arc-1 0.1.0

package/dist/server/config.js

@@ -0,0 +1,101 @@
+/**
+ * Configuration parser for ARC-1.
+ *
+ * Resolves configuration from CLI flags, environment variables, and defaults.
+ * Priority: CLI > env > .env > defaults
+ *
+ * Environment variable names match the Go version exactly (SAP_URL, SAP_USER, etc.)
+ * for drop-in compatibility with existing deployments and documentation.
+ */
+import { DEFAULT_CONFIG } from './types.js';
+/**
+ * Parse CLI arguments and environment variables into a ServerConfig.
+ *
+ * We use a simple hand-rolled parser here (not commander) because
+ * the MCP server entry point needs to be fast and lightweight.
+ * Commander is used for the full CLI (cli.ts), not the server startup.
+ */
+export function parseArgs(args) {
+    const config = { ...DEFAULT_CONFIG };
+    // Helper: get a CLI flag value (--flag value or --flag=value)
+    const getFlag = (name) => {
+        const prefix = `--${name}=`;
+        for (let i = 0; i < args.length; i++) {
+            if (args[i] === `--${name}` && i + 1 < args.length) {
+                return args[i + 1];
+            }
+            if (args[i]?.startsWith(prefix)) {
+                return args[i].slice(prefix.length);
+            }
+        }
+        return undefined;
+    };
+    // Helper: resolve value from CLI > env > default
+    const resolve = (flag, envVar, defaultVal) => {
+        return getFlag(flag) ?? process.env[envVar] ?? defaultVal;
+    };
+    const resolveBool = (flag, envVar, defaultVal) => {
+        const val = getFlag(flag) ?? process.env[envVar];
+        if (val === undefined)
+            return defaultVal;
+        return val === 'true' || val === '1';
+    };
+    const resolveFeature = (flag, envVar) => {
+        const val = getFlag(flag) ?? process.env[envVar] ?? 'auto';
+        if (val === 'on' || val === 'off')
+            return val;
+        return 'auto';
+    };
+    // --- SAP Connection ---
+    config.url = resolve('url', 'SAP_URL', '');
+    config.username = resolve('user', 'SAP_USER', '');
+    config.password = resolve('password', 'SAP_PASSWORD', '');
+    config.client = resolve('client', 'SAP_CLIENT', '001');
+    config.language = resolve('language', 'SAP_LANGUAGE', 'EN');
+    config.insecure = resolveBool('insecure', 'SAP_INSECURE', false);
+    // --- Cookie Auth ---
+    config.cookieFile = getFlag('cookie-file') ?? process.env.SAP_COOKIE_FILE;
+    config.cookieString = getFlag('cookie-string') ?? process.env.SAP_COOKIE_STRING;
+    // --- Transport ---
+    const transport = resolve('transport', 'SAP_TRANSPORT', 'stdio');
+    config.transport = (transport === 'http-streamable' ? 'http-streamable' : 'stdio');
+    config.httpAddr = resolve('http-addr', 'SAP_HTTP_ADDR', '0.0.0.0:8080');
+    // --- Safety ---
+    config.readOnly = resolveBool('read-only', 'SAP_READ_ONLY', false);
+    config.blockFreeSQL = resolveBool('block-free-sql', 'SAP_BLOCK_FREE_SQL', false);
+    config.allowedOps = resolve('allowed-ops', 'SAP_ALLOWED_OPS', '');
+    config.disallowedOps = resolve('disallowed-ops', 'SAP_DISALLOWED_OPS', '');
+    const pkgs = resolve('allowed-packages', 'SAP_ALLOWED_PACKAGES', '');
+    config.allowedPackages = pkgs ? pkgs.split(',').map((p) => p.trim()) : [];
+    config.allowTransportableEdits = resolveBool('allow-transportable-edits', 'SAP_ALLOW_TRANSPORTABLE_EDITS', false);
+    config.enableTransports = resolveBool('enable-transports', 'SAP_ENABLE_TRANSPORTS', false);
+    // --- Features ---
+    config.featureAbapGit = resolveFeature('feature-abapgit', 'SAP_FEATURE_ABAPGIT');
+    config.featureRap = resolveFeature('feature-rap', 'SAP_FEATURE_RAP');
+    config.featureAmdp = resolveFeature('feature-amdp', 'SAP_FEATURE_AMDP');
+    config.featureUi5 = resolveFeature('feature-ui5', 'SAP_FEATURE_UI5');
+    config.featureTransport = resolveFeature('feature-transport', 'SAP_FEATURE_TRANSPORT');
+    config.featureHana = resolveFeature('feature-hana', 'SAP_FEATURE_HANA');
+    // --- Authentication (MCP client → ARC-1) ---
+    config.apiKey = getFlag('api-key') ?? process.env.ARC1_API_KEY;
+    config.oidcIssuer = getFlag('oidc-issuer') ?? process.env.SAP_OIDC_ISSUER;
+    config.oidcAudience = getFlag('oidc-audience') ?? process.env.SAP_OIDC_AUDIENCE;
+    config.xsuaaAuth = resolveBool('xsuaa-auth', 'SAP_XSUAA_AUTH', false);
+    // --- Principal Propagation ---
+    config.ppEnabled = resolveBool('pp-enabled', 'SAP_PP_ENABLED', false);
+    config.ppStrict = resolveBool('pp-strict', 'SAP_PP_STRICT', false);
+    // --- Logging ---
+    config.logFile = getFlag('log-file') ?? process.env.ARC1_LOG_FILE;
+    const logLevel = resolve('log-level', 'ARC1_LOG_LEVEL', 'info');
+    config.logLevel = (['debug', 'info', 'warn', 'error'].includes(logLevel) ? logLevel : 'info');
+    const logFormat = resolve('log-format', 'ARC1_LOG_FORMAT', 'text');
+    config.logFormat = (logFormat === 'json' ? 'json' : 'text');
+    // --- Misc ---
+    config.verbose = resolveBool('verbose', 'SAP_VERBOSE', false);
+    // --verbose is sugar for --log-level debug
+    if (config.verbose) {
+        config.logLevel = 'debug';
+    }
+    return config;
+}
+//# sourceMappingURL=config.js.map

package/dist/server/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../ts-src/server/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,IAAc;IACtC,MAAM,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,CAAC;IAErC,8DAA8D;IAC9D,MAAM,OAAO,GAAG,CAAC,IAAY,EAAsB,EAAE;QACnD,MAAM,MAAM,GAAG,KAAK,IAAI,GAAG,CAAC;QAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;gBACnD,OAAO,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACrB,CAAC;YACD,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;IAEF,iDAAiD;IACjD,MAAM,OAAO,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,UAAkB,EAAU,EAAE;QAC3E,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC;IAC5D,CAAC,CAAC;IAEF,MAAM,WAAW,GAAG,CAAC,IAAY,EAAE,MAAc,EAAE,UAAmB,EAAW,EAAE;QACjF,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACjD,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,UAAU,CAAC;QACzC,OAAO,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,GAAG,CAAC;IACvC,CAAC,CAAC;IAEF,MAAM,cAAc,GAAG,CAAC,IAAY,EAAE,MAAc,EAAiB,EAAE;QACrE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC;QAC3D,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,KAAK;YAAE,OAAO,GAAG,CAAC;QAC9C,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IAEF,yBAAyB;IACzB,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC3C,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,UAAU,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IAC5D,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,UAAU,EAAE,cAAc,EAAE,KAAK,CAAC,CAAC;IAEjE,sBAAsB;IACtB,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1E,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAEhF,oBAAoB;IACpB,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IACjE,MAAM,CAAC,SAAS,GAAG,CAAC,SAAS,KAAK,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,OAAO,CAAkB,CAAC;IACpG,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,EAAE,cAAc,CAAC,CAAC;IAExE,iBAAiB;IACjB,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,CAAC,CAAC;IACnE,MAAM,CAAC,YAAY,GAAG,WAAW,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,KAAK,CAAC,CAAC;IACjF,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;IAClE,MAAM,CAAC,aAAa,GAAG,OAAO,CAAC,gBAAgB,EAAE,oBAAoB,EAAE,EAAE,CAAC,CAAC;IAC3E,MAAM,IAAI,GAAG,OAAO,CAAC,kBAAkB,EAAE,sBAAsB,EAAE,EAAE,CAAC,CAAC;IACrE,MAAM,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,MAAM,CAAC,uBAAuB,GAAG,WAAW,CAAC,2BAA2B,EAAE,+BAA+B,EAAE,KAAK,CAAC,CAAC;IAClH,MAAM,CAAC,gBAAgB,GAAG,WAAW,CAAC,mBAAmB,EAAE,uBAAuB,EAAE,KAAK,CAAC,CAAC;IAE3F,mBAAmB;IACnB,MAAM,CAAC,cAAc,GAAG,cAAc,CAAC,iBAAiB,EAAE,qBAAqB,CAAC,CAAC;IACjF,MAAM,CAAC,UAAU,GAAG,cAAc,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,WAAW,GAAG,cAAc,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IACxE,MAAM,CAAC,UAAU,GAAG,cAAc,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;IACrE,MAAM,CAAC,gBAAgB,GAAG,cAAc,CAAC,mBAAmB,EAAE,uBAAuB,CAAC,CAAC;IACvF,MAAM,CAAC,WAAW,GAAG,cAAc,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAExE,8CAA8C;IAC9C,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAC/D,MAAM,CAAC,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAC1E,MAAM,CAAC,YAAY,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAChF,MAAM,CAAC,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IAEtE,gCAAgC;IAChC,MAAM,CAAC,SAAS,GAAG,WAAW,CAAC,YAAY,EAAE,gBAAgB,EAAE,KAAK,CAAC,CAAC;IACtE,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,WAAW,EAAE,eAAe,EAAE,KAAK,CAAC,CAAC;IAEnE,kBAAkB;IAClB,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAChE,MAAM,CAAC,QAAQ,GAAG,CAChB,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAC9C,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACnE,MAAM,CAAC,SAAS,GAAG,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAA8B,CAAC;IAEzF,eAAe;IACf,MAAM,CAAC,OAAO,GAAG,WAAW,CAAC,SAAS,EAAE,aAAa,EAAE,KAAK,CAAC,CAAC;IAC9D,2CAA2C;IAC3C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,MAAM,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC5B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/server/context.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Request context for ARC-1.
+ *
+ * Uses AsyncLocalStorage to thread a requestId through the entire
+ * call stack (intent handler → ADT client → HTTP client) without
+ * changing function signatures. The logger reads from the store
+ * automatically to attach requestId to every log entry.
+ */
+import { AsyncLocalStorage } from 'node:async_hooks';
+export interface RequestContext {
+    requestId: string;
+    user?: string;
+    tool?: string;
+}
+export declare const requestContext: AsyncLocalStorage<RequestContext>;
+/** Generate a monotonically increasing request ID */
+export declare function generateRequestId(): string;
+/** Get the current request context (if any) */
+export declare function getCurrentContext(): RequestContext | undefined;
+//# sourceMappingURL=context.d.ts.map

package/dist/server/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../../ts-src/server/context.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAErD,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,eAAO,MAAM,cAAc,mCAA0C,CAAC;AAItE,qDAAqD;AACrD,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,+CAA+C;AAC/C,wBAAgB,iBAAiB,IAAI,cAAc,GAAG,SAAS,CAE9D"}

package/dist/server/context.js

@@ -0,0 +1,20 @@
+/**
+ * Request context for ARC-1.
+ *
+ * Uses AsyncLocalStorage to thread a requestId through the entire
+ * call stack (intent handler → ADT client → HTTP client) without
+ * changing function signatures. The logger reads from the store
+ * automatically to attach requestId to every log entry.
+ */
+import { AsyncLocalStorage } from 'node:async_hooks';
+export const requestContext = new AsyncLocalStorage();
+let requestCounter = 0;
+/** Generate a monotonically increasing request ID */
+export function generateRequestId() {
+    return `REQ-${++requestCounter}`;
+}
+/** Get the current request context (if any) */
+export function getCurrentContext() {
+    return requestContext.getStore();
+}
+//# sourceMappingURL=context.js.map

package/dist/server/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../../ts-src/server/context.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAQrD,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,iBAAiB,EAAkB,CAAC;AAEtE,IAAI,cAAc,GAAG,CAAC,CAAC;AAEvB,qDAAqD;AACrD,MAAM,UAAU,iBAAiB;IAC/B,OAAO,OAAO,EAAE,cAAc,EAAE,CAAC;AACnC,CAAC;AAED,+CAA+C;AAC/C,MAAM,UAAU,iBAAiB;IAC/B,OAAO,cAAc,CAAC,QAAQ,EAAE,CAAC;AACnC,CAAC"}

package/dist/server/elicit.d.ts

@@ -0,0 +1,43 @@
+/**
+ * MCP Elicitation helpers for ARC-1.
+ *
+ * Wraps the MCP SDK's server.elicitInput() with:
+ * - Client capability detection (graceful fallback when unsupported)
+ * - Typed convenience methods for common patterns
+ * - Audit logging of all elicitation events
+ *
+ * Based on MCP spec 2025-06-18 / 2025-11-25 elicitation protocol.
+ * Dassian ADT uses similar patterns for confirmations and parameter prompts.
+ */
+import type { Server } from '@modelcontextprotocol/sdk/server/index.js';
+/**
+ * Confirm a destructive or irreversible operation with the user.
+ *
+ * Returns true if:
+ * - User confirms (action: 'accept')
+ * - Elicitation is not supported (graceful fallback — proceed without asking)
+ *
+ * Returns false if:
+ * - User declines or cancels
+ */
+export declare function confirmDestructive(server: Server | undefined, toolName: string, message: string): Promise<boolean>;
+/**
+ * Ask user to select from a list of options.
+ *
+ * Returns the selected value, or undefined if:
+ * - User cancels/declines
+ * - Elicitation is not supported
+ */
+export declare function selectOption(server: Server | undefined, toolName: string, message: string, options: Array<{
+    value: string;
+    title: string;
+}>): Promise<string | undefined>;
+/**
+ * Prompt user for a string value.
+ *
+ * Returns the entered value, or undefined if:
+ * - User cancels/declines
+ * - Elicitation is not supported
+ */
+export declare function promptString(server: Server | undefined, toolName: string, message: string, fieldName: string, description?: string): Promise<string | undefined>;
+//# sourceMappingURL=elicit.d.ts.map

package/dist/server/elicit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"elicit.d.ts","sourceRoot":"","sources":["../../ts-src/server/elicit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AAiBxE;;;;;;;;;GASG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,CAAC,CA8ClB;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,KAAK,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,GAC/C,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA+C7B;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,WAAW,CAAC,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CA6C7B"}

package/dist/server/elicit.js

@@ -0,0 +1,183 @@
+/**
+ * MCP Elicitation helpers for ARC-1.
+ *
+ * Wraps the MCP SDK's server.elicitInput() with:
+ * - Client capability detection (graceful fallback when unsupported)
+ * - Typed convenience methods for common patterns
+ * - Audit logging of all elicitation events
+ *
+ * Based on MCP spec 2025-06-18 / 2025-11-25 elicitation protocol.
+ * Dassian ADT uses similar patterns for confirmations and parameter prompts.
+ */
+import { logger } from './logger.js';
+/**
+ * Check if the connected MCP client supports form elicitation.
+ * Returns false if server is undefined or client doesn't declare the capability.
+ */
+function supportsElicitation(server) {
+    if (!server)
+        return false;
+    try {
+        const caps = server.getClientCapabilities();
+        return !!caps?.elicitation?.form;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Confirm a destructive or irreversible operation with the user.
+ *
+ * Returns true if:
+ * - User confirms (action: 'accept')
+ * - Elicitation is not supported (graceful fallback — proceed without asking)
+ *
+ * Returns false if:
+ * - User declines or cancels
+ */
+export async function confirmDestructive(server, toolName, message) {
+    if (!supportsElicitation(server)) {
+        return true; // Fallback: proceed without asking
+    }
+    logger.emitAudit({
+        timestamp: new Date().toISOString(),
+        level: 'info',
+        event: 'elicitation_sent',
+        tool: toolName,
+        message,
+        fields: ['confirm'],
+    });
+    try {
+        const result = await server.elicitInput({
+            message,
+            requestedSchema: {
+                type: 'object',
+                properties: {
+                    confirm: {
+                        type: 'boolean',
+                        title: 'Confirm',
+                        description: message,
+                    },
+                },
+                required: ['confirm'],
+            },
+        });
+        const accepted = result.action === 'accept' && result.content?.confirm === true;
+        logger.emitAudit({
+            timestamp: new Date().toISOString(),
+            level: 'info',
+            event: 'elicitation_response',
+            tool: toolName,
+            action: result.action,
+        });
+        return accepted;
+    }
+    catch {
+        // Elicitation failed (client doesn't support it, connection issue, etc.)
+        // Graceful fallback: proceed
+        return true;
+    }
+}
+/**
+ * Ask user to select from a list of options.
+ *
+ * Returns the selected value, or undefined if:
+ * - User cancels/declines
+ * - Elicitation is not supported
+ */
+export async function selectOption(server, toolName, message, options) {
+    if (!supportsElicitation(server)) {
+        return undefined;
+    }
+    logger.emitAudit({
+        timestamp: new Date().toISOString(),
+        level: 'info',
+        event: 'elicitation_sent',
+        tool: toolName,
+        message,
+        fields: ['selection'],
+    });
+    try {
+        const result = await server.elicitInput({
+            message,
+            requestedSchema: {
+                type: 'object',
+                properties: {
+                    selection: {
+                        type: 'string',
+                        title: 'Selection',
+                        description: message,
+                        enum: options.map((o) => o.value),
+                        enumNames: options.map((o) => o.title),
+                    },
+                },
+                required: ['selection'],
+            },
+        });
+        logger.emitAudit({
+            timestamp: new Date().toISOString(),
+            level: 'info',
+            event: 'elicitation_response',
+            tool: toolName,
+            action: result.action,
+        });
+        if (result.action === 'accept' && typeof result.content?.selection === 'string') {
+            return result.content.selection;
+        }
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Prompt user for a string value.
+ *
+ * Returns the entered value, or undefined if:
+ * - User cancels/declines
+ * - Elicitation is not supported
+ */
+export async function promptString(server, toolName, message, fieldName, description) {
+    if (!supportsElicitation(server)) {
+        return undefined;
+    }
+    logger.emitAudit({
+        timestamp: new Date().toISOString(),
+        level: 'info',
+        event: 'elicitation_sent',
+        tool: toolName,
+        message,
+        fields: [fieldName],
+    });
+    try {
+        const result = await server.elicitInput({
+            message,
+            requestedSchema: {
+                type: 'object',
+                properties: {
+                    [fieldName]: {
+                        type: 'string',
+                        title: fieldName,
+                        description: description ?? message,
+                    },
+                },
+                required: [fieldName],
+            },
+        });
+        logger.emitAudit({
+            timestamp: new Date().toISOString(),
+            level: 'info',
+            event: 'elicitation_response',
+            tool: toolName,
+            action: result.action,
+        });
+        if (result.action === 'accept' && typeof result.content?.[fieldName] === 'string') {
+            return result.content[fieldName];
+        }
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+//# sourceMappingURL=elicit.js.map

package/dist/server/elicit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"elicit.js","sourceRoot":"","sources":["../../ts-src/server/elicit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC;;;GAGG;AACH,SAAS,mBAAmB,CAAC,MAAe;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,qBAAqB,EAAE,CAAC;QAC5C,OAAO,CAAC,CAAC,IAAI,EAAE,WAAW,EAAE,IAAI,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAA0B,EAC1B,QAAgB,EAChB,OAAe;IAEf,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,IAAI,CAAC,CAAC,mCAAmC;IAClD,CAAC;IAED,MAAM,CAAC,SAAS,CAAC;QACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,kBAAkB;QACzB,IAAI,EAAE,QAAQ;QACd,OAAO;QACP,MAAM,EAAE,CAAC,SAAS,CAAC;KACpB,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAO,CAAC,WAAW,CAAC;YACvC,OAAO;YACP,eAAe,EAAE;gBACf,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,OAAO,EAAE;wBACP,IAAI,EAAE,SAAS;wBACf,KAAK,EAAE,SAAS;wBAChB,WAAW,EAAE,OAAO;qBACrB;iBACF;gBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;aACtB;SACF,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,CAAC;QAEhF,MAAM,CAAC,SAAS,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,sBAAsB;YAC7B,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;QAEH,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,yEAAyE;QACzE,6BAA6B;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAgB,EAChB,OAAe,EACf,OAAgD;IAEhD,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,SAAS,CAAC;QACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,kBAAkB;QACzB,IAAI,EAAE,QAAQ;QACd,OAAO;QACP,MAAM,EAAE,CAAC,WAAW,CAAC;KACtB,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAO,CAAC,WAAW,CAAC;YACvC,OAAO;YACP,eAAe,EAAE;gBACf,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,SAAS,EAAE;wBACT,IAAI,EAAE,QAAiB;wBACvB,KAAK,EAAE,WAAW;wBAClB,WAAW,EAAE,OAAO;wBACpB,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;wBACjC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;qBACvC;iBACF;gBACD,QAAQ,EAAE,CAAC,WAAW,CAAC;aACxB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,SAAS,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,sBAAsB;YAC7B,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,OAAO,EAAE,SAAS,KAAK,QAAQ,EAAE,CAAC;YAChF,OAAO,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC;QAClC,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,QAAgB,EAChB,OAAe,EACf,SAAiB,EACjB,WAAoB;IAEpB,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,CAAC,SAAS,CAAC;QACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,kBAAkB;QACzB,IAAI,EAAE,QAAQ;QACd,OAAO;QACP,MAAM,EAAE,CAAC,SAAS,CAAC;KACpB,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAO,CAAC,WAAW,CAAC;YACvC,OAAO;YACP,eAAe,EAAE;gBACf,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,CAAC,SAAS,CAAC,EAAE;wBACX,IAAI,EAAE,QAAQ;wBACd,KAAK,EAAE,SAAS;wBAChB,WAAW,EAAE,WAAW,IAAI,OAAO;qBACpC;iBACF;gBACD,QAAQ,EAAE,CAAC,SAAS,CAAC;aACtB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,SAAS,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,sBAAsB;YAC7B,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,MAAM,CAAC,MAAM;SACtB,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,OAAO,MAAM,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,KAAK,QAAQ,EAAE,CAAC;YAClF,OAAO,MAAM,CAAC,OAAO,CAAC,SAAS,CAAW,CAAC;QAC7C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC"}

package/dist/server/http.d.ts

@@ -0,0 +1,34 @@
+/**
+ * HTTP Streamable transport for ARC-1.
+ *
+ * Provides an Express HTTP server that:
+ * - Serves MCP Streamable HTTP protocol on /mcp
+ * - Health check endpoint on /health
+ * - API key authentication via Bearer token
+ * - OIDC/JWT validation via JWKS discovery (Entra ID, etc.)
+ * - XSUAA OAuth proxy for MCP-native clients (Claude Desktop, Cursor)
+ *
+ * When XSUAA auth is enabled, the MCP SDK's mcpAuthRouter installs standard
+ * OAuth endpoints (authorize, token, register, revoke, discovery metadata).
+ *
+ * Design decisions:
+ *
+ * 1. Express is used because the MCP SDK's auth infrastructure (mcpAuthRouter,
+ *    requireBearerAuth) requires Express. Express 5.x is already a transitive
+ *    dependency of the MCP SDK.
+ *
+ * 2. Per-request server pattern: each MCP request gets a fresh Server + Transport.
+ *    This avoids "already connected" errors from concurrent clients.
+ *
+ * 3. Auth is checked BEFORE creating the MCP transport to avoid wasting resources.
+ *
+ * 4. Health endpoint is always unauthenticated — needed for CF health checks.
+ */
+import type { Server as McpServer } from '@modelcontextprotocol/sdk/server/index.js';
+import type { ServerConfig } from './types.js';
+import type { XsuaaCredentials } from './xsuaa.js';
+/**
+ * Start the HTTP Streamable server.
+ */
+export declare function startHttpServer(serverFactory: () => McpServer, config: ServerConfig, xsuaaCredentials?: XsuaaCredentials): Promise<void>;
+//# sourceMappingURL=http.d.ts.map

package/dist/server/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../ts-src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,2CAA2C,CAAC;AAMrF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AA4CnD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,SAAS,EAC9B,MAAM,EAAE,YAAY,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,IAAI,CAAC,CA8Jf"}