arc-1-lsp 0.0.1

package/LICENSE

@@ -0,0 +1,30 @@
+MIT License
+
+Copyright (c) 2026 Marian Zeis and contributors
+
+Portions of this software are derived from ARC-1 (https://github.com/marianfoo/arc-1),
+MIT License, Copyright (c) 2025-2026 Alice Vinogradova and contributors — specifically
+the MCP server shell, configuration, authorization/scope model, audit, logging, and
+Zod schema patterns that arc-1-lsp reuses.
+
+This project does NOT include or redistribute SAP's `adt-ls` language server or any
+other SAP binaries; those remain under SAP's own license and must be brought by the
+user (see docs/adr/0002-byo-adt-ls-no-redistribution.md).
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,295 @@
+# arc-1-lsp
+
+An edition of **ARC-1** — a Model Context Protocol (MCP) server for SAP ABAP
+development — that delegates **all** ABAP/ADT interaction to SAP's own embedded
+**`adt-ls`** language server instead of a hand-rolled ADT HTTP client. arc-1-lsp
+owns the MCP front-end, auth/scopes, write-safety, and orchestration; `adt-ls`
+owns CSRF, locking, XML, activation, transport — everything system-specific.
+
+> **Status:** working — connects headless to a SAP system, exposes 16 MCP tools
+> (reads + a full create→edit→activate→test→delete authoring loop), runs locally
+> over stdio or as a Docker app on SAP BTP Cloud Foundry. Single-tenant / one
+> technical user today; per-user principal propagation is on the roadmap.
+
+## Where `adt-ls` comes from
+
+`adt-ls` is **SAP's** language server: the headless core of the Eclipse-based
+**ABAP Development Tools (ADT)**, shipped inside the official
+[**ABAP Development Tools for VS Code**](https://marketplace.visualstudio.com/items?itemName=SAPSE.adt-vscode)
+extension (`sapse.adt-vscode`). It speaks a private LSP namespace (`adtLs/*` —
+destinations, logon, filesystem, activation, transport, unit tests) and embeds an
+**experimental MCP server** (object creation, activation, generators, …).
+
+arc-1-lsp does not reimplement any of that — it **discovers, spawns, and drives**
+the developer-provided `adt-ls` headless (no Eclipse, no VS Code, no browser). The
+`adt-ls` binary is under SAP's Developer License and is **never bundled or
+redistributed** — you bring your own (see [Prerequisites](#prerequisites) and
+[ADR-0002](docs/adr/0002-byo-adt-ls-no-redistribution.md)).
+
+## arc-1-lsp vs. main ARC-1 — which should I use?
+
+Both are MCP servers for SAP ABAP and share the same tool shape. They differ in
+*how* they talk to SAP, and therefore in what they can do.
+
+| | **[ARC-1](https://github.com/marianfoo/arc-1)** (main) | **arc-1-lsp** (this repo) |
+|---|---|---|
+| ADT protocol | Hand-rolled (CSRF, locking, XML, version quirks) | Delegated to SAP's `adt-ls` |
+| System-specific code to maintain | ~29 ADT modules | ~zero (it's SAP's job) |
+| Object-type coverage | **All** — classic *and* modern (programs, tables, function groups, domains, CDS, classes, RAP, …) | **Modern ABAP-Cloud types only** (class, interface, CDS, behavior def, service def/binding, …) |
+| Free SQL / data preview | ✅ | ❌ (absent in adt-ls) |
+| Navigation / where-used, ATC/lint | ✅ | ❌ (not reachable headless) |
+| Git (gCTS / abapGit) | ✅ | ❌ (absent in adt-ls) |
+| Maturity | Production, multi-user, write-capable | Working; reads + authoring loop; single technical user |
+
+**Use main ARC-1** for the broadest coverage (classic objects, SQL, ATC, git,
+where-used) and production multi-user deployments. **Use arc-1-lsp** when you want
+SAP itself to own the ADT protocol — less code to maintain, and behavior that
+tracks ADT exactly — and your work is on modern ABAP-Cloud objects.
+
+The honest, line-by-line map of what is and isn't wired (and *why*) lives in
+[`docs/arc-1-feature-parity.md`](docs/arc-1-feature-parity.md); the live-verified
+capability boundary of `adt-ls` itself is in
+[`docs/adt-ls-reference.md`](docs/adt-ls-reference.md).
+
+## What works today
+
+**16 MCP tools.** Reads work read-only; the authoring loop is gated behind
+`ARC1_ALLOW_WRITES` + a package allowlist.
+
+- **Reads (11):** `health`, `list_destinations`, `list_creatable_objects`,
+  `search_objects`, `list_inactive_objects`, `list_users`, `list_generators`,
+  `get_generator_schema`, `get_object_type_details`, `get_service_binding`,
+  `read_source`.
+- **Authoring loop (5, write-gated):** `create_object`, `update_source`,
+  `activate_object`, `run_unit_tests`, `delete_object` — a full
+  create → edit → activate → test → delete cycle, by object name, for modern
+  ABAP-Cloud types. `activate_object` returns ranged syntax diagnostics so an
+  agent can self-correct.
+
+**Out of scope here (use main ARC-1):** classic object types (program/table/
+function group/domain/…), free SQL, navigation/where-used, ATC/lint, transport
+*writes*, and git. These are honest limits of `adt-ls`'s headless surface, not
+missing features — details in [`docs/arc-1-feature-parity.md`](docs/arc-1-feature-parity.md).
+
+The SAP session behind `adt-ls` self-heals: if it expires (idle timeout →
+"logged off"), arc-1-lsp transparently re-logs on and retries the call once.
+
+## Architecture
+
+```
+agent (Claude / Copilot / Cursor / …)
+   │  MCP (stdio | http-streamable)
+   ▼
+arc-1-lsp  (Node/TS — discovers, spawns & supervises adt-ls; auth + scopes; owns SAP logon)
+   ├─ LSP over pipe ───────────▶ adt-ls (headless, BYO)   ← bootstrap, destinations, logon, filesystem, activation
+   └─ HTTP localhost ─────────▶ adt-ls's own /mcp         ← federated tools
+                                      │ HTTPS
+                                      ▼
+                          TLS reverse proxy (CN=localhost, in arc-1-lsp)
+                                      │  DIRECT ───────────────▶ SAP ABAP (internet-reachable)
+                                      └  CC ─▶ connectivity bridge ─▶ BTP Connectivity ─▶ Cloud Connector ─▶ SAP ABAP
+```
+
+`adt-ls` requires an **HTTPS** backend and validates its hostname; SAP's default
+self-signed cert (`CN=*.dummy.nodomain`) fails that. So arc-1-lsp runs a local
+**TLS-terminating reverse proxy** (cert `CN=localhost`, trusted via a truststore
+built from `adt-ls`'s own JRE) and re-originates to the real backend — directly,
+or through the connectivity bridge on BTP. Logon is **headless reentrance-ticket**
+emulation (no browser). Full recipe + decisions:
+[`docs/adt-ls-headless-notes.md`](docs/adt-ls-headless-notes.md) +
+[`docs/adr/`](docs/adr/README.md).
+
+## Prerequisites
+
+1. **Node.js 22+**.
+2. **A developer-provided `adt-ls`** (BYO — never redistributed). Install the
+   official **ABAP Development Tools for VS Code** extension (`sapse.adt-vscode`,
+   which accepts SAP's Developer License) and arc-1-lsp finds its `adt-ls`
+   automatically. Discovery order:
+   1. `ARC1_ADT_LS_PATH` (explicit path)
+   2. `vendor/adt-ls/<platform>/…` (build-time injection, for containers)
+   3. the newest installed `sapse.adt-vscode-*` VS Code extension
+3. **A reachable SAP ABAP system** to connect to (optional — the server also
+   starts disconnected and still serves `health`/`tools`). Runtime cert/proxy
+   deps: `openssl` + `keytool` (the latter ships inside `adt-ls`'s JRE). See
+   [`docs/native-deps.md`](docs/native-deps.md).
+
+## Install & run
+
+### From source (stdio)
+
+```bash
+npm install
+npm run build
+node dist/index.js          # or: npm run dev (tsx, no build)
+```
+
+Point an MCP client at the process over **stdio**. With no SAP vars set it starts
+disconnected (handy for inspecting the tool list); set `ARC1_SAP_*` to auto-connect
+(see [Connect a SAP system](#connect-a-sap-system)).
+
+### As a CLI (npm)
+
+```bash
+npm install -g arc1-lsp
+arc1-lsp                    # stdio MCP server (honors the same env/flags)
+```
+
+The npm package ships the Node wrapper only — it still discovers your BYO `adt-ls`
+(it does **not** contain any SAP binary).
+
+### Docker / http-streamable
+
+The container bundles a **build-time-injected** linux `adt-ls` and serves MCP over
+http-streamable behind an API key — this is the artifact deployed to BTP CF.
+
+```bash
+# stage the linux adt-ls (admin provides the licensed VSIX → vendor/)
+node scripts/extract-adt-ls.mjs
+# build the linux/amd64 image (host-builds dist; only prod deps + adt-ls are amd64)
+IMAGE=arc-1-lsp:dev bash scripts/docker-build.sh
+# run
+docker run -e ARC1_API_KEYS=devkey -p 8080:8080 arc-1-lsp:dev
+```
+
+`GET /healthz` (no auth) for health checks; `POST /mcp` with
+`Authorization: Bearer <key>` for MCP.
+
+## Connect a SAP system
+
+Set the `ARC1_SAP_*` vars (or `--sap-*` flags) and arc-1-lsp logs on at startup.
+
+```bash
+ARC1_SAP_HOST=a4h.example.com ARC1_SAP_PORT=50001 \
+ARC1_SAP_USER=DEVELOPER ARC1_SAP_PASSWORD=… ARC1_SAP_DESTINATION=A4H \
+node dist/index.js
+```
+
+`health` then reports `connectedDestination`, and `list_creatable_objects` returns
+the system's object catalog. Two connection modes:
+
+- **DIRECT** (default) — the reverse proxy connects straight to an
+  internet-reachable backend. All four of `HOST`/`PORT`/`USER`/`PASSWORD` must be set.
+- **CC** (on-prem via Cloud Connector, on BTP) — bind the `connectivity` +
+  `destination` services and set only `ARC1_SAP_DESTINATION <btp-destination-name>`;
+  the engine resolves it and routes through the connectivity bridge automatically.
+
+### Connect an MCP client
+
+```jsonc
+// Claude Code (HTTP):
+//   claude mcp add --transport http arc1lsp https://<host>/mcp \
+//     --header "Authorization: Bearer <api-key>"
+//
+// Cursor / Claude Desktop / VS Code — mcp.json:
+{
+  "mcpServers": {
+    "arc1lsp": {
+      "url": "https://<host>/mcp",
+      "headers": { "Authorization": "Bearer <api-key>" }
+    }
+  }
+}
+```
+
+For local stdio, point the client at the `node dist/index.js` (or `arc1-lsp`)
+process instead of a URL. GUI inspector: `npx @modelcontextprotocol/inspector`.
+
+## Configuration (precedence: CLI flag > env var > default)
+
+| Env / flag | Default | Meaning |
+|------------|---------|---------|
+| `ARC1_ADT_LS_PATH` / `--adt-ls-path` | (discovered) | explicit `adt-ls` binary |
+| `ARC1_ADT_LS_MCP_PORT` / `--adt-ls-mcp-port` | `2240` | port for `adt-ls`'s own MCP server |
+| `ARC1_ADT_LS_MCP_TOKEN` / `--adt-ls-mcp-token` | (generated) | bearer for `adt-ls`'s MCP server |
+| `ARC1_TRANSPORT` / `--transport` | `stdio` | `stdio` \| `http-streamable` |
+| `ARC1_PORT` / `--port` | `8080` | HTTP port (http-streamable; CF `$PORT` honored) |
+| `ARC1_API_KEYS` / `--api-keys` | (none) | edge auth: `key[:label][,key2…]`; empty disables auth (local only) |
+| `ARC1_ALLOW_WRITES` / `--allow-writes` | `false` | enable mutating tools (create/update/activate/delete) |
+| `ARC1_ALLOWED_PACKAGES` / `--allowed-packages` | `$TMP` | packages writes may target — exact / `PREFIX*` / `*` |
+| `ARC1_LOG_LEVEL` | `info` | `debug`\|`info`\|`warn`\|`error` (stderr only) |
+| **SAP connection — DIRECT mode** (internet-reachable backend) | | |
+| `ARC1_SAP_HOST` / `--sap-host` | — | backend host |
+| `ARC1_SAP_PORT` / `--sap-port` | — | backend **HTTPS** port |
+| `ARC1_SAP_USER` / `--sap-user` | — | SAP user (the reentrance ticket is fetched with these creds) |
+| `ARC1_SAP_PASSWORD` / `--sap-password` | — | SAP password (set via env / `cf set-env`, never committed) |
+| `ARC1_SAP_DESTINATION` / `--sap-destination` | `SAP` | `adt-ls` destination id (DIRECT) **or** BTP destination name (CC) |
+| `ARC1_SAP_CLIENT` / `--sap-client` | `001` | SAP client |
+| `ARC1_SAP_LANGUAGE` / `--sap-language` | `EN` | SAP logon language |
+| `ARC1_SAP_INSECURE` / `--sap-insecure` | `true` | accept the backend's self-signed cert (the proxy's own TLS is trusted separately) |
+| **SAP connection — CC mode** (on-prem via Cloud Connector) | | |
+| `ARC1_SAP_DESTINATION` | — | BTP Destination Service name; resolved when `connectivity` is bound |
+
+> Config is read from CLI flags and the process environment only (no `.env`
+> auto-loading) — export the vars in your shell or set them via `cf set-env`.
+
+## Deploy to BTP Cloud Foundry
+
+The image deploys to CF as a docker app (see `manifest.yml`). Secrets stay out of
+git — the API key, SAP creds, and the registry pull token are passed at deploy time:
+
+```bash
+docker push ghcr.io/<owner>/arc-1-lsp:0.0.1
+# secrets via cf set-env (never committed):
+cf set-env arc-1-lsp ARC1_API_KEYS "$(openssl rand -hex 16)"
+cf set-env arc-1-lsp ARC1_SAP_HOST   <host>
+cf set-env arc-1-lsp ARC1_SAP_PORT   50001
+cf set-env arc-1-lsp ARC1_SAP_USER   <user>
+cf set-env arc-1-lsp ARC1_SAP_PASSWORD <secret>
+cf set-env arc-1-lsp ARC1_SAP_DESTINATION <id>
+cf set-env arc-1-lsp ARC1_ALLOW_WRITES true          # optional, to enable the authoring loop
+cf set-env arc-1-lsp ARC1_ALLOWED_PACKAGES '$TMP'    # scope writes
+# re-push (stop first if the org memory quota is tight — avoids a transient 2×2G):
+cf stop arc-1-lsp
+CF_DOCKER_PASSWORD=$(gh auth token) cf push arc-1-lsp -f manifest.yml
+```
+
+`cf logs` shows `engine: connected destination …`; the MCP `health` tool reports
+`connectedDestination`. `cf push` preserves `cf set-env` vars not listed in the
+manifest. If the ghcr image is private, CF pulls it with `CF_DOCKER_PASSWORD`;
+make the package public to drop that.
+
+## Test a running instance (local or CF)
+
+The `/mcp` endpoint is **stateless** StreamableHTTP — a bare `tools/call` works, no
+session handshake.
+
+```bash
+ARC1_URL=https://<host>/mcp ARC1_KEY=<api-key> bash scripts/smoke-remote.sh
+# → /healthz ok · health {connectedDestination} · tools/list · list_creatable_objects
+```
+
+## Documentation
+
+| Doc | What it covers |
+|-----|----------------|
+| [`docs/adt-ls-reference.md`](docs/adt-ls-reference.md) | **The authoritative, live-verified `adt-ls` capability map** — URI model, the `getLsUri` name→URI resolver, the method/tool matrix, the object-type boundary, the proven lifecycle, session self-heal, gotchas |
+| [`docs/arc-1-feature-parity.md`](docs/arc-1-feature-parity.md) | arc-1 vs arc-1-lsp coverage, per-capability "implemented? why / why not" |
+| [`docs/adt-ls-headless-notes.md`](docs/adt-ls-headless-notes.md) | The reverse-engineered headless connection recipe (initialize, reentrance-ticket logon, TLS/truststore) |
+| [`docs/adr/`](docs/adr/README.md) | Architecture Decision Records — each decision, its context, and **when to revisit** it |
+| [`docs/assumptions-and-future-changes.md`](docs/assumptions-and-future-changes.md) | The watch-list: what to re-verify against new `adt-ls` releases, and what would let us delete complexity |
+| [`docs/native-deps.md`](docs/native-deps.md) | System libraries `adt-ls` needs in a slim container |
+| [`docs/journey.md`](docs/journey.md) | The chronological story, including dead-ends (so they aren't re-walked) |
+
+Working on the code with Claude Code? [`CLAUDE.md`](CLAUDE.md) is the contributor
+guide (design principles, codebase map, conventions).
+
+## Status & roadmap
+
+✅ foundation → ✅ containerize → ✅ deploy to BTP CF → ✅ headless connect
+(DIRECT) → ✅ read + authoring-loop tools (16) → ✅ session self-heal.
+
+**Next:** CC-mode deploy (code ready; needs a running Cloud Connector + bound
+`connectivity`/`destination`), then **per-user principal propagation** (one
+`adt-ls` session per user via the BTP Destination Service). Roadmap detail in
+[`docs/plans/`](docs/plans/) and [`docs/assumptions-and-future-changes.md`](docs/assumptions-and-future-changes.md).
+
+## License & credits
+
+[MIT](LICENSE) © 2026 Marian Zeis and contributors.
+
+Built on the shell of **[ARC-1](https://github.com/marianfoo/arc-1)** (MIT,
+© Alice Vinogradova and contributors) — arc-1-lsp reuses its MCP server,
+configuration, authorization model, audit, and logging patterns. SAP's `adt-ls`
+is **not** included or redistributed (SAP Developer License) — bring your own; see
+[ADR-0002](docs/adr/0002-byo-adt-ls-no-redistribution.md).

package/dist/adt-ls/cert.js

@@ -0,0 +1,121 @@
+/**
+ * TLS material for the headless adt-ls connection (ADR-0006).
+ *
+ * Two artifacts, both ephemeral (built at startup into a temp dir, never
+ * persisted):
+ *   1. a `CN=localhost` keypair+cert for the TLS reverse proxy
+ *      (`tls-reverse-proxy.ts`), and
+ *   2. a JVM truststore = a copy of adt-ls's own JRE `cacerts` (so all public CAs
+ *      still validate — needed for BTP later) + that localhost cert, so the JVM
+ *      trusts the proxy. Injected into adt-ls via `JAVA_TOOL_OPTIONS`
+ *      (launcher-agnostic; no `-vmargs` parsing risk).
+ *
+ * `keytool` is required and always ships with adt-ls's JRE; `openssl` is required
+ * for cert generation (present on macOS/Linux + the container image).
+ */
+import { execFile } from 'node:child_process';
+import { promises as fsp } from 'node:fs';
+import fs from 'node:fs';
+import path from 'node:path';
+import { promisify } from 'node:util';
+const execFileP = promisify(execFile);
+export const TRUSTSTORE_PASSWORD = 'changeit'; // JRE cacerts default; truststore holds only public certs
+export const PROXY_CERT_ALIAS = 'arc1-proxy-localhost';
+/**
+ * Locate the bundled SAP Machine JRE's `keytool` + `cacerts` relative to the
+ * adt-ls binary. Layouts differ by platform:
+ *   - linux/win: binDir/plugins/com.sap.adt.jvm.<ver>/jre/...
+ *   - macOS:     binDir/../Eclipse/plugins/com.sap.adt.jvm.<ver>/jre/...
+ */
+export function resolveJreTools(adtLsBin) {
+    const binDir = path.dirname(adtLsBin);
+    const pluginRoots = [
+        path.join(binDir, 'plugins'),
+        path.join(binDir, '..', 'Eclipse', 'plugins'),
+        path.join(binDir, '..', '..', 'Eclipse', 'plugins'),
+    ];
+    const keytoolName = process.platform === 'win32' ? 'keytool.exe' : 'keytool';
+    for (const plugins of pluginRoots) {
+        if (!fs.existsSync(plugins))
+            continue;
+        const jvm = fs.readdirSync(plugins).find((d) => d.startsWith('com.sap.adt.jvm.'));
+        if (!jvm)
+            continue;
+        const jreLib = path.join(plugins, jvm, 'jre');
+        const keytool = path.join(jreLib, 'bin', keytoolName);
+        const cacerts = path.join(jreLib, 'lib', 'security', 'cacerts');
+        if (fs.existsSync(keytool))
+            return { keytool, cacerts };
+    }
+    throw new Error(`Could not locate the adt-ls JRE keytool relative to ${adtLsBin}. Looked under: ${pluginRoots.join(', ')}`);
+}
+/** Generate an ephemeral `CN=localhost` self-signed keypair+cert via openssl. */
+export async function generateLocalhostCert(dir) {
+    await fsp.mkdir(dir, { recursive: true });
+    const keyPath = path.join(dir, 'proxy-key.pem');
+    const certPath = path.join(dir, 'proxy-cert.pem');
+    // CN=localhost (no SAN): adt-ls's verifier falls back to CN when no SAN is
+    // present, and the proxy is only ever reached as `localhost`. Avoiding -addext
+    // keeps this portable across OpenSSL and macOS LibreSSL.
+    await execFileP('openssl', [
+        'req',
+        '-x509',
+        '-newkey',
+        'rsa:2048',
+        '-nodes',
+        '-keyout',
+        keyPath,
+        '-out',
+        certPath,
+        '-days',
+        '825',
+        '-subj',
+        '/CN=localhost',
+    ]);
+    const [keyPem, certPem] = await Promise.all([fsp.readFile(keyPath, 'utf8'), fsp.readFile(certPath, 'utf8')]);
+    return { keyPath, certPath, keyPem, certPem };
+}
+/**
+ * Build a JVM truststore: copy the JRE cacerts (preserving public CAs) and import
+ * the proxy cert under PROXY_CERT_ALIAS. Returns the truststore path.
+ */
+export async function buildTruststore(opts) {
+    const password = opts.password ?? TRUSTSTORE_PASSWORD;
+    await fsp.mkdir(path.dirname(opts.outPath), { recursive: true });
+    await fsp.copyFile(opts.cacerts, opts.outPath);
+    await execFileP(opts.keytool, [
+        '-importcert',
+        '-noprompt',
+        '-keystore',
+        opts.outPath,
+        '-storepass',
+        password,
+        '-alias',
+        PROXY_CERT_ALIAS,
+        '-file',
+        opts.certPath,
+    ]);
+    return opts.outPath;
+}
+/**
+ * One-shot: generate the localhost proxy cert + build the truststore from adt-ls's
+ * own JRE, into `workDir`. Returns everything the engine needs to start the proxy
+ * and spawn adt-ls trusting it.
+ */
+export async function prepareAdtLsTls(opts) {
+    const { keytool, cacerts } = resolveJreTools(opts.adtLsBin);
+    const cert = await generateLocalhostCert(opts.workDir);
+    const trustStorePath = await buildTruststore({
+        keytool,
+        cacerts,
+        certPath: cert.certPath,
+        outPath: path.join(opts.workDir, 'truststore.p12'),
+    });
+    const javaToolOptions = [
+        `-Djavax.net.ssl.trustStore=${trustStorePath}`,
+        `-Djavax.net.ssl.trustStorePassword=${TRUSTSTORE_PASSWORD}`,
+        '-Djavax.net.ssl.trustStoreType=PKCS12',
+    ].join(' ');
+    return { proxyKeyPem: cert.keyPem, proxyCertPem: cert.certPem, trustStorePath, javaToolOptions };
+}
+//# sourceMappingURL=cert.js.map

package/dist/adt-ls/cert.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert.js","sourceRoot":"","sources":["../../src/adt-ls/cert.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,QAAQ,IAAI,GAAG,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEtC,MAAM,CAAC,MAAM,mBAAmB,GAAG,UAAU,CAAC,CAAC,0DAA0D;AACzG,MAAM,CAAC,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAOvD;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,WAAW,GAAG;QAClB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;QAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC;QAC7C,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC;KACpD,CAAC;IACF,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,SAAS;QACtC,MAAM,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAClF,IAAI,CAAC,GAAG;YAAE,SAAS;QACnB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;QAChE,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC1D,CAAC;IACD,MAAM,IAAI,KAAK,CACb,uDAAuD,QAAQ,mBAAmB,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3G,CAAC;AACJ,CAAC;AASD,iFAAiF;AACjF,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAW;IACrD,MAAM,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAClD,2EAA2E;IAC3E,+EAA+E;IAC/E,yDAAyD;IACzD,MAAM,SAAS,CAAC,SAAS,EAAE;QACzB,KAAK;QACL,OAAO;QACP,SAAS;QACT,UAAU;QACV,QAAQ;QACR,SAAS;QACT,OAAO;QACP,MAAM;QACN,QAAQ;QACR,OAAO;QACP,KAAK;QACL,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;IAC7G,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAMrC;IACC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,mBAAmB,CAAC;IACtD,MAAM,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjE,MAAM,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE;QAC5B,aAAa;QACb,WAAW;QACX,WAAW;QACX,IAAI,CAAC,OAAO;QACZ,YAAY;QACZ,QAAQ;QACR,QAAQ;QACR,gBAAgB;QAChB,OAAO;QACP,IAAI,CAAC,QAAQ;KACd,CAAC,CAAC;IACH,OAAO,IAAI,CAAC,OAAO,CAAC;AACtB,CAAC;AAWD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,IAA2C;IAC/E,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5D,MAAM,IAAI,GAAG,MAAM,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvD,MAAM,cAAc,GAAG,MAAM,eAAe,CAAC;QAC3C,OAAO;QACP,OAAO;QACP,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC;KACnD,CAAC,CAAC;IACH,MAAM,eAAe,GAAG;QACtB,8BAA8B,cAAc,EAAE;QAC9C,sCAAsC,mBAAmB,EAAE;QAC3D,uCAAuC;KACxC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,CAAC,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,CAAC;AACnG,CAAC"}

package/dist/adt-ls/destinations.js

@@ -0,0 +1,116 @@
+/**
+ * adt-ls destination + headless reentrance-ticket logon (ADR-0006).
+ *
+ * Proven end-to-end against a4h → `logonState:"connected"`. The recipe (see
+ * `docs/adt-ls-headless-notes.md`):
+ *   1. initializeService with an ISOLATED store path (never the global
+ *      ~/.adtls/destinations.json, which is shared with the user's IDEs).
+ *   2. create with protocol:"http" (URL scheme lives in systemUrl) and
+ *      authenticationKind:"reentranceTicket" (NOT basicAuth — that fails session
+ *      dispatch: "password must not be null"). systemUrl points at the local TLS
+ *      reverse proxy (https://localhost:<port>).
+ *   3. ensureLoggedOn triggers the server→client request
+ *      `adtLs/destinations/requestBrowserBasedLogon`; our handler emulates the
+ *      browser: GET logonUrl with real creds → 307 + reentrance-ticket → deliver
+ *      to adt-ls's 127.0.0.1 listener → return TRUE IMMEDIATELY (fire-and-forget;
+ *      awaiting the delivery deadlocks).
+ */
+import http from 'node:http';
+import https from 'node:https';
+import { logger } from '../server/logger.js';
+export const REQUEST_BROWSER_LOGON = 'adtLs/destinations/requestBrowserBasedLogon';
+/** Must run before any destination op. Empty path = global store — DO NOT use. */
+export function initializeDestinationsService(driver, storePath) {
+    return driver.sendRequest('adtLs/destinations/initializeService', {
+        destinationsStorePath: storePath,
+        workspaceFolderUris: [],
+        fileUris: [],
+    });
+}
+/** Create a reentrance-ticket destination. Returns the destination id on success. */
+export function createDestination(driver, cfg) {
+    return driver.sendRequest('adtLs/destinations/create', {
+        id: cfg.id,
+        protocol: 'http', // ADT-over-HTTP (vs RFC); the URL scheme lives in systemUrl
+        properties: {
+            systemUrl: cfg.systemUrl,
+            authenticationKind: 'reentranceTicket',
+            ...(cfg.user ? { user: cfg.user } : {}),
+            client: cfg.client ?? '001',
+            language: cfg.language ?? 'EN',
+        },
+    });
+}
+export function ensureLoggedOn(driver, destinationId) {
+    return driver.sendRequest('adtLs/destinations/ensureLoggedOn', destinationId);
+}
+export function getLogonInfo(driver, destinationId) {
+    return driver.sendRequest('adtLs/destinations/getLogonInfo', destinationId);
+}
+/** Pull the reentrance `logonUrl` out of a requestBrowserBasedLogon params payload. */
+export function extractLogonUrl(params) {
+    const p = params;
+    for (const item of p?.params ?? []) {
+        if (item?.field?.key === 'logonUrl' && typeof item.field.value === 'string')
+            return item.field.value;
+    }
+    // Fallback: find any reentranceticket URL in the payload.
+    const m = JSON.stringify(params ?? null).match(/https?:[^"\\]*reentranceticket[^"\\]*/);
+    return m ? m[0] : undefined;
+}
+function authHeader(creds) {
+    if (creds.kind === 'bearer')
+        return { Authorization: `Bearer ${creds.token}` };
+    return { Authorization: `Basic ${Buffer.from(`${creds.user}:${creds.password}`).toString('base64')}` };
+}
+/** GET without following redirects; resolves with status + Location. */
+function httpGet(urlStr, opts = {}) {
+    return new Promise((resolve, reject) => {
+        const u = new URL(urlStr);
+        const lib = u.protocol === 'https:' ? https : http;
+        const req = lib.request({
+            hostname: u.hostname,
+            port: u.port,
+            path: `${u.pathname}${u.search}`,
+            method: 'GET',
+            headers: opts.headers,
+            ...(u.protocol === 'https:' ? { rejectUnauthorized: !opts.insecure } : {}),
+        }, (res) => {
+            res.resume(); // drain so the socket frees
+            resolve({ status: res.statusCode ?? 0, location: res.headers.location });
+        });
+        req.on('error', reject);
+        req.end();
+    });
+}
+/**
+ * Emulate the browser reentrance flow: GET logonUrl with real creds → 307 +
+ * reentrance-ticket in Location → deliver it to adt-ls's local 127.0.0.1 listener.
+ * `insecure` skips TLS verification when WE call the proxy/backend (self-signed).
+ */
+export async function performReentranceLogon(logonUrl, creds, opts = {}) {
+    const r1 = await httpGet(logonUrl, { headers: authHeader(creds), insecure: opts.insecure });
+    if (!r1.location) {
+        throw new Error(`reentrance: no redirect Location (status ${r1.status}) from ${logonUrl}`);
+    }
+    // adt-ls's listener is bound on 127.0.0.1; the redirect uses `localhost`.
+    const deliver = r1.location.replace('localhost', '127.0.0.1');
+    await httpGet(deliver, { insecure: opts.insecure });
+}
+/**
+ * Build the `requestBrowserBasedLogon` handler. Fires the reentrance delivery
+ * fire-and-forget and returns `true` immediately — adt-ls's listener won't respond
+ * until this resolves (browser-flow semantics), so awaiting it deadlocks.
+ */
+export function makeReentranceLogonHandler(creds, opts = {}) {
+    return (params) => {
+        const logonUrl = extractLogonUrl(params);
+        if (!logonUrl) {
+            logger.warn('requestBrowserBasedLogon: could not find logonUrl in params');
+            return false;
+        }
+        performReentranceLogon(logonUrl, creds, opts).catch((e) => logger.warn(`reentrance logon failed: ${e instanceof Error ? e.message : String(e)}`));
+        return true;
+    };
+}
+//# sourceMappingURL=destinations.js.map

package/dist/adt-ls/destinations.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"destinations.js","sourceRoot":"","sources":["../../src/adt-ls/destinations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,KAAK,MAAM,YAAY,CAAC;AAC/B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAG7C,MAAM,CAAC,MAAM,qBAAqB,GAAG,6CAA6C,CAAC;AAqBnF,kFAAkF;AAClF,MAAM,UAAU,6BAA6B,CAAC,MAAmB,EAAE,SAAiB;IAClF,OAAO,MAAM,CAAC,WAAW,CAAC,sCAAsC,EAAE;QAChE,qBAAqB,EAAE,SAAS;QAChC,mBAAmB,EAAE,EAAE;QACvB,QAAQ,EAAE,EAAE;KACb,CAAC,CAAC;AACL,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,iBAAiB,CAAC,MAAmB,EAAE,GAAsB;IAC3E,OAAO,MAAM,CAAC,WAAW,CAAC,2BAA2B,EAAE;QACrD,EAAE,EAAE,GAAG,CAAC,EAAE;QACV,QAAQ,EAAE,MAAM,EAAE,4DAA4D;QAC9E,UAAU,EAAE;YACV,SAAS,EAAE,GAAG,CAAC,SAAS;YACxB,kBAAkB,EAAE,kBAAkB;YACtC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvC,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,KAAK;YAC3B,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,IAAI;SAC/B;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAmB,EAAE,aAAqB;IACvE,OAAO,MAAM,CAAC,WAAW,CAAY,mCAAmC,EAAE,aAAa,CAAC,CAAC;AAC3F,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAmB,EAAE,aAAqB;IACrE,OAAO,MAAM,CAAC,WAAW,CAAY,iCAAiC,EAAE,aAAa,CAAC,CAAC;AACzF,CAAC;AAED,uFAAuF;AACvF,MAAM,UAAU,eAAe,CAAC,MAAe;IAC7C,MAAM,CAAC,GAAG,MAAuF,CAAC;IAClG,KAAK,MAAM,IAAI,IAAI,CAAC,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;QACnC,IAAI,IAAI,EAAE,KAAK,EAAE,GAAG,KAAK,UAAU,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;IACvG,CAAC;IACD,0DAA0D;IAC1D,MAAM,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;IACxF,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC9B,CAAC;AAED,SAAS,UAAU,CAAC,KAAuB;IACzC,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,EAAE,aAAa,EAAE,UAAU,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC;IAC/E,OAAO,EAAE,aAAa,EAAE,SAAS,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;AACzG,CAAC;AAED,wEAAwE;AACxE,SAAS,OAAO,CACd,MAAc,EACd,OAAiE,EAAE;IAEnE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1B,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;QACnD,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CACrB;YACE,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,GAAG,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,MAAM,EAAE;YAChC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,GAAG,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,kBAAkB,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC3E,EACD,CAAC,GAAG,EAAE,EAAE;YACN,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,4BAA4B;YAC1C,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3E,CAAC,CACF,CAAC;QACF,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACxB,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,QAAgB,EAChB,KAAuB,EACvB,OAA+B,EAAE;IAEjC,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC5F,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,4CAA4C,EAAE,CAAC,MAAM,UAAU,QAAQ,EAAE,CAAC,CAAC;IAC7F,CAAC;IACD,0EAA0E;IAC1E,MAAM,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC9D,MAAM,OAAO,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;AACtD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,KAAuB,EACvB,OAA+B,EAAE;IAEjC,OAAO,CAAC,MAAe,EAAE,EAAE;QACzB,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,6DAA6D,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;QACD,sBAAsB,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CACxD,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CACtF,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC"}

package/dist/adt-ls/discovery.js

@@ -0,0 +1,59 @@
+/**
+ * Locate a developer-provided `adt-ls` binary. arc-1-lsp never ships or
+ * redistributes adt-ls (SAP Developer License) — it discovers one the developer
+ * already installed.
+ *
+ * Resolution order:
+ *   1. explicit path (opts.explicitPath / ARC1_ADT_LS_PATH)
+ *   2. vendor/adt-ls/ in the repo (build-time injection for containers)
+ *   3. newest installed `sapse.adt-vscode-*` VS Code extension
+ */
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+/** Platform/arch-specific sub-path under an `adt-ls/` root. */
+export function platformSubPath(platform = process.platform, arch = process.arch) {
+    const a = arch === 'arm64' ? 'aarch64' : arch === 'x64' ? 'x86_64' : arch;
+    switch (platform) {
+        case 'darwin':
+            return ['macosx', 'cocoa', a, 'Adt-ls.app', 'Contents', 'MacOS', 'adt-ls'];
+        case 'linux':
+            return ['linux', 'gtk', a, 'adt-ls'];
+        case 'win32':
+            return ['win32', 'win32', a, 'adt-lsc.exe'];
+        default:
+            throw new Error(`Unsupported platform: ${platform}`);
+    }
+}
+export function resolveAdtLsPath(opts = {}) {
+    const tried = [];
+    const sub = platformSubPath(opts.platform, opts.arch);
+    const explicit = opts.explicitPath ?? process.env.ARC1_ADT_LS_PATH;
+    if (explicit) {
+        tried.push(explicit);
+        if (fs.existsSync(explicit))
+            return explicit;
+    }
+    const repoRoot = opts.repoRoot ?? process.cwd();
+    const vendor = path.join(repoRoot, 'vendor', 'adt-ls', ...sub);
+    tried.push(vendor);
+    if (fs.existsSync(vendor))
+        return vendor;
+    const extDir = opts.extensionsDir ?? path.join(os.homedir(), '.vscode', 'extensions');
+    if (fs.existsSync(extDir)) {
+        const candidates = fs
+            .readdirSync(extDir)
+            .filter((d) => d.startsWith('sapse.adt-vscode-'))
+            .sort()
+            .reverse();
+        for (const c of candidates) {
+            const p = path.join(extDir, c, 'adt-ls', ...sub);
+            tried.push(p);
+            if (fs.existsSync(p))
+                return p;
+        }
+    }
+    const triedList = tried.map((t) => `  - ${t}`).join('\n');
+    throw new Error(`adt-ls binary not found. Set ARC1_ADT_LS_PATH, drop it in vendor/adt-ls/, or install the 'sapse.adt-vscode' extension. Tried:\n${triedList}`);
+}
+//# sourceMappingURL=discovery.js.map

package/dist/adt-ls/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/adt-ls/discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,+DAA+D;AAC/D,MAAM,UAAU,eAAe,CAAC,WAA4B,OAAO,CAAC,QAAQ,EAAE,OAAe,OAAO,CAAC,IAAI;IACvG,MAAM,CAAC,GAAG,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC1E,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC7E,KAAK,OAAO;YACV,OAAO,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC;QACvC,KAAK,OAAO;YACV,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,aAAa,CAAC,CAAC;QAC9C;YACE,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAUD,MAAM,UAAU,gBAAgB,CAAC,OAAwB,EAAE;IACzD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;IACnE,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACrB,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,OAAO,QAAQ,CAAC;IAC/C,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,CAAC;IAC/D,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnB,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAEzC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;IACtF,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,MAAM,UAAU,GAAG,EAAE;aAClB,WAAW,CAAC,MAAM,CAAC;aACnB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,mBAAmB,CAAC,CAAC;aAChD,IAAI,EAAE;aACN,OAAO,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,QAAQ,EAAE,GAAG,GAAG,CAAC,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACd,IAAI,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;gBAAE,OAAO,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,IAAI,KAAK,CACb,kIAAkI,SAAS,EAAE,CAC9I,CAAC;AACJ,CAAC"}