arc-1-lsp 0.0.1

package/dist/btp/bridge.js

@@ -0,0 +1,75 @@
+/**
+ * Connectivity bridge: a local HTTP forward proxy that adt-ls routes through.
+ * adt-ls sends absolute-form proxy requests (`GET http://target/path`); the
+ * bridge re-emits them to the BTP connectivity proxy using **standard HTTP-proxy
+ * protocol** (NOT CONNECT — the connectivity proxy 405s on CONNECT), adding
+ * `Proxy-Authorization: Bearer <connectivity token>` and the Cloud-Connector
+ * `SAP-Connectivity-SCC-Location_ID` header. Mirrors arc-1's `doProxyRequest`.
+ *
+ * Backend auth (e.g. basic `DEVELOPER`) is adt-ls's concern and flows through
+ * untouched — the bridge only owns the connectivity-proxy hop.
+ */
+import { createServer, request as httpRequest, } from 'node:http';
+import { logger } from '../server/logger.js';
+const HOP_BY_HOP = new Set([
+    'proxy-authorization',
+    'proxy-connection',
+    'connection',
+    'host',
+    'keep-alive',
+    'te',
+    'trailer',
+    'transfer-encoding',
+    'upgrade',
+]);
+export async function startConnectivityBridge(proxy) {
+    const server = createServer((req, res) => {
+        void handle(req, res, proxy);
+    });
+    await new Promise((resolve) => server.listen(0, '127.0.0.1', () => resolve()));
+    const port = server.address().port;
+    logger.info(`connectivity bridge on 127.0.0.1:${port} → ${proxy.host}:${proxy.port}`);
+    return {
+        server,
+        port,
+        close: () => new Promise((resolve) => server.close(() => resolve())),
+    };
+}
+async function handle(req, res, proxy) {
+    const target = req.url ?? '';
+    if (!target.startsWith('http://') && !target.startsWith('https://')) {
+        res.writeHead(400, { 'content-type': 'text/plain' }).end('expected absolute-form proxy request');
+        return;
+    }
+    try {
+        const token = await proxy.getProxyToken();
+        const targetUrl = new URL(target);
+        const headers = {};
+        for (const [k, v] of Object.entries(req.headers)) {
+            if (v == null || HOP_BY_HOP.has(k.toLowerCase()))
+                continue;
+            headers[k] = Array.isArray(v) ? v.join(', ') : v;
+        }
+        headers.Host = targetUrl.port ? `${targetUrl.hostname}:${targetUrl.port}` : targetUrl.hostname;
+        headers['Proxy-Authorization'] = `Bearer ${token}`;
+        if (proxy.locationId)
+            headers['SAP-Connectivity-SCC-Location_ID'] = proxy.locationId;
+        // Standard HTTP proxy: send the FULL target URL as the request path.
+        const proxyReq = httpRequest({ host: proxy.host, port: proxy.port, method: req.method, path: target, headers }, (proxyRes) => {
+            res.writeHead(proxyRes.statusCode ?? 502, proxyRes.headers);
+            proxyRes.pipe(res);
+        });
+        proxyReq.on('error', (e) => {
+            logger.error(`bridge upstream error: ${e.message}`);
+            if (!res.headersSent)
+                res.writeHead(502, { 'content-type': 'text/plain' }).end('bridge upstream error');
+        });
+        req.pipe(proxyReq);
+    }
+    catch (e) {
+        logger.error(`bridge error: ${e instanceof Error ? e.message : String(e)}`);
+        if (!res.headersSent)
+            res.writeHead(502, { 'content-type': 'text/plain' }).end('bridge error');
+    }
+}
+//# sourceMappingURL=bridge.js.map

package/dist/btp/bridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge.js","sourceRoot":"","sources":["../../src/btp/bridge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAIL,YAAY,EACZ,OAAO,IAAI,WAAW,GACvB,MAAM,WAAW,CAAC;AAEnB,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAS7C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,qBAAqB;IACrB,kBAAkB;IAClB,YAAY;IACZ,MAAM;IACN,YAAY;IACZ,IAAI;IACJ,SAAS;IACT,mBAAmB;IACnB,SAAS;CACV,CAAC,CAAC;AAEH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,KAAqB;IACjE,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;QACxE,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IACH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IACrF,MAAM,IAAI,GAAI,MAAM,CAAC,OAAO,EAAkB,CAAC,IAAI,CAAC;IACpD,MAAM,CAAC,IAAI,CAAC,oCAAoC,IAAI,MAAM,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACtF,OAAO;QACL,MAAM;QACN,IAAI;QACJ,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;KAC3E,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,GAAoB,EAAE,GAAmB,EAAE,KAAqB;IACpF,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACpE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QACjG,OAAO;IACT,CAAC;IACD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YACjD,IAAI,CAAC,IAAI,IAAI,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;gBAAE,SAAS;YAC3D,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,CAAC;QACD,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC;QAC/F,OAAO,CAAC,qBAAqB,CAAC,GAAG,UAAU,KAAK,EAAE,CAAC;QACnD,IAAI,KAAK,CAAC,UAAU;YAAE,OAAO,CAAC,kCAAkC,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC;QAErF,qEAAqE;QACrE,MAAM,QAAQ,GAAG,WAAW,CAC1B,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EACjF,CAAC,QAAQ,EAAE,EAAE;YACX,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,IAAI,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC5D,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC,CACF,CAAC;QACF,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;YACzB,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACpD,IAAI,CAAC,GAAG,CAAC,WAAW;gBAAE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAC1G,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,GAAG,CAAC,WAAW;YAAE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACjG,CAAC;AACH,CAAC"}

package/dist/btp/connectivity.js

@@ -0,0 +1,27 @@
+/**
+ * Connectivity proxy config (Cloud Connector hop). Ported from arc-1's
+ * `src/adt/btp.ts` `createConnectivityProxy` — caches the connectivity JWT and
+ * refreshes 60s before expiry.
+ */
+import { fetchClientCredentialsToken } from './token.js';
+export function createConnectivityProxy(btpConfig, locationId) {
+    if (!btpConfig.connectivityProxyHost)
+        return null;
+    let cachedToken = '';
+    let expiresAt = 0;
+    return {
+        host: btpConfig.connectivityProxyHost,
+        port: Number.parseInt(btpConfig.connectivityProxyPort || '20003', 10),
+        protocol: 'http',
+        locationId,
+        getProxyToken: async () => {
+            if (cachedToken && Date.now() < expiresAt)
+                return cachedToken;
+            const { accessToken, expiresIn } = await fetchClientCredentialsToken(btpConfig.connectivityTokenUrl, btpConfig.connectivityClientId, btpConfig.connectivitySecret);
+            cachedToken = accessToken;
+            expiresAt = Date.now() + (expiresIn - 60) * 1000;
+            return cachedToken;
+        },
+    };
+}
+//# sourceMappingURL=connectivity.js.map

package/dist/btp/connectivity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connectivity.js","sourceRoot":"","sources":["../../src/btp/connectivity.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,2BAA2B,EAAE,MAAM,YAAY,CAAC;AAGzD,MAAM,UAAU,uBAAuB,CAAC,SAAoB,EAAE,UAAmB;IAC/E,IAAI,CAAC,SAAS,CAAC,qBAAqB;QAAE,OAAO,IAAI,CAAC;IAElD,IAAI,WAAW,GAAG,EAAE,CAAC;IACrB,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,OAAO;QACL,IAAI,EAAE,SAAS,CAAC,qBAAqB;QACrC,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,qBAAqB,IAAI,OAAO,EAAE,EAAE,CAAC;QACrE,QAAQ,EAAE,MAAM;QAChB,UAAU;QACV,aAAa,EAAE,KAAK,IAAI,EAAE;YACxB,IAAI,WAAW,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAAE,OAAO,WAAW,CAAC;YAC9D,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,MAAM,2BAA2B,CAClE,SAAS,CAAC,oBAAoB,EAC9B,SAAS,CAAC,oBAAoB,EAC9B,SAAS,CAAC,kBAAkB,CAC7B,CAAC;YACF,WAAW,GAAG,WAAW,CAAC;YAC1B,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;YACjD,OAAO,WAAW,CAAC;QACrB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/btp/destination.js

@@ -0,0 +1,22 @@
+/**
+ * BTP Destination Service lookup (client-credentials, fixed-user path). Ported
+ * from arc-1's `src/adt/btp.ts` `lookupDestination`. Per-user PP (the SAP Cloud
+ * SDK + jwt-bearer exchange) is plan 05.
+ */
+import { logger } from '../server/logger.js';
+import { fetchClientCredentialsToken } from './token.js';
+export async function lookupDestination(btpConfig, destinationName) {
+    const tokenUrl = btpConfig.destinationTokenUrl || `${btpConfig.xsuaaUrl}/oauth/token`;
+    const { accessToken } = await fetchClientCredentialsToken(tokenUrl, btpConfig.destinationClientId, btpConfig.destinationSecret);
+    const destUrl = `${btpConfig.destinationUrl.replace(/\/$/, '')}/destination-configuration/v1/destinations/${encodeURIComponent(destinationName)}`;
+    const resp = await fetch(destUrl, { headers: { Authorization: `Bearer ${accessToken}` } });
+    if (!resp.ok) {
+        const text = await resp.text();
+        throw new Error(`Destination Service returned HTTP ${resp.status}: ${text.slice(0, 200)}`);
+    }
+    const data = (await resp.json());
+    const d = data.destinationConfiguration;
+    logger.info(`BTP destination resolved: name=${d.Name} url=${d.URL} auth=${d.Authentication} proxyType=${d.ProxyType} locationId=${d.CloudConnectorLocationId ?? ''}`);
+    return d;
+}
+//# sourceMappingURL=destination.js.map

package/dist/btp/destination.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"destination.js","sourceRoot":"","sources":["../../src/btp/destination.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,2BAA2B,EAAE,MAAM,YAAY,CAAC;AAGzD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAoB,EAAE,eAAuB;IACnF,MAAM,QAAQ,GAAG,SAAS,CAAC,mBAAmB,IAAI,GAAG,SAAS,CAAC,QAAQ,cAAc,CAAC;IACtF,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,2BAA2B,CACvD,QAAQ,EACR,SAAS,CAAC,mBAAmB,EAC7B,SAAS,CAAC,iBAAiB,CAC5B,CAAC;IAEF,MAAM,OAAO,GAAG,GAAG,SAAS,CAAC,cAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,8CAA8C,kBAAkB,CAAC,eAAe,CAAC,EAAE,CAAC;IAClJ,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;IAE3F,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA8C,CAAC;IAC9E,MAAM,CAAC,GAAG,IAAI,CAAC,wBAAwB,CAAC;IACxC,MAAM,CAAC,IAAI,CACT,kCAAkC,CAAC,CAAC,IAAI,QAAQ,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,cAAc,cAAc,CAAC,CAAC,SAAS,eAAe,CAAC,CAAC,wBAAwB,IAAI,EAAE,EAAE,CACzJ,CAAC;IACF,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/btp/token.js

@@ -0,0 +1,23 @@
+/**
+ * OAuth2 client_credentials token fetch — used for both Destination Service and
+ * Connectivity Service tokens. Ported from arc-1's `src/adt/btp.ts`.
+ */
+export async function fetchClientCredentialsToken(tokenUrl, clientId, clientSecret) {
+    const body = new URLSearchParams({
+        grant_type: 'client_credentials',
+        client_id: clientId,
+        client_secret: clientSecret,
+    });
+    const resp = await fetch(tokenUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: body.toString(),
+    });
+    if (!resp.ok) {
+        const text = await resp.text();
+        throw new Error(`Token endpoint returned HTTP ${resp.status}: ${text.slice(0, 200)}`);
+    }
+    const data = (await resp.json());
+    return { accessToken: data.access_token, expiresIn: data.expires_in };
+}
+//# sourceMappingURL=token.js.map

package/dist/btp/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/btp/token.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,QAAgB,EAChB,QAAgB,EAChB,YAAoB;IAEpB,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;QAC/B,UAAU,EAAE,oBAAoB;QAChC,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;KAC5B,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;QACjC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;QAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,gCAAgC,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAiD,CAAC;IACjF,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC;AACxE,CAAC"}

package/dist/btp/types.js

@@ -0,0 +1,7 @@
+/**
+ * BTP service-binding + destination types. Ported from arc-1's `src/adt/btp.ts`
+ * (kept dependency-light + engine-agnostic so it can later become a shared
+ * `@marianfoo/btp-connectivity` module consumed by both arc-1 and arc-1-lsp).
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/btp/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/btp/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG"}

package/dist/btp/vcap.js

@@ -0,0 +1,58 @@
+/**
+ * Parse VCAP_SERVICES → BTPConfig. Ported from arc-1's `src/adt/btp.ts`.
+ * Returns null when not running on BTP (VCAP_SERVICES unset).
+ */
+import { logger } from '../server/logger.js';
+export function parseVCAPServices(env = process.env) {
+    const vcapJson = env.VCAP_SERVICES;
+    if (!vcapJson)
+        return null;
+    const vcap = JSON.parse(vcapJson);
+    const config = {
+        xsuaaUrl: '',
+        xsuaaClientId: '',
+        xsuaaSecret: '',
+        destinationUrl: '',
+        destinationClientId: '',
+        destinationSecret: '',
+        destinationTokenUrl: '',
+        connectivityProxyHost: '',
+        connectivityProxyPort: '',
+        connectivityClientId: '',
+        connectivitySecret: '',
+        connectivityTokenUrl: '',
+    };
+    if (vcap.xsuaa?.[0]?.credentials) {
+        const c = vcap.xsuaa[0].credentials;
+        config.xsuaaUrl = c.url || '';
+        config.xsuaaClientId = c.clientid || '';
+        config.xsuaaSecret = c.clientsecret || '';
+    }
+    if (vcap.destination?.[0]?.credentials) {
+        const c = vcap.destination[0].credentials;
+        config.destinationUrl = c.uri || c.url || '';
+        config.destinationClientId = c.clientid || '';
+        config.destinationSecret = c.clientsecret || '';
+        config.destinationTokenUrl = c.token_service_url || '';
+        if (!config.destinationTokenUrl && c.url) {
+            config.destinationTokenUrl = `${c.url.replace(/\/$/, '')}/oauth/token`;
+        }
+    }
+    if (vcap.connectivity?.[0]?.credentials) {
+        const c = vcap.connectivity[0].credentials;
+        config.connectivityProxyHost = c.onpremise_proxy_host || '';
+        config.connectivityProxyPort = c.onpremise_proxy_http_port || '';
+        config.connectivityClientId = c.clientid || '';
+        config.connectivitySecret = c.clientsecret || '';
+        config.connectivityTokenUrl = c.token_service_url || '';
+        if (!config.connectivityTokenUrl && c.url) {
+            config.connectivityTokenUrl = `${c.url.replace(/\/$/, '')}/oauth/token`;
+        }
+        else if (config.connectivityTokenUrl && !config.connectivityTokenUrl.endsWith('/oauth/token')) {
+            config.connectivityTokenUrl = `${config.connectivityTokenUrl.replace(/\/$/, '')}/oauth/token`;
+        }
+    }
+    logger.info(`BTP VCAP_SERVICES parsed: xsuaa=${!!config.xsuaaUrl} destination=${!!config.destinationUrl} connectivity=${!!config.connectivityProxyHost}`);
+    return config;
+}
+//# sourceMappingURL=vcap.js.map

package/dist/btp/vcap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vcap.js","sourceRoot":"","sources":["../../src/btp/vcap.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAa7C,MAAM,UAAU,iBAAiB,CAAC,MAAyB,OAAO,CAAC,GAAG;IACpE,MAAM,QAAQ,GAAG,GAAG,CAAC,aAAa,CAAC;IACnC,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,IAAI,GAAiB,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,MAAM,GAAc;QACxB,QAAQ,EAAE,EAAE;QACZ,aAAa,EAAE,EAAE;QACjB,WAAW,EAAE,EAAE;QACf,cAAc,EAAE,EAAE;QAClB,mBAAmB,EAAE,EAAE;QACvB,iBAAiB,EAAE,EAAE;QACrB,mBAAmB,EAAE,EAAE;QACvB,qBAAqB,EAAE,EAAE;QACzB,qBAAqB,EAAE,EAAE;QACzB,oBAAoB,EAAE,EAAE;QACxB,kBAAkB,EAAE,EAAE;QACtB,oBAAoB,EAAE,EAAE;KACzB,CAAC;IAEF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QACpC,MAAM,CAAC,QAAQ,GAAI,CAAC,CAAC,GAAc,IAAI,EAAE,CAAC;QAC1C,MAAM,CAAC,aAAa,GAAI,CAAC,CAAC,QAAmB,IAAI,EAAE,CAAC;QACpD,MAAM,CAAC,WAAW,GAAI,CAAC,CAAC,YAAuB,IAAI,EAAE,CAAC;IACxD,CAAC;IAED,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAC1C,MAAM,CAAC,cAAc,GAAI,CAAC,CAAC,GAAc,IAAK,CAAC,CAAC,GAAc,IAAI,EAAE,CAAC;QACrE,MAAM,CAAC,mBAAmB,GAAI,CAAC,CAAC,QAAmB,IAAI,EAAE,CAAC;QAC1D,MAAM,CAAC,iBAAiB,GAAI,CAAC,CAAC,YAAuB,IAAI,EAAE,CAAC;QAC5D,MAAM,CAAC,mBAAmB,GAAI,CAAC,CAAC,iBAA4B,IAAI,EAAE,CAAC;QACnE,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;YACzC,MAAM,CAAC,mBAAmB,GAAG,GAAI,CAAC,CAAC,GAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QACrF,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;QACxC,MAAM,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAC3C,MAAM,CAAC,qBAAqB,GAAI,CAAC,CAAC,oBAA+B,IAAI,EAAE,CAAC;QACxE,MAAM,CAAC,qBAAqB,GAAI,CAAC,CAAC,yBAAoC,IAAI,EAAE,CAAC;QAC7E,MAAM,CAAC,oBAAoB,GAAI,CAAC,CAAC,QAAmB,IAAI,EAAE,CAAC;QAC3D,MAAM,CAAC,kBAAkB,GAAI,CAAC,CAAC,YAAuB,IAAI,EAAE,CAAC;QAC7D,MAAM,CAAC,oBAAoB,GAAI,CAAC,CAAC,iBAA4B,IAAI,EAAE,CAAC;QACpE,IAAI,CAAC,MAAM,CAAC,oBAAoB,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,CAAC,oBAAoB,GAAG,GAAI,CAAC,CAAC,GAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QACtF,CAAC;aAAM,IAAI,MAAM,CAAC,oBAAoB,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAChG,MAAM,CAAC,oBAAoB,GAAG,GAAG,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,cAAc,CAAC;QAChG,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAI,CACT,mCAAmC,CAAC,CAAC,MAAM,CAAC,QAAQ,gBAAgB,CAAC,CAAC,MAAM,CAAC,cAAc,iBAAiB,CAAC,CAAC,MAAM,CAAC,qBAAqB,EAAE,CAC7I,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/index.js

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+/**
+ * arc-1-lsp entry point. Boots the embedded adt-ls engine and serves an MCP
+ * server. Foundation supports stdio; the http-streamable transport (needed for
+ * the BTP CF deploy) lands in the deploy plan.
+ */
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { loadConfig } from './server/config.js';
+import { startEngine } from './server/engine.js';
+import { startHttpServer } from './server/http.js';
+import { logger } from './server/logger.js';
+import { createMcpServer } from './server/server.js';
+async function main() {
+    const config = loadConfig();
+    const engine = await startEngine(config);
+    if (config.transport === 'http-streamable') {
+        startHttpServer(() => createMcpServer(engine), config);
+    }
+    else {
+        await createMcpServer(engine).connect(new StdioServerTransport());
+        logger.info('arc-1-lsp MCP server ready (stdio)');
+    }
+    const shutdown = async () => {
+        logger.info('shutting down…');
+        await engine.dispose();
+        process.exit(0);
+    };
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
+}
+main().catch((e) => {
+    logger.error(`fatal: ${e instanceof Error ? e.message : String(e)}`);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;GAIG;AACH,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAErD,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;IAC5B,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,CAAC;IAEzC,IAAI,MAAM,CAAC,SAAS,KAAK,iBAAiB,EAAE,CAAC;QAC3C,eAAe,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;IACzD,CAAC;SAAM,CAAC;QACN,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,oBAAoB,EAAE,CAAC,CAAC;QAClE,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;QAC1B,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC9B,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC;IACF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACjB,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACrE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/server/auth.js

@@ -0,0 +1,26 @@
+export function parseApiKeys(raw) {
+    if (!raw)
+        return [];
+    return raw
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean)
+        .map((entry) => {
+        const idx = entry.indexOf(':');
+        return idx > 0 ? { key: entry.slice(0, idx), label: entry.slice(idx + 1) } : { key: entry };
+    });
+}
+function header(value) {
+    return Array.isArray(value) ? value[0] : value;
+}
+export function checkApiKey(headers, keys) {
+    if (keys.length === 0)
+        return true; // auth disabled
+    const auth = header(headers.authorization);
+    const bearer = auth?.startsWith('Bearer ') ? auth.slice(7) : undefined;
+    const presented = bearer ?? header(headers['x-api-key']);
+    if (!presented)
+        return false;
+    return keys.some((k) => k.key === presented);
+}
+//# sourceMappingURL=auth.js.map

package/dist/server/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAUA,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,OAAO,GAAG;SACP,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACb,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC/B,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC9F,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,MAAM,CAAC,KAAoC;IAClD,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,OAA+E,EAC/E,IAAc;IAEd,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,gBAAgB;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,IAAI,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACvE,MAAM,SAAS,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC;AAC/C,CAAC"}

package/dist/server/config.js

@@ -0,0 +1,53 @@
+function bool(v, dflt) {
+    if (v === undefined)
+        return dflt;
+    return v === 'true' || v === '1' || v === 'yes';
+}
+/** Build the SAP target from flags/env, or undefined if host/port/creds missing. */
+function loadSapTarget(argv, env) {
+    const host = flag(argv, 'sap-host') ?? env.ARC1_SAP_HOST;
+    const port = flag(argv, 'sap-port') ?? env.ARC1_SAP_PORT;
+    const user = flag(argv, 'sap-user') ?? env.ARC1_SAP_USER;
+    const password = flag(argv, 'sap-password') ?? env.ARC1_SAP_PASSWORD;
+    if (!host || !port || !user || !password)
+        return undefined;
+    return {
+        destinationId: flag(argv, 'sap-destination') ?? env.ARC1_SAP_DESTINATION ?? 'SAP',
+        host,
+        port: Number(port),
+        user,
+        password,
+        client: flag(argv, 'sap-client') ?? env.ARC1_SAP_CLIENT ?? '001',
+        language: flag(argv, 'sap-language') ?? env.ARC1_SAP_LANGUAGE ?? 'EN',
+        insecure: bool(flag(argv, 'sap-insecure') ?? env.ARC1_SAP_INSECURE, true),
+    };
+}
+function flag(argv, name) {
+    const i = argv.indexOf(`--${name}`);
+    return i >= 0 && i + 1 < argv.length ? argv[i + 1] : undefined;
+}
+export function loadConfig(argv = process.argv.slice(2), env = process.env) {
+    const transport = (flag(argv, 'transport') ?? env.ARC1_TRANSPORT ?? 'stdio');
+    if (transport !== 'stdio' && transport !== 'http-streamable') {
+        throw new Error(`Invalid transport "${transport}" (expected stdio | http-streamable)`);
+    }
+    const port = flag(argv, 'adt-ls-mcp-port') ?? env.ARC1_ADT_LS_MCP_PORT;
+    // CF assigns $PORT at runtime — honor it (after explicit flag/ARC1_PORT).
+    const httpPort = flag(argv, 'port') ?? env.ARC1_PORT ?? env.PORT;
+    return {
+        adtLsPath: flag(argv, 'adt-ls-path') ?? env.ARC1_ADT_LS_PATH,
+        adtLsMcpPort: port ? Number(port) : 2240,
+        adtLsMcpToken: flag(argv, 'adt-ls-mcp-token') ?? env.ARC1_ADT_LS_MCP_TOKEN,
+        transport,
+        httpPort: httpPort ? Number(httpPort) : 8080,
+        apiKeys: flag(argv, 'api-keys') ?? env.ARC1_API_KEYS,
+        sapTarget: loadSapTarget(argv, env),
+        sapDestination: flag(argv, 'sap-destination') ?? env.ARC1_SAP_DESTINATION,
+        allowWrites: bool(flag(argv, 'allow-writes') ?? env.ARC1_ALLOW_WRITES, false),
+        allowedPackages: (flag(argv, 'allowed-packages') ?? env.ARC1_ALLOWED_PACKAGES ?? '$TMP')
+            .split(',')
+            .map((p) => p.trim())
+            .filter(Boolean),
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/server/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/server/config.ts"],"names":[],"mappings":"AAsDA,SAAS,IAAI,CAAC,CAAqB,EAAE,IAAa;IAChD,IAAI,CAAC,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,CAAC,KAAK,MAAM,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,CAAC;AAClD,CAAC;AAED,oFAAoF;AACpF,SAAS,aAAa,CAAC,IAAc,EAAE,GAAsB;IAC3D,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,aAAa,CAAC;IACzD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,aAAa,CAAC;IACzD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,aAAa,CAAC;IACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,IAAI,GAAG,CAAC,iBAAiB,CAAC;IACrE,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC3D,OAAO;QACL,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,iBAAiB,CAAC,IAAI,GAAG,CAAC,oBAAoB,IAAI,KAAK;QACjF,IAAI;QACJ,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC;QAClB,IAAI;QACJ,QAAQ;QACR,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,GAAG,CAAC,eAAe,IAAI,KAAK;QAChE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,IAAI,GAAG,CAAC,iBAAiB,IAAI,IAAI;QACrE,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,IAAI,GAAG,CAAC,iBAAiB,EAAE,IAAI,CAAC;KAC1E,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CAAC,IAAc,EAAE,IAAY;IACxC,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IACpC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,OAAiB,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EACtC,MAAyB,OAAO,CAAC,GAAG;IAEpC,MAAM,SAAS,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,GAAG,CAAC,cAAc,IAAI,OAAO,CAAc,CAAC;IAC1F,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,sBAAsB,SAAS,sCAAsC,CAAC,CAAC;IACzF,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,iBAAiB,CAAC,IAAI,GAAG,CAAC,oBAAoB,CAAC;IACvE,0EAA0E;IAC1E,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,IAAI,CAAC;IACjE,OAAO;QACL,SAAS,EAAE,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,IAAI,GAAG,CAAC,gBAAgB;QAC5D,YAAY,EAAE,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI;QACxC,aAAa,EAAE,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,IAAI,GAAG,CAAC,qBAAqB;QAC1E,SAAS;QACT,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI;QAC5C,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,GAAG,CAAC,aAAa;QACpD,SAAS,EAAE,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC;QACnC,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE,iBAAiB,CAAC,IAAI,GAAG,CAAC,oBAAoB;QACzE,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,IAAI,GAAG,CAAC,iBAAiB,EAAE,KAAK,CAAC;QAC7E,eAAe,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,kBAAkB,CAAC,IAAI,GAAG,CAAC,qBAAqB,IAAI,MAAM,CAAC;aACrF,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC;KACnB,CAAC;AACJ,CAAC"}

package/dist/server/engine.js

@@ -0,0 +1,239 @@
+/**
+ * The arc-1-lsp engine: discovers a developer-provided adt-ls, spawns it
+ * headless, starts adt-ls's own MCP server over LSP, and connects a federation
+ * client to it. All ABAP/ADT work happens inside adt-ls — arc-1-lsp orchestrates.
+ *
+ * When a SAP target is configured, the engine also performs the headless
+ * connection (ADR-0005/0006): build TLS material from adt-ls's own JRE, start a
+ * TLS-terminating reverse proxy, spawn adt-ls trusting it, then create the
+ * destination + reentrance-logon + bind it to adt-ls's MCP server. Two paths:
+ *   - DIRECT (local, ARC1_SAP_*): reverse proxy connects straight to the backend.
+ *   - CONNECTIVITY (CF, ARC1_SAP_DESTINATION + bound connectivity): resolve the
+ *     BTP destination, start the connectivity bridge, and forward the reverse
+ *     proxy's upstream through it → Cloud Connector → backend.
+ */
+import crypto from 'node:crypto';
+import { promises as fsp } from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { prepareAdtLsTls } from '../adt-ls/cert.js';
+import { REQUEST_BROWSER_LOGON, createDestination, ensureLoggedOn, initializeDestinationsService, makeReentranceLogonHandler, } from '../adt-ls/destinations.js';
+import { resolveAdtLsPath } from '../adt-ls/discovery.js';
+import { AdtLsDriver } from '../adt-ls/driver.js';
+import { createLifecycle } from '../adt-ls/lifecycle.js';
+import { AdtLsMcpClient } from '../adt-ls/mcp-federation.js';
+import { setMcpDestination, startMcpServer, stopMcpServer } from '../adt-ls/mcp-lifecycle.js';
+import { getInactiveObjects, getUsers, quickSearch } from '../adt-ls/repository.js';
+import { isLoggedOffFederatedResult, makeRelogon, makeWithRelogon } from '../adt-ls/session-retry.js';
+import { startTlsReverseProxy } from '../adt-ls/tls-reverse-proxy.js';
+import { startConnectivityBridge } from '../btp/bridge.js';
+import { createConnectivityProxy } from '../btp/connectivity.js';
+import { lookupDestination } from '../btp/destination.js';
+import { parseVCAPServices } from '../btp/vcap.js';
+import { logger } from './logger.js';
+/**
+ * Decide how to connect (pure). On BTP (connectivity bound) a destination name
+ * wins → Cloud-Connector path. Otherwise a full local target → direct. Else none.
+ */
+export function planConnection(config, btp) {
+    const onBtp = !!btp?.connectivityProxyHost;
+    if (onBtp && config.sapDestination)
+        return { mode: 'connectivity', destinationName: config.sapDestination };
+    if (config.sapTarget)
+        return { mode: 'direct', target: config.sapTarget };
+    return { mode: 'none' };
+}
+export async function startEngine(config) {
+    const bin = resolveAdtLsPath({ explicitPath: config.adtLsPath });
+    logger.info(`engine: using adt-ls at ${bin}`);
+    const btp = parseVCAPServices();
+    const plan = planConnection(config, btp);
+    // TLS material must exist before adt-ls spawns (JAVA_TOOL_OPTIONS truststore).
+    let tlsWorkDir;
+    let proxyKeyPem;
+    let proxyCertPem;
+    const driverOpts = {};
+    if (plan.mode !== 'none') {
+        tlsWorkDir = path.join(os.tmpdir(), `arc1lsp-tls-${crypto.randomBytes(6).toString('hex')}`);
+        const tls = await prepareAdtLsTls({ adtLsBin: bin, workDir: tlsWorkDir });
+        proxyKeyPem = tls.proxyKeyPem;
+        proxyCertPem = tls.proxyCertPem;
+        driverOpts.extraEnv = { JAVA_TOOL_OPTIONS: tls.javaToolOptions };
+    }
+    const driver = new AdtLsDriver(bin, driverOpts);
+    const init = await driver.start();
+    const token = config.adtLsMcpToken || crypto.randomBytes(24).toString('hex');
+    const started = await startMcpServer(driver, { port: config.adtLsMcpPort, token });
+    logger.info(`engine: adt-ls MCP server on http://localhost:${started.port}/mcp`);
+    const federation = new AdtLsMcpClient(`http://localhost:${started.port}/mcp`, started.token);
+    await federation.connect();
+    let proxy;
+    let bridge;
+    let connectedDestination;
+    if (plan.mode !== 'none') {
+        // Non-fatal: a logon/connectivity failure must NOT crash the MCP server —
+        // health/tools still come up (reporting disconnected) so it's diagnosable.
+        try {
+            const conn = await connect(plan, btp, driver, {
+                keyPem: proxyKeyPem,
+                certPem: proxyCertPem,
+                tlsWorkDir: tlsWorkDir,
+            });
+            proxy = conn.proxy;
+            bridge = conn.bridge;
+            connectedDestination = conn.destinationId;
+        }
+        catch (e) {
+            logger.error(`engine: SAP connection failed (server starts disconnected): ${e instanceof Error ? e.message : String(e)}`);
+        }
+    }
+    // Self-healing SAP session: the backend security session behind adt-ls expires
+    // on inactivity; afterwards every call fails with "logged off" until a reconnect
+    // (previously: restart the instance). On detecting that, re-fire the proven
+    // startup logon (ensureLoggedOn re-triggers our still-registered reentrance
+    // handler) and retry the call once. Wrap BOTH channels — federated MCP tool
+    // calls and raw LSP requests — since either can hit the dead session.
+    const relogon = makeRelogon(async () => {
+        if (!connectedDestination)
+            return false;
+        logger.warn(`engine: SAP session lost — re-logging on to ${connectedDestination}`);
+        try {
+            const logon = await ensureLoggedOn(driver, connectedDestination);
+            if (logon.logonState !== 'connected') {
+                logger.error(`engine: re-logon to ${connectedDestination} returned ${logon.logonState}`);
+                return false;
+            }
+            // Re-point adt-ls's MCP server at the refreshed session (idempotent, best-effort).
+            await setMcpDestination(driver, connectedDestination).catch((e) => logger.warn(`engine: re-bind after re-logon failed: ${e instanceof Error ? e.message : String(e)}`));
+            logger.info(`engine: re-logon to ${connectedDestination} succeeded`);
+            return true;
+        }
+        catch (e) {
+            logger.error(`engine: re-logon failed: ${e instanceof Error ? e.message : String(e)}`);
+            return false;
+        }
+    });
+    const withRelogon = makeWithRelogon(relogon);
+    const sessionCallTool = (name, args = {}) => withRelogon(() => federation.callTool(name, args), isLoggedOffFederatedResult);
+    const sessionRequester = {
+        sendRequest: (method, params) => withRelogon(() => driver.sendRequest(method, params)),
+    };
+    const lifecycle = createLifecycle({
+        driver: sessionRequester,
+        callTool: sessionCallTool,
+        destination: () => connectedDestination,
+        safety: { allowWrites: config.allowWrites, allowedPackages: config.allowedPackages },
+    });
+    const engine = {
+        connectedDestination,
+        lifecycle,
+        health: () => ({
+            adtLs: { name: init.serverInfo?.name, version: init.serverInfo?.version, up: true },
+            mcpPort: started.port,
+            connectedDestination,
+        }),
+        listTools: () => federation.listTools(),
+        callTool: (name, args = {}) => sessionCallTool(name, args),
+        setDestination: async (destinationId) => {
+            await setMcpDestination(driver, destinationId);
+        },
+        search: async (pattern, opts = {}) => {
+            if (!connectedDestination)
+                throw new Error('No ABAP destination is connected.');
+            const r = await quickSearch(sessionRequester, {
+                destination: connectedDestination,
+                pattern,
+                maxResults: opts.maxResults,
+                types: opts.types,
+            });
+            return r.references ?? [];
+        },
+        listInactiveObjects: async () => {
+            if (!connectedDestination)
+                throw new Error('No ABAP destination is connected.');
+            return getInactiveObjects(sessionRequester, connectedDestination);
+        },
+        listUsers: async () => {
+            if (!connectedDestination)
+                throw new Error('No ABAP destination is connected.');
+            return getUsers(sessionRequester, connectedDestination);
+        },
+        reconnect: () => relogon(),
+        dispose: async () => {
+            await stopMcpServer(driver).catch(() => { });
+            await driver.dispose();
+            await proxy?.close().catch(() => { });
+            await bridge?.close().catch(() => { });
+            if (tlsWorkDir)
+                await fsp.rm(tlsWorkDir, { recursive: true, force: true }).catch(() => { });
+        },
+    };
+    return engine;
+}
+/** Resolve the backend, start the proxy (+bridge on CF), register the logon handler, connect. */
+async function connect(plan, btp, driver, tls) {
+    let backend;
+    let creds;
+    let proxy;
+    let bridge;
+    if (plan.mode === 'connectivity') {
+        const dest = await lookupDestination(btp, plan.destinationName);
+        const url = new URL(dest.URL);
+        const scheme = url.protocol === 'https:' ? 'https' : 'http';
+        const port = Number(url.port || (scheme === 'https' ? 443 : 80));
+        creds = { kind: 'basic', user: dest.User ?? '', password: dest.Password ?? '' };
+        backend = {
+            destinationId: plan.destinationName,
+            user: dest.User,
+            client: dest['sap-client'] ?? '001',
+            language: 'EN',
+        };
+        const proxyCfg = createConnectivityProxy(btp, dest.CloudConnectorLocationId);
+        if (!proxyCfg)
+            throw new Error('connectivity service binding missing onpremise_proxy_host');
+        bridge = await startConnectivityBridge(proxyCfg);
+        proxy = await startTlsReverseProxy({
+            key: tls.keyPem,
+            cert: tls.certPem,
+            target: { host: url.hostname, port, protocol: scheme },
+            forwardProxy: { host: '127.0.0.1', port: bridge.port },
+        });
+    }
+    else {
+        const t = plan.target;
+        creds = { kind: 'basic', user: t.user, password: t.password };
+        backend = { destinationId: t.destinationId, user: t.user, client: t.client, language: t.language };
+        proxy = await startTlsReverseProxy({
+            key: tls.keyPem,
+            cert: tls.certPem,
+            target: { host: t.host, port: t.port },
+            insecureUpstream: t.insecure,
+        });
+    }
+    // Register the reentrance handler (our own GET to the localhost proxy skips TLS).
+    driver.setRequestHandler(REQUEST_BROWSER_LOGON, makeReentranceLogonHandler(creds, { insecure: true }));
+    const destinationId = await connectDestination(driver, backend, proxy, tls.tlsWorkDir);
+    return { proxy, bridge, destinationId };
+}
+/** Create + reentrance-logon + bind the destination. Returns its id, or throws. */
+export async function connectDestination(driver, backend, proxy, tlsWorkDir) {
+    // Isolated store — NEVER the global ~/.adtls/destinations.json (shared with IDEs).
+    const storePath = path.join(tlsWorkDir, 'destinations');
+    await fsp.mkdir(storePath, { recursive: true });
+    await initializeDestinationsService(driver, storePath);
+    await createDestination(driver, {
+        id: backend.destinationId,
+        systemUrl: proxy.url,
+        user: backend.user,
+        client: backend.client,
+        language: backend.language,
+    });
+    const logon = await ensureLoggedOn(driver, backend.destinationId);
+    if (logon.logonState !== 'connected') {
+        throw new Error(`adt-ls logon to ${backend.destinationId} failed: ${logon.logonState}${logon.message ? ` — ${logon.message}` : ''}`);
+    }
+    await setMcpDestination(driver, backend.destinationId);
+    logger.info(`engine: connected destination ${backend.destinationId}`);
+    return backend.destinationId;
+}
+//# sourceMappingURL=engine.js.map