsappDestinationNames(rootPath);
+    if (destinationNames.length === 0) {
+        logger.debug('No webapp/xs-app.json or no destinations in routes, skipping OnPremise check.');
+        return false;
+    }
+    const auth = getBtpDestinationServiceAuth();
+    if (!auth) {
+        logger.debug('No destination service credentials in VCAP_SERVICES, cannot check destination types.');
+        return false;
+    }
+    let token;
+    try {
+        token = await (0, adp_tooling_1.getToken)(auth.uaa, logger);
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        logger.warn(`Failed to obtain OAuth token for destination service: ${message}`);
+        return false;
+    }
+    for (const name of destinationNames) {
+        try {
+            const config = await (0, adp_tooling_1.getBtpDestinationConfig)(auth.uri, token, name, logger);
+            if (config?.ProxyType === btp_utils_1.DestinationProxyType.ON_PREMISE) {
+                logger.info(`Destination "${name}" is OnPremise, SSH tunnel is needed.`);
+                return true;
+            }
+        }
+        catch (e) {
+            const message = e instanceof Error ? e.message : String(e);
+            logger.debug(`Could not check destination "${name}": ${message}`);
+        }
+    }
+    logger.debug('No OnPremise destinations found in webapp/xs-app.json routes.');
+    return false;
+}
+//# sourceMappingURL=destination-check.js.map

package/dist/tunnel/tunnel.d.ts

@@ -0,0 +1,26 @@
+import type { ChildProcess } from 'node:child_process';
+import type { ToolsLogger } from '@sap-ux/logger';
+import type { ConnectivityProxyInfo, SshTunnelOptions, EffectiveOptions } from '../types';
+/**
+ * Start an SSH tunnel to the connectivity proxy if needed.
+ * Skips if running in BAS, if the port is already in use, or if no connectivity service is present.
+ * Errors are logged as warnings; the middleware continues without the tunnel.
+ *
+ * @param connectivityInfo - Original connectivity proxy host and port from VCAP_SERVICES.
+ * @param tunnelAppName - CF app name to SSH into.
+ * @param logger - Logger instance.
+ * @param options - Optional tunnel configuration.
+ * @returns The SSH tunnel child process, or undefined if not started.
+ */
+export declare function startSshTunnelIfNeeded(connectivityInfo: ConnectivityProxyInfo, tunnelAppName: string, logger: ToolsLogger, options?: SshTunnelOptions): Promise<ChildProcess | undefined>;
+/**
+ * Check for OnPremise destinations and set up an SSH tunnel if needed.
+ * Handles the full lifecycle: destination check, tunnel app deployment, SSH enable, and tunnel spawn.
+ *
+ * @param rootPath - Project root path.
+ * @param connectivityInfo - Connectivity proxy host and port from VCAP_SERVICES.
+ * @param effectiveOptions - Merged middleware options.
+ * @param logger - Logger instance.
+ */
+export declare function setupSshTunnel(rootPath: string, connectivityInfo: ConnectivityProxyInfo, effectiveOptions: EffectiveOptions, logger: ToolsLogger): Promise<void>;
+//# sourceMappingURL=tunnel.d.ts.map

package/dist/tunnel/tunnel.js

@@ -0,0 +1,168 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startSshTunnelIfNeeded = startSshTunnelIfNeeded;
+exports.setupSshTunnel = setupSshTunnel;
+const node_net_1 = __importDefault(require("node:net"));
+const node_child_process_1 = require("node:child_process");
+const btp_utils_1 = require("@sap-ux/btp-utils");
+const adp_tooling_1 = require("@sap-ux/adp-tooling");
+const destination_check_1 = require("./destination-check");
+/**
+ * Check if a port is already in use.
+ *
+ * @param port - Port number to check.
+ * @returns True if the port is in use.
+ */
+function isPortInUse(port) {
+    return new Promise((resolve) => {
+        const server = node_net_1.default.createServer();
+        server.once('error', () => resolve(true));
+        server.once('listening', () => {
+            server.close(() => resolve(false));
+        });
+        server.listen(port, '127.0.0.1');
+    });
+}
+/**
+ * Wait for a port to become reachable via TCP connect.
+ *
+ * @param port - Port to connect to.
+ * @param timeoutMs - Maximum wait time in ms.
+ * @returns True if the port became reachable within the timeout.
+ */
+function waitForPort(port, timeoutMs) {
+    const start = Date.now();
+    return new Promise((resolve) => {
+        function attempt() {
+            if (Date.now() - start > timeoutMs) {
+                resolve(false);
+                return;
+            }
+            const socket = node_net_1.default.connect(port, '127.0.0.1');
+            socket.once('connect', () => {
+                socket.destroy();
+                resolve(true);
+            });
+            socket.once('error', () => {
+                socket.destroy();
+                setTimeout(attempt, 500);
+            });
+        }
+        attempt();
+    });
+}
+/**
+ * Spawn the long-running cf ssh tunnel process.
+ *
+ * @param appName - CF app name.
+ * @param localPort - Local port to bind.
+ * @param remoteHost - Remote connectivity proxy host.
+ * @param remotePort - Remote connectivity proxy port.
+ * @param logger - Logger instance.
+ * @returns The spawned child process.
+ */
+function spawnSshTunnel(appName, localPort, remoteHost, remotePort, logger) {
+    const tunnelArg = `${localPort}:${remoteHost}:${remotePort}`;
+    logger.info(`Starting SSH tunnel: cf ssh ${appName} -N -T -L ${tunnelArg}`);
+    const child = (0, node_child_process_1.spawn)('cf', ['ssh', appName, '-N', '-T', '-L', tunnelArg], {
+        stdio: 'pipe',
+        shell: process.platform === 'win32'
+    });
+    child.stderr?.on('data', (data) => {
+        logger.warn(`SSH tunnel stderr: ${data.toString().trim()}`);
+    });
+    child.on('error', (err) => {
+        logger.warn(`SSH tunnel process error: ${err.message}`);
+    });
+    child.on('exit', (code) => {
+        if (code !== null && code !== 0) {
+            logger.warn(`SSH tunnel exited with code ${code}`);
+        }
+    });
+    return child;
+}
+/**
+ * Register cleanup handlers to kill the SSH tunnel on process exit.
+ *
+ * @param tunnelProcess - The SSH tunnel child process.
+ * @param logger - Logger instance.
+ */
+function registerCleanup(tunnelProcess, logger) {
+    const cleanup = () => {
+        if (!tunnelProcess.killed) {
+            logger.debug('Killing SSH tunnel process.');
+            tunnelProcess.kill('SIGTERM');
+        }
+    };
+    process.on('exit', cleanup);
+    process.once('SIGTERM', cleanup);
+    process.once('SIGINT', cleanup);
+}
+/**
+ * Start an SSH tunnel to the connectivity proxy if needed.
+ * Skips if running in BAS, if the port is already in use, or if no connectivity service is present.
+ * Errors are logged as warnings; the middleware continues without the tunnel.
+ *
+ * @param connectivityInfo - Original connectivity proxy host and port from VCAP_SERVICES.
+ * @param tunnelAppName - CF app name to SSH into.
+ * @param logger - Logger instance.
+ * @param options - Optional tunnel configuration.
+ * @returns The SSH tunnel child process, or undefined if not started.
+ */
+async function startSshTunnelIfNeeded(connectivityInfo, tunnelAppName, logger, options) {
+    try {
+        if ((0, btp_utils_1.isAppStudio)()) {
+            logger.debug('Running in BAS, SSH tunnel not needed.');
+            return undefined;
+        }
+        const localPort = options?.localPort ?? connectivityInfo.port;
+        if (await isPortInUse(localPort)) {
+            logger.info(`Port ${localPort} already in use, assuming SSH tunnel is already running.`);
+            return undefined;
+        }
+        if (!options?.skipSshEnable) {
+            await (0, adp_tooling_1.enableSshAndRestart)(tunnelAppName, logger);
+        }
+        const child = spawnSshTunnel(tunnelAppName, localPort, connectivityInfo.host, connectivityInfo.port, logger);
+        registerCleanup(child, logger);
+        const ready = await waitForPort(localPort, 10_000);
+        if (ready) {
+            logger.info(`SSH tunnel ready on localhost:${localPort}`);
+        }
+        else {
+            logger.warn(`SSH tunnel did not become ready within 10s on localhost:${localPort}`);
+        }
+        return child;
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        logger.warn(`SSH tunnel setup failed: ${message}. On-premise connectivity may not work.`);
+        return undefined;
+    }
+}
+/**
+ * Check for OnPremise destinations and set up an SSH tunnel if needed.
+ * Handles the full lifecycle: destination check, tunnel app deployment, SSH enable, and tunnel spawn.
+ *
+ * @param rootPath - Project root path.
+ * @param connectivityInfo - Connectivity proxy host and port from VCAP_SERVICES.
+ * @param effectiveOptions - Merged middleware options.
+ * @param logger - Logger instance.
+ */
+async function setupSshTunnel(rootPath, connectivityInfo, effectiveOptions, logger) {
+    const needsSshTunnel = await (0, destination_check_1.hasOnPremiseDestination)(rootPath, logger);
+    if (!needsSshTunnel) {
+        logger.info('No OnPremise destination found in webapp/xs-app.json, skipping SSH tunnel setup.');
+        return;
+    }
+    const tunnelAppName = effectiveOptions.tunnelAppName ?? adp_tooling_1.DEFAULT_TUNNEL_APP_NAME;
+    await (0, adp_tooling_1.ensureTunnelAppExists)(tunnelAppName, logger);
+    await startSshTunnelIfNeeded(connectivityInfo, tunnelAppName, logger, {
+        localPort: effectiveOptions.tunnelLocalPort,
+        skipSshEnable: effectiveOptions.skipSshEnable
+    });
+}
+//# sourceMappingURL=tunnel.js.map

package/dist/types.d.ts

@@ -52,6 +52,14 @@ export interface BackendProxyMiddlewareCfConfig {
     disableWelcomeFile?: boolean;
     /** Disable automatic injection of ui5-server routes (resources, test-resources, catch-all) */
     disableUi5ServerRoutes?: boolean;
+    /** Disable SSH tunnel to connectivity proxy for OnPremise destinations */
+    disableSshTunnel?: boolean;
+    /** CF app name used as SSH tunnel target */
+    tunnelAppName?: string;
+    /** Local port for the SSH tunnel (defaults to connectivity proxy port) */
+    tunnelLocalPort?: number;
+    /** Skip cf enable-ssh and cf restart (assume SSH is already enabled on the tunnel app) */
+    skipSshEnable?: boolean;
 }
 /** Effective options with defaults applied. */
 export interface EffectiveOptions extends BackendProxyMiddlewareCfConfig {
@@ -129,6 +137,22 @@ export interface CreateProxyOptions {
     /** External URL for BAS (from exposePort). Overrides x-forwarded-host/proto in proxy requests. */
     basExternalUrl?: URL;
 }
+/**
+ * Connectivity proxy coordinates from VCAP_SERVICES.
+ */
+export interface ConnectivityProxyInfo {
+    host: string;
+    port: number;
+}
+/**
+ * Options for the SSH tunnel setup.
+ */
+export interface SshTunnelOptions {
+    /** Local port to bind the tunnel to (defaults to remotePort). */
+    localPort?: number;
+    /** Skip cf enable-ssh and cf restart (assume SSH is already enabled). */
+    skipSshEnable?: boolean;
+}
 /**
  * Approuter extension handler: Express-like (req, res, next) with optional 4th params from config
  */

package/package.json

@@ -9,7 +9,7 @@
   "bugs": {
     "url": "https://github.com/SAP/open-ux-tools/issues?q=is%3Aopen+is%3Aissue+label%3Abug+label%3Abackend-proxy-middleware-cf"
   },
-  "version": "0.1.2",
+  "version": "0.1.3",
   "license": "Apache-2.0",
   "author": "@SAP/ux-tools-team",
   "main": "dist/index.js",
@@ -27,7 +27,7 @@
     "http-proxy-middleware": "3.0.5",
     "mime-types": "^2.1.35",
     "portfinder": "^1.0.32",
-    "@sap-ux/adp-tooling": "0.18.112",
+    "@sap-ux/adp-tooling": "0.18.113",
     "@sap-ux/btp-utils": "1.1.12",
     "@sap-ux/logger": "0.8.5"
   },