arc-1 0.1.0

package/dist/server/sinks/file.js

@@ -0,0 +1,59 @@
+/**
+ * File log sink for ARC-1.
+ *
+ * Appends JSON-line audit events to a file.
+ * Useful in Docker (mount volume) or for post-hoc log analysis.
+ *
+ * Writes are fire-and-forget — errors are logged to stderr but never thrown.
+ * All events are written regardless of level (file is the full audit trail).
+ */
+import { appendFile } from 'node:fs/promises';
+export class FileSink {
+    filePath;
+    buffer = [];
+    flushTimer;
+    constructor(filePath) {
+        this.filePath = filePath;
+        // Flush buffer every 500ms to balance write frequency vs latency
+        this.flushTimer = setInterval(() => {
+            this.flushSync();
+        }, 500);
+        // Don't prevent process exit
+        if (this.flushTimer.unref) {
+            this.flushTimer.unref();
+        }
+    }
+    write(event) {
+        this.buffer.push(JSON.stringify(event));
+    }
+    async flush() {
+        if (this.flushTimer) {
+            clearInterval(this.flushTimer);
+            this.flushTimer = undefined;
+        }
+        await this.writeBuffer();
+    }
+    flushSync() {
+        if (this.buffer.length === 0)
+            return;
+        const lines = this.buffer.splice(0);
+        const data = `${lines.join('\n')}\n`;
+        // Fire-and-forget — errors go to stderr
+        appendFile(this.filePath, data, 'utf-8').catch((err) => {
+            process.stderr.write(`[FileSink] Failed to write to ${this.filePath}: ${err}\n`);
+        });
+    }
+    async writeBuffer() {
+        if (this.buffer.length === 0)
+            return;
+        const lines = this.buffer.splice(0);
+        const data = `${lines.join('\n')}\n`;
+        try {
+            await appendFile(this.filePath, data, 'utf-8');
+        }
+        catch (err) {
+            process.stderr.write(`[FileSink] Failed to write to ${this.filePath}: ${err}\n`);
+        }
+    }
+}
+//# sourceMappingURL=file.js.map

package/dist/server/sinks/file.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file.js","sourceRoot":"","sources":["../../../ts-src/server/sinks/file.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAI9C,MAAM,OAAO,QAAQ;IAIC;IAHZ,MAAM,GAAa,EAAE,CAAC;IACtB,UAAU,CAA6C;IAE/D,YAAoB,QAAgB;QAAhB,aAAQ,GAAR,QAAQ,CAAQ;QAClC,iEAAiE;QACjE,IAAI,CAAC,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE;YACjC,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,CAAC,EAAE,GAAG,CAAC,CAAC;QACR,6BAA6B;QAC7B,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YAC1B,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAiB;QACrB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC/B,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC9B,CAAC;QACD,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;IAC3B,CAAC;IAEO,SAAS;QACf,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QACrC,wCAAwC;QACxC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACrD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,IAAI,CAAC,QAAQ,KAAK,GAAG,IAAI,CAAC,CAAC;QACnF,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,IAAI,CAAC,QAAQ,KAAK,GAAG,IAAI,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;CACF"}

package/dist/server/sinks/stderr.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Stderr log sink for ARC-1.
+ *
+ * Writes audit events to stderr in text or JSON format.
+ * This is the default sink — always active.
+ *
+ * Critical: never write to stdout (reserved for MCP JSON-RPC).
+ */
+import type { AuditEvent } from '../audit.js';
+import type { LogLevel } from '../logger.js';
+import type { LogSink } from './types.js';
+export type LogFormat = 'text' | 'json';
+export declare class StderrSink implements LogSink {
+    private format;
+    private minLevel;
+    constructor(format?: LogFormat, minLevel?: LogLevel);
+    write(event: AuditEvent): void;
+}
+//# sourceMappingURL=stderr.d.ts.map

package/dist/server/sinks/stderr.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stderr.d.ts","sourceRoot":"","sources":["../../../ts-src/server/sinks/stderr.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,MAAM,CAAC;AASxC,qBAAa,UAAW,YAAW,OAAO;IAItC,OAAO,CAAC,MAAM;IAHhB,OAAO,CAAC,QAAQ,CAAS;gBAGf,MAAM,GAAE,SAAkB,EAClC,QAAQ,GAAE,QAAiB;IAK7B,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;CAa/B"}

package/dist/server/sinks/stderr.js

@@ -0,0 +1,63 @@
+/**
+ * Stderr log sink for ARC-1.
+ *
+ * Writes audit events to stderr in text or JSON format.
+ * This is the default sink — always active.
+ *
+ * Critical: never write to stdout (reserved for MCP JSON-RPC).
+ */
+const LEVEL_PRIORITY = {
+    debug: 0,
+    info: 1,
+    warn: 2,
+    error: 3,
+};
+export class StderrSink {
+    format;
+    minLevel;
+    constructor(format = 'text', minLevel = 'info') {
+        this.format = format;
+        this.minLevel = LEVEL_PRIORITY[minLevel];
+    }
+    write(event) {
+        if (LEVEL_PRIORITY[event.level] < this.minLevel)
+            return;
+        const safeEvent = redactSensitive(event);
+        if (this.format === 'json') {
+            process.stderr.write(`${JSON.stringify(safeEvent)}\n`);
+        }
+        else {
+            const { timestamp, level, event: eventType, ...rest } = safeEvent;
+            const ctx = Object.keys(rest).length > 0 ? ` ${JSON.stringify(rest)}` : '';
+            process.stderr.write(`[${timestamp}] ${level.toUpperCase()}: [${eventType}]${ctx}\n`);
+        }
+    }
+}
+/** Redact known sensitive fields to prevent credential leakage in logs */
+function redactSensitive(event) {
+    const sensitiveKeys = ['password', 'token', 'cookie', 'authorization', 'secret', 'csrf'];
+    const result = {};
+    for (const [key, value] of Object.entries(event)) {
+        if (sensitiveKeys.some((s) => key.toLowerCase().includes(s))) {
+            result[key] = '[REDACTED]';
+        }
+        else if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+            // Shallow redaction for nested objects (e.g., args)
+            const nested = {};
+            for (const [nk, nv] of Object.entries(value)) {
+                if (sensitiveKeys.some((s) => nk.toLowerCase().includes(s))) {
+                    nested[nk] = '[REDACTED]';
+                }
+                else {
+                    nested[nk] = nv;
+                }
+            }
+            result[key] = nested;
+        }
+        else {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=stderr.js.map

package/dist/server/sinks/stderr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"stderr.js","sourceRoot":"","sources":["../../../ts-src/server/sinks/stderr.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,MAAM,cAAc,GAA6B;IAC/C,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,CAAC;IACP,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,MAAM,OAAO,UAAU;IAIX;IAHF,QAAQ,CAAS;IAEzB,YACU,SAAoB,MAAM,EAClC,WAAqB,MAAM;QADnB,WAAM,GAAN,MAAM,CAAoB;QAGlC,IAAI,CAAC,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,KAAiB;QACrB,IAAI,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ;YAAE,OAAO;QAExD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QAEzC,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,SAAS,CAAC;YAClE,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,SAAS,KAAK,KAAK,CAAC,WAAW,EAAE,MAAM,SAAS,IAAI,GAAG,IAAI,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;CACF;AAED,0EAA0E;AAC1E,SAAS,eAAe,CAAC,KAAiB;IACxC,MAAM,aAAa,GAAG,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IACzF,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;QAC7B,CAAC;aAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChF,oDAAoD;YACpD,MAAM,MAAM,GAA4B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC,EAAE,CAAC;gBACxE,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC5D,MAAM,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC;gBAC5B,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC;gBAClB,CAAC;YACH,CAAC;YACD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,MAA+B,CAAC;AACzC,CAAC"}

package/dist/server/sinks/types.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Log sink interface for ARC-1.
+ *
+ * Sinks receive structured audit events and persist them.
+ * write() is fire-and-forget — sinks must not throw.
+ */
+import type { AuditEvent } from '../audit.js';
+export interface LogSink {
+    /** Write an audit event. Must not throw. */
+    write(event: AuditEvent): void;
+    /** Flush pending writes (for graceful shutdown). */
+    flush?(): Promise<void>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/server/sinks/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../ts-src/server/sinks/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,WAAW,OAAO;IACtB,4CAA4C;IAC5C,KAAK,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI,CAAC;IAC/B,oDAAoD;IACpD,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACzB"}

package/dist/server/sinks/types.js

@@ -0,0 +1,8 @@
+/**
+ * Log sink interface for ARC-1.
+ *
+ * Sinks receive structured audit events and persist them.
+ * write() is fire-and-forget — sinks must not throw.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/server/sinks/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../ts-src/server/sinks/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG"}

package/dist/server/types.d.ts

@@ -0,0 +1,54 @@
+/**
+ * Server configuration types for ARC-1.
+ *
+ * Configuration priority (highest to lowest):
+ * 1. CLI flags (--url, --user, etc.)
+ * 2. Environment variables (SAP_URL, SAP_USER, etc.)
+ * 3. .env file
+ * 4. Defaults
+ *
+ * This matches the Go version's configuration precedence.
+ */
+/** MCP transport type */
+export type TransportType = 'stdio' | 'http-streamable';
+/** Feature toggle: auto detects from SAP system, on/off forces */
+export type FeatureToggle = 'auto' | 'on' | 'off';
+/** Server configuration — all fields needed to start ARC-1 */
+export interface ServerConfig {
+    url: string;
+    username: string;
+    password: string;
+    client: string;
+    language: string;
+    insecure: boolean;
+    cookieFile?: string;
+    cookieString?: string;
+    transport: TransportType;
+    httpAddr: string;
+    readOnly: boolean;
+    blockFreeSQL: boolean;
+    allowedOps: string;
+    disallowedOps: string;
+    allowedPackages: string[];
+    allowTransportableEdits: boolean;
+    enableTransports: boolean;
+    featureAbapGit: FeatureToggle;
+    featureRap: FeatureToggle;
+    featureAmdp: FeatureToggle;
+    featureUi5: FeatureToggle;
+    featureTransport: FeatureToggle;
+    featureHana: FeatureToggle;
+    apiKey?: string;
+    oidcIssuer?: string;
+    oidcAudience?: string;
+    xsuaaAuth: boolean;
+    ppEnabled: boolean;
+    ppStrict: boolean;
+    logFile?: string;
+    logLevel: 'debug' | 'info' | 'warn' | 'error';
+    logFormat: 'text' | 'json';
+    verbose: boolean;
+}
+/** Default configuration values */
+export declare const DEFAULT_CONFIG: ServerConfig;
+//# sourceMappingURL=types.d.ts.map

package/dist/server/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../ts-src/server/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,yBAAyB;AACzB,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,iBAAiB,CAAC;AAExD,kEAAkE;AAClE,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,IAAI,GAAG,KAAK,CAAC;AAElD,8DAA8D;AAC9D,MAAM,WAAW,YAAY;IAE3B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,OAAO,CAAC;IAGlB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IAGtB,SAAS,EAAE,aAAa,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IAGjB,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,uBAAuB,EAAE,OAAO,CAAC;IACjC,gBAAgB,EAAE,OAAO,CAAC;IAG1B,cAAc,EAAE,aAAa,CAAC;IAC9B,UAAU,EAAE,aAAa,CAAC;IAC1B,WAAW,EAAE,aAAa,CAAC;IAC3B,UAAU,EAAE,aAAa,CAAC;IAC1B,gBAAgB,EAAE,aAAa,CAAC;IAChC,WAAW,EAAE,aAAa,CAAC;IAG3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IAGnB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;IAGlB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC9C,SAAS,EAAE,MAAM,GAAG,MAAM,CAAC;IAG3B,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,mCAAmC;AACnC,eAAO,MAAM,cAAc,EAAE,YA4B5B,CAAC"}

package/dist/server/types.js

@@ -0,0 +1,42 @@
+/**
+ * Server configuration types for ARC-1.
+ *
+ * Configuration priority (highest to lowest):
+ * 1. CLI flags (--url, --user, etc.)
+ * 2. Environment variables (SAP_URL, SAP_USER, etc.)
+ * 3. .env file
+ * 4. Defaults
+ *
+ * This matches the Go version's configuration precedence.
+ */
+/** Default configuration values */
+export const DEFAULT_CONFIG = {
+    url: '',
+    username: '',
+    password: '',
+    client: '001',
+    language: 'EN',
+    insecure: false,
+    transport: 'stdio',
+    httpAddr: '0.0.0.0:8080',
+    readOnly: false,
+    blockFreeSQL: false,
+    allowedOps: '',
+    disallowedOps: '',
+    allowedPackages: [],
+    allowTransportableEdits: false,
+    enableTransports: false,
+    featureAbapGit: 'auto',
+    featureRap: 'auto',
+    featureAmdp: 'auto',
+    featureUi5: 'auto',
+    featureTransport: 'auto',
+    featureHana: 'auto',
+    xsuaaAuth: false,
+    ppEnabled: false,
+    ppStrict: false,
+    logLevel: 'info',
+    logFormat: 'text',
+    verbose: false,
+};
+//# sourceMappingURL=types.js.map

package/dist/server/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../ts-src/server/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AA8DH,mCAAmC;AACnC,MAAM,CAAC,MAAM,cAAc,GAAiB;IAC1C,GAAG,EAAE,EAAE;IACP,QAAQ,EAAE,EAAE;IACZ,QAAQ,EAAE,EAAE;IACZ,MAAM,EAAE,KAAK;IACb,QAAQ,EAAE,IAAI;IACd,QAAQ,EAAE,KAAK;IACf,SAAS,EAAE,OAAO;IAClB,QAAQ,EAAE,cAAc;IACxB,QAAQ,EAAE,KAAK;IACf,YAAY,EAAE,KAAK;IACnB,UAAU,EAAE,EAAE;IACd,aAAa,EAAE,EAAE;IACjB,eAAe,EAAE,EAAE;IACnB,uBAAuB,EAAE,KAAK;IAC9B,gBAAgB,EAAE,KAAK;IACvB,cAAc,EAAE,MAAM;IACtB,UAAU,EAAE,MAAM;IAClB,WAAW,EAAE,MAAM;IACnB,UAAU,EAAE,MAAM;IAClB,gBAAgB,EAAE,MAAM;IACxB,WAAW,EAAE,MAAM;IACnB,SAAS,EAAE,KAAK;IAChB,SAAS,EAAE,KAAK;IAChB,QAAQ,EAAE,KAAK;IACf,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,MAAM;IACjB,OAAO,EAAE,KAAK;CACf,CAAC"}

package/dist/server/xsuaa.d.ts

@@ -0,0 +1,77 @@
+/**
+ * XSUAA OAuth proxy for MCP-native clients.
+ *
+ * Enables Claude Desktop, Cursor, VS Code, and MCP Inspector to authenticate
+ * via BTP XSUAA using the MCP specification's OAuth discovery (RFC 8414).
+ *
+ * Uses the MCP SDK's ProxyOAuthServerProvider to delegate the OAuth flow
+ * to XSUAA, and @sap/xssec for SAP-specific JWT validation.
+ *
+ * Design decisions:
+ *
+ * 1. @sap/xssec for token validation (not jose):
+ *    - SAP-specific x5t thumbprint and proof-of-possession validation
+ *    - Proper XSUAA audience format handling
+ *    - Offline validation with automatic JWKS caching
+ *    - checkLocalScope() for scope enforcement
+ *
+ * 2. In-memory client store for dynamic registration:
+ *    - MCP clients (Claude Desktop, Cursor) register dynamically via RFC 7591
+ *    - Registrations are lost on restart — clients re-register on reconnect
+ *    - XSUAA clientId is pre-registered as the default client
+ *
+ * 3. Chained token verifier:
+ *    - Tries XSUAA → Entra ID OIDC → API key in order
+ *    - All three auth modes coexist on the same /mcp endpoint
+ */
+import type { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import { ProxyOAuthServerProvider } from '@modelcontextprotocol/sdk/server/auth/providers/proxyProvider.js';
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import type { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+/** XSUAA credentials from VCAP_SERVICES */
+export interface XsuaaCredentials {
+    url: string;
+    clientid: string;
+    clientsecret: string;
+    xsappname: string;
+    uaadomain: string;
+    verificationkey?: string;
+}
+/**
+ * In-memory store for OAuth client registrations.
+ *
+ * MCP clients dynamically register via RFC 7591. The XSUAA service binding
+ * clientId is pre-registered as the default client so that clients can
+ * use it directly without registration.
+ */
+export declare class InMemoryClientStore implements OAuthRegisteredClientsStore {
+    private clients;
+    constructor(xsuaaClientId: string, xsuaaClientSecret: string);
+    getClient(clientId: string): Promise<OAuthClientInformationFull | undefined>;
+    registerClient(client: Omit<OAuthClientInformationFull, 'client_id' | 'client_id_issued_at'>): Promise<OAuthClientInformationFull>;
+}
+/**
+ * Verify a JWT token using @sap/xssec.
+ *
+ * Creates a security context from the token using the XSUAA service,
+ * then maps it to the MCP SDK's AuthInfo format.
+ */
+export declare function createXsuaaTokenVerifier(credentials: XsuaaCredentials): (token: string) => Promise<AuthInfo>;
+/**
+ * Create a token verifier that chains multiple auth methods.
+ *
+ * Tries in order:
+ * 1. XSUAA (@sap/xssec) — if XSUAA credentials are available
+ * 2. Entra ID OIDC (jose) — if SAP_OIDC_ISSUER is configured
+ * 3. API Key — if ARC1_API_KEY is configured
+ */
+export declare function createChainedTokenVerifier(config: {
+    apiKey?: string;
+    oidcIssuer?: string;
+    oidcAudience?: string;
+}, xsuaaVerifier?: (token: string) => Promise<AuthInfo>, oidcVerifier?: (token: string) => Promise<AuthInfo>): (token: string) => Promise<AuthInfo>;
+export declare function createXsuaaOAuthProvider(credentials: XsuaaCredentials, appUrl: string): {
+    provider: ProxyOAuthServerProvider;
+    clientStore: InMemoryClientStore;
+};
+//# sourceMappingURL=xsuaa.d.ts.map

package/dist/server/xsuaa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xsuaa.d.ts","sourceRoot":"","sources":["../../ts-src/server/xsuaa.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,EAAE,wBAAwB,EAAE,MAAM,kEAAkE,CAAC;AAC5G,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAe3F,2CAA2C;AAC3C,MAAM,WAAW,gBAAgB;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAID;;;;;;GAMG;AACH,qBAAa,mBAAoB,YAAW,2BAA2B;IACrE,OAAO,CAAC,OAAO,CAAiD;gBAEpD,aAAa,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM;IAsBtD,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IAW5E,cAAc,CAClB,MAAM,EAAE,IAAI,CAAC,0BAA0B,EAAE,WAAW,GAAG,qBAAqB,CAAC,GAC5E,OAAO,CAAC,0BAA0B,CAAC;CAcvC;AAID;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,gBAAgB,GAAG,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CA2C5G;AAID;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,EACvE,aAAa,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,EACpD,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,GAClD,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CAsDtC;AAmMD,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,gBAAgB,EAC7B,MAAM,EAAE,MAAM,GACb;IAAE,QAAQ,EAAE,wBAAwB,CAAC;IAAC,WAAW,EAAE,mBAAmB,CAAA;CAAE,CAa1E"}