arc-1 0.1.0

package/dist/server/xsuaa.js

@@ -0,0 +1,364 @@
+/**
+ * XSUAA OAuth proxy for MCP-native clients.
+ *
+ * Enables Claude Desktop, Cursor, VS Code, and MCP Inspector to authenticate
+ * via BTP XSUAA using the MCP specification's OAuth discovery (RFC 8414).
+ *
+ * Uses the MCP SDK's ProxyOAuthServerProvider to delegate the OAuth flow
+ * to XSUAA, and @sap/xssec for SAP-specific JWT validation.
+ *
+ * Design decisions:
+ *
+ * 1. @sap/xssec for token validation (not jose):
+ *    - SAP-specific x5t thumbprint and proof-of-possession validation
+ *    - Proper XSUAA audience format handling
+ *    - Offline validation with automatic JWKS caching
+ *    - checkLocalScope() for scope enforcement
+ *
+ * 2. In-memory client store for dynamic registration:
+ *    - MCP clients (Claude Desktop, Cursor) register dynamically via RFC 7591
+ *    - Registrations are lost on restart — clients re-register on reconnect
+ *    - XSUAA clientId is pre-registered as the default client
+ *
+ * 3. Chained token verifier:
+ *    - Tries XSUAA → Entra ID OIDC → API key in order
+ *    - All three auth modes coexist on the same /mcp endpoint
+ */
+import { ProxyOAuthServerProvider } from '@modelcontextprotocol/sdk/server/auth/providers/proxyProvider.js';
+import { XsuaaService } from '@sap/xssec';
+import { logger } from './logger.js';
+// ─── In-Memory Client Store ──────────────────────────────────────────
+/**
+ * In-memory store for OAuth client registrations.
+ *
+ * MCP clients dynamically register via RFC 7591. The XSUAA service binding
+ * clientId is pre-registered as the default client so that clients can
+ * use it directly without registration.
+ */
+export class InMemoryClientStore {
+    clients = new Map();
+    constructor(xsuaaClientId, xsuaaClientSecret) {
+        // Pre-register the XSUAA client so MCP clients that use it directly work.
+        // The redirect_uris MUST include all URIs that MCP clients will use,
+        // because the MCP SDK validates redirect_uri against this list BEFORE
+        // calling our authorize override. These must also be registered in xs-security.json.
+        this.clients.set(xsuaaClientId, {
+            client_id: xsuaaClientId,
+            client_secret: xsuaaClientSecret,
+            redirect_uris: [
+                'http://localhost:6274/oauth/callback', // MCP Inspector
+                'http://localhost:3000/oauth/callback', // Local dev servers
+                'https://claude.ai/api/mcp/auth_callback', // Claude Desktop
+                'cursor://anysphere.cursor-retrieval/oauth/callback', // Cursor
+                'vscode://vscode.microsoft-authentication/callback', // VS Code
+            ],
+            grant_types: ['authorization_code', 'refresh_token'],
+            response_types: ['code'],
+            token_endpoint_auth_method: 'client_secret_post',
+            client_name: 'ARC-1 XSUAA Default Client',
+        });
+    }
+    async getClient(clientId) {
+        const client = this.clients.get(clientId);
+        logger.debug('OAuth client lookup', {
+            clientId,
+            found: !!client,
+            clientName: client?.client_name,
+            registeredClients: [...this.clients.keys()],
+        });
+        return client;
+    }
+    async registerClient(client) {
+        const clientId = `arc1-${crypto.randomUUID().slice(0, 8)}`;
+        const clientSecret = crypto.randomUUID();
+        const fullClient = {
+            ...client,
+            client_id: clientId,
+            client_secret: clientSecret,
+            client_id_issued_at: Math.floor(Date.now() / 1000),
+        };
+        this.clients.set(clientId, fullClient);
+        logger.debug('OAuth client registered', { clientId, clientName: client.client_name });
+        return fullClient;
+    }
+}
+// ─── XSUAA Token Verifier ────────────────────────────────────────────
+/**
+ * Verify a JWT token using @sap/xssec.
+ *
+ * Creates a security context from the token using the XSUAA service,
+ * then maps it to the MCP SDK's AuthInfo format.
+ */
+export function createXsuaaTokenVerifier(credentials) {
+    const xsuaaService = new XsuaaService({
+        clientid: credentials.clientid,
+        clientsecret: credentials.clientsecret,
+        url: credentials.url,
+        xsappname: credentials.xsappname,
+        uaadomain: credentials.uaadomain,
+    });
+    return async (token) => {
+        logger.debug('XSUAA token verification: creating security context');
+        const securityContext = await xsuaaService.createSecurityContext(token, { jwt: token });
+        // Extract scopes (remove xsappname prefix for local scope names)
+        const grantedScopes = [];
+        // The token contains scopes like "arc1-mcp!b12345.read"
+        // checkLocalScope strips the prefix for us
+        for (const scope of ['read', 'write', 'admin']) {
+            if (securityContext.checkLocalScope(scope)) {
+                grantedScopes.push(scope);
+            }
+        }
+        const expiresAt = securityContext.token?.payload?.exp;
+        const authInfo = {
+            token,
+            clientId: securityContext.getClientId(),
+            scopes: grantedScopes,
+            expiresAt: typeof expiresAt === 'number' ? expiresAt : undefined,
+            extra: {
+                userName: securityContext.getLogonName?.() ?? undefined,
+                email: securityContext.getEmail?.() ?? undefined,
+            },
+        };
+        logger.debug('XSUAA token verified', {
+            clientId: authInfo.clientId,
+            scopes: grantedScopes,
+            userName: authInfo.extra.userName,
+            email: authInfo.extra.email,
+        });
+        return authInfo;
+    };
+}
+// ─── Chained Token Verifier ──────────────────────────────────────────
+/**
+ * Create a token verifier that chains multiple auth methods.
+ *
+ * Tries in order:
+ * 1. XSUAA (@sap/xssec) — if XSUAA credentials are available
+ * 2. Entra ID OIDC (jose) — if SAP_OIDC_ISSUER is configured
+ * 3. API Key — if ARC1_API_KEY is configured
+ */
+export function createChainedTokenVerifier(config, xsuaaVerifier, oidcVerifier) {
+    return async (token) => {
+        const tokenPreview = `${token.slice(0, 20)}...${token.slice(-10)}`;
+        logger.debug('Chained token verifier: starting', { tokenPreview });
+        // 1. Try XSUAA
+        if (xsuaaVerifier) {
+            try {
+                const result = await xsuaaVerifier(token);
+                logger.debug('Chained token verifier: XSUAA succeeded', {
+                    clientId: result.clientId,
+                    scopes: result.scopes,
+                    user: result.extra?.email || result.extra?.userName,
+                });
+                return result;
+            }
+            catch (err) {
+                logger.debug('Chained token verifier: XSUAA failed, trying next', {
+                    error: err instanceof Error ? err.message : String(err),
+                });
+            }
+        }
+        // 2. Try Entra ID OIDC
+        if (oidcVerifier) {
+            try {
+                const result = await oidcVerifier(token);
+                logger.debug('Chained token verifier: OIDC succeeded', {
+                    clientId: result.clientId,
+                    scopes: result.scopes,
+                });
+                return result;
+            }
+            catch (err) {
+                logger.debug('Chained token verifier: OIDC failed, trying next', {
+                    error: err instanceof Error ? err.message : String(err),
+                });
+            }
+        }
+        // 3. Try API key
+        if (config.apiKey && token === config.apiKey) {
+            logger.debug('Chained token verifier: API key matched');
+            return {
+                token,
+                clientId: 'api-key',
+                scopes: ['read', 'write', 'admin'],
+                // MCP SDK's requireBearerAuth requires expiresAt — set to 1 year
+                expiresAt: Math.floor(Date.now() / 1000) + 365 * 24 * 60 * 60,
+                extra: {},
+            };
+        }
+        logger.debug('Chained token verifier: all methods failed', { tokenPreview });
+        throw new Error('Token validation failed: not a valid XSUAA, OIDC, or API key token');
+    };
+}
+// ─── OAuth Provider Factory ──────────────────────────────────────────
+/**
+ * Create a ProxyOAuthServerProvider that proxies OAuth to XSUAA.
+ */
+/**
+ * XSUAA-proxying OAuth provider.
+ *
+ * Extends ProxyOAuthServerProvider to replace the MCP client's local client_id
+ * with the XSUAA service binding client_id when forwarding to XSUAA.
+ *
+ * Problem: MCP clients register via DCR and get a local client_id (e.g., "arc1-f63afbab").
+ * But XSUAA only knows about its own client_id ("sb-arc1-mcp!t498139").
+ * The standard ProxyOAuthServerProvider forwards the local client_id to XSUAA, which rejects it.
+ *
+ * Solution: Override authorize() to swap the client_id and use a custom fetch() for
+ * the token exchange to inject the XSUAA credentials.
+ */
+class XsuaaProxyOAuthProvider extends ProxyOAuthServerProvider {
+    xsuaaClientId;
+    xsuaaClientSecret;
+    xsuaaTokenUrl;
+    xsuaaAuthUrl;
+    xsuaaXsappname;
+    _localClientStore;
+    constructor(credentials, verifier, localClientStore) {
+        const authUrl = `${credentials.url}/oauth/authorize`;
+        const tokenUrl = `${credentials.url}/oauth/token`;
+        super({
+            endpoints: {
+                authorizationUrl: authUrl,
+                tokenUrl: tokenUrl,
+                revocationUrl: `${credentials.url}/oauth/revoke`,
+            },
+            verifyAccessToken: verifier,
+            getClient: (clientId) => localClientStore.getClient(clientId),
+        });
+        this.xsuaaClientId = credentials.clientid;
+        this.xsuaaClientSecret = credentials.clientsecret;
+        this.xsuaaTokenUrl = tokenUrl;
+        this.xsuaaAuthUrl = authUrl;
+        this.xsuaaXsappname = credentials.xsappname;
+        this._localClientStore = localClientStore;
+        this.skipLocalPkceValidation = true;
+    }
+    /**
+     * Override clientsStore to expose registerClient for DCR.
+     * The MCP SDK checks this to decide whether to advertise
+     * registration_endpoint in OAuth metadata and handle POST /register.
+     */
+    get clientsStore() {
+        return this._localClientStore;
+    }
+    /**
+     * Override authorize to replace the MCP client's local client_id
+     * with the XSUAA service binding client_id.
+     */
+    async authorize(_client, params, res) {
+        const targetUrl = new URL(this.xsuaaAuthUrl);
+        const searchParams = new URLSearchParams({
+            client_id: this.xsuaaClientId, // Use XSUAA client, not local DCR client
+            response_type: 'code',
+            redirect_uri: params.redirectUri,
+            code_challenge: params.codeChallenge,
+            code_challenge_method: 'S256',
+        });
+        if (params.state)
+            searchParams.set('state', params.state);
+        if (params.scopes?.length) {
+            // Qualify short scope names (read, write, admin) with XSUAA xsappname prefix.
+            // XSUAA rejects unqualified scopes like "admin" — it needs "arc1-mcp!t498139.admin".
+            // Filter out empty strings (Copilot Studio sends scope="" which splits to [""]).
+            const qualifiedScopes = params.scopes
+                .filter((s) => s.length > 0)
+                .map((s) => (s.includes('.') ? s : `${this.xsuaaXsappname}.${s}`));
+            if (qualifiedScopes.length > 0) {
+                searchParams.set('scope', qualifiedScopes.join(' '));
+            }
+        }
+        if (params.resource)
+            searchParams.set('resource', params.resource.toString());
+        targetUrl.search = searchParams.toString();
+        logger.debug('XSUAA authorize redirect', {
+            xsuaaClient: this.xsuaaClientId,
+            redirectUri: params.redirectUri,
+        });
+        res.redirect(targetUrl.toString());
+    }
+    /**
+     * Override exchangeAuthorizationCode to use XSUAA credentials
+     * instead of the local DCR client credentials.
+     */
+    async exchangeAuthorizationCode(_client, authorizationCode, codeVerifier, redirectUri) {
+        logger.debug('XSUAA token exchange: authorization_code', {
+            hasCodeVerifier: !!codeVerifier,
+            redirectUri,
+        });
+        const params = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code: authorizationCode,
+            client_id: this.xsuaaClientId,
+            client_secret: this.xsuaaClientSecret,
+        });
+        if (codeVerifier)
+            params.set('code_verifier', codeVerifier);
+        if (redirectUri)
+            params.set('redirect_uri', redirectUri);
+        const response = await fetch(this.xsuaaTokenUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            logger.error('XSUAA token exchange failed', { status: response.status, body: text.slice(0, 200) });
+            throw new Error(`XSUAA token exchange failed: ${response.status}`);
+        }
+        const data = (await response.json());
+        logger.debug('XSUAA token exchange: success', {
+            tokenType: data.token_type,
+            expiresIn: data.expires_in,
+            hasRefreshToken: !!data.refresh_token,
+            scope: data.scope,
+        });
+        return {
+            access_token: data.access_token,
+            token_type: data.token_type ?? 'bearer',
+            expires_in: data.expires_in,
+            refresh_token: data.refresh_token,
+            scope: data.scope,
+        };
+    }
+    /**
+     * Override exchangeRefreshToken to use XSUAA credentials.
+     */
+    async exchangeRefreshToken(_client, refreshToken, _scopes) {
+        const params = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_id: this.xsuaaClientId,
+            client_secret: this.xsuaaClientSecret,
+        });
+        const response = await fetch(this.xsuaaTokenUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`XSUAA refresh token exchange failed: ${response.status}`);
+        }
+        const data = (await response.json());
+        return {
+            access_token: data.access_token,
+            token_type: data.token_type ?? 'bearer',
+            expires_in: data.expires_in,
+            refresh_token: data.refresh_token,
+            scope: data.scope,
+        };
+    }
+}
+export function createXsuaaOAuthProvider(credentials, appUrl) {
+    const clientStore = new InMemoryClientStore(credentials.clientid, credentials.clientsecret);
+    const verifier = createXsuaaTokenVerifier(credentials);
+    const provider = new XsuaaProxyOAuthProvider(credentials, verifier, clientStore);
+    logger.info('XSUAA OAuth provider created', {
+        xsappname: credentials.xsappname,
+        authorizationUrl: `${credentials.url}/oauth/authorize`,
+        appUrl,
+    });
+    return { provider, clientStore };
+}
+//# sourceMappingURL=xsuaa.js.map

package/dist/server/xsuaa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xsuaa.js","sourceRoot":"","sources":["../../ts-src/server/xsuaa.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,EAAE,wBAAwB,EAAE,MAAM,kEAAkE,CAAC;AAG5G,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAuBrC,wEAAwE;AAExE;;;;;;GAMG;AACH,MAAM,OAAO,mBAAmB;IACtB,OAAO,GAAG,IAAI,GAAG,EAAsC,CAAC;IAEhE,YAAY,aAAqB,EAAE,iBAAyB;QAC1D,0EAA0E;QAC1E,qEAAqE;QACrE,sEAAsE;QACtE,qFAAqF;QACrF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE;YAC9B,SAAS,EAAE,aAAa;YACxB,aAAa,EAAE,iBAAiB;YAChC,aAAa,EAAE;gBACb,sCAAsC,EAAE,gBAAgB;gBACxD,sCAAsC,EAAE,oBAAoB;gBAC5D,yCAAyC,EAAE,iBAAiB;gBAC5D,oDAAoD,EAAE,SAAS;gBAC/D,mDAAmD,EAAE,UAAU;aAChE;YACD,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YACpD,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,0BAA0B,EAAE,oBAAoB;YAChD,WAAW,EAAE,4BAA4B;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;YAClC,QAAQ;YACR,KAAK,EAAE,CAAC,CAAC,MAAM;YACf,UAAU,EAAE,MAAM,EAAE,WAAW;YAC/B,iBAAiB,EAAE,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;SAC5C,CAAC,CAAC;QACH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,MAA6E;QAE7E,MAAM,QAAQ,GAAG,QAAQ,MAAM,CAAC,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAC3D,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEzC,MAAM,UAAU,GAA+B;YAC7C,GAAG,MAAM;YACT,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACnD,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;QACtF,OAAO,UAAU,CAAC;IACpB,CAAC;CACF;AAED,wEAAwE;AAExE;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,WAA6B;IACpE,MAAM,YAAY,GAAG,IAAI,YAAY,CAAC;QACpC,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,GAAG,EAAE,WAAW,CAAC,GAAG;QACpB,SAAS,EAAE,WAAW,CAAC,SAAS;QAChC,SAAS,EAAE,WAAW,CAAC,SAAS;KACjC,CAAC,CAAC;IAEH,OAAO,KAAK,EAAE,KAAa,EAAqB,EAAE;QAChD,MAAM,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACpE,MAAM,eAAe,GAAG,MAAM,YAAY,CAAC,qBAAqB,CAAC,KAAK,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAExF,iEAAiE;QACjE,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,wDAAwD;QACxD,2CAA2C;QAC3C,KAAK,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC;YAC/C,IAAI,eAAe,CAAC,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3C,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC;QAEtD,MAAM,QAAQ,GAAG;YACf,KAAK;YACL,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE;YACvC,MAAM,EAAE,aAAa;YACrB,SAAS,EAAE,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;YAChE,KAAK,EAAE;gBACL,QAAQ,EAAE,eAAe,CAAC,YAAY,EAAE,EAAE,IAAI,SAAS;gBACvD,KAAK,EAAE,eAAe,CAAC,QAAQ,EAAE,EAAE,IAAI,SAAS;aACjD;SACF,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;YACnC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,MAAM,EAAE,aAAa;YACrB,QAAQ,EAAE,QAAQ,CAAC,KAAK,CAAC,QAAQ;YACjC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,KAAK;SAC5B,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE;;;;;;;GAOG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAAuE,EACvE,aAAoD,EACpD,YAAmD;IAEnD,OAAO,KAAK,EAAE,KAAa,EAAqB,EAAE;QAChD,MAAM,YAAY,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QACnE,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QAEnE,eAAe;QACf,IAAI,aAAa,EAAE,CAAC;YAClB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;gBAC1C,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE;oBACtD,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,IAAI,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ;iBACpD,CAAC,CAAC;gBACH,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,mDAAmD,EAAE;oBAChE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;oBACrD,QAAQ,EAAE,MAAM,CAAC,QAAQ;oBACzB,MAAM,EAAE,MAAM,CAAC,MAAM;iBACtB,CAAC,CAAC;gBACH,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE;oBAC/D,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,IAAI,MAAM,CAAC,MAAM,IAAI,KAAK,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;YAC7C,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;YACxD,OAAO;gBACL,KAAK;gBACL,QAAQ,EAAE,SAAS;gBACnB,MAAM,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;gBAClC,iEAAiE;gBACjE,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE;gBAC7D,KAAK,EAAE,EAAE;aACV,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,4CAA4C,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;QAC7E,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;IACxF,CAAC,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE;;GAEG;AACH;;;;;;;;;;;;GAYG;AACH,MAAM,uBAAwB,SAAQ,wBAAwB;IACpD,aAAa,CAAS;IACtB,iBAAiB,CAAS;IAC1B,aAAa,CAAS;IACtB,YAAY,CAAS;IACrB,cAAc,CAAS;IACvB,iBAAiB,CAAsB;IAE/C,YACE,WAA6B,EAC7B,QAA8C,EAC9C,gBAAqC;QAErC,MAAM,OAAO,GAAG,GAAG,WAAW,CAAC,GAAG,kBAAkB,CAAC;QACrD,MAAM,QAAQ,GAAG,GAAG,WAAW,CAAC,GAAG,cAAc,CAAC;QAElD,KAAK,CAAC;YACJ,SAAS,EAAE;gBACT,gBAAgB,EAAE,OAAO;gBACzB,QAAQ,EAAE,QAAQ;gBAClB,aAAa,EAAE,GAAG,WAAW,CAAC,GAAG,eAAe;aACjD;YACD,iBAAiB,EAAE,QAAQ;YAC3B,SAAS,EAAE,CAAC,QAAgB,EAAE,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,QAAQ,CAAC;SACtE,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC;QAC1C,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC,YAAY,CAAC;QAClD,IAAI,CAAC,aAAa,GAAG,QAAQ,CAAC;QAC9B,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC;QAC5B,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC;QAC5C,IAAI,CAAC,iBAAiB,GAAG,gBAAgB,CAAC;QAC1C,IAAI,CAAC,uBAAuB,GAAG,IAAI,CAAC;IACtC,CAAC;IAED;;;;OAIG;IACH,IAAa,YAAY;QACvB,OAAO,IAAI,CAAC,iBAAiB,CAAC;IAChC,CAAC;IAED;;;OAGG;IACM,KAAK,CAAC,SAAS,CACtB,OAAmC,EACnC,MAMC,EACD,GAAoC;QAEpC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,YAAY,GAAG,IAAI,eAAe,CAAC;YACvC,SAAS,EAAE,IAAI,CAAC,aAAa,EAAE,yCAAyC;YACxE,aAAa,EAAE,MAAM;YACrB,YAAY,EAAE,MAAM,CAAC,WAAW;YAChC,cAAc,EAAE,MAAM,CAAC,aAAa;YACpC,qBAAqB,EAAE,MAAM;SAC9B,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;YAC1B,8EAA8E;YAC9E,qFAAqF;YACrF,iFAAiF;YACjF,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM;iBAClC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;iBAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,cAAc,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YACrE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ;YAAE,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;QAE9E,SAAS,CAAC,MAAM,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAC;QAE3C,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE;YACvC,WAAW,EAAE,IAAI,CAAC,aAAa;YAC/B,WAAW,EAAE,MAAM,CAAC,WAAW;SAChC,CAAC,CAAC;QAEH,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IACrC,CAAC;IAED;;;OAGG;IACM,KAAK,CAAC,yBAAyB,CACtC,OAAmC,EACnC,iBAAyB,EACzB,YAAqB,EACrB,WAAoB;QAEpB,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE;YACvD,eAAe,EAAE,CAAC,CAAC,YAAY;YAC/B,WAAW;SACZ,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;YAChC,IAAI,EAAE,iBAAiB;YACvB,SAAS,EAAE,IAAI,CAAC,aAAa;YAC7B,aAAa,EAAE,IAAI,CAAC,iBAAiB;SACtC,CAAC,CAAC;QACH,IAAI,YAAY;YAAE,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,YAAY,CAAC,CAAC;QAC5D,IAAI,WAAW;YAAE,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;QAEzD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YACnG,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;QACtD,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;YAC5C,SAAS,EAAE,IAAI,CAAC,UAAU;YAC1B,SAAS,EAAE,IAAI,CAAC,UAAU;YAC1B,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,aAAa;YACrC,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC,CAAC;QACH,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,QAAQ;YACvC,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACM,KAAK,CAAC,oBAAoB,CAAC,OAAmC,EAAE,YAAoB,EAAE,OAAkB;QAC/G,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,eAAe;YAC3B,aAAa,EAAE,YAAY;YAC3B,SAAS,EAAE,IAAI,CAAC,aAAa;YAC7B,aAAa,EAAE,IAAI,CAAC,iBAAiB;SACtC,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,aAAa,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,wCAAwC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC7E,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;QACtD,OAAO;YACL,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,QAAQ;YACvC,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB,CAAC;IACJ,CAAC;CACF;AAED,MAAM,UAAU,wBAAwB,CACtC,WAA6B,EAC7B,MAAc;IAEd,MAAM,WAAW,GAAG,IAAI,mBAAmB,CAAC,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,YAAY,CAAC,CAAC;IAC5F,MAAM,QAAQ,GAAG,wBAAwB,CAAC,WAAW,CAAC,CAAC;IAEvD,MAAM,QAAQ,GAAG,IAAI,uBAAuB,CAAC,WAAW,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC;IAEjF,MAAM,CAAC,IAAI,CAAC,8BAA8B,EAAE;QAC1C,SAAS,EAAE,WAAW,CAAC,SAAS;QAChC,gBAAgB,EAAE,GAAG,WAAW,CAAC,GAAG,kBAAkB;QACtD,MAAM;KACP,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AACnC,CAAC"}

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "arc-1",
+  "version": "0.1.0",
+  "description": "ARC-1 — MCP Server for SAP ABAP Systems",
+  "author": "Marian Zeis",
+  "license": "MIT",
+  "type": "module",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "bin": {
+    "arc1": "./bin/arc1.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "bin",
+    "README.md",
+    "LICENSE"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx ts-src/index.ts",
+    "dev:http": "tsx ts-src/index.ts --transport http-streamable",
+    "start": "node dist/index.js",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:integration": "vitest run --config vitest.integration.config.ts",
+    "test:coverage": "vitest run --coverage",
+    "lint": "biome check .",
+    "lint:fix": "biome check --write .",
+    "format": "biome format --write .",
+    "typecheck": "tsc --noEmit",
+    "cli": "tsx ts-src/cli.ts",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@abaplint/core": "^2.115.27",
+    "@modelcontextprotocol/sdk": "^1.28.0",
+    "@sap/xsenv": "^6.1.0",
+    "@sap/xssec": "^4.13.0",
+    "axios": "^1.13.6",
+    "better-sqlite3": "^12.8.0",
+    "commander": "^14.0.3",
+    "dotenv": "^17.3.1",
+    "express": "^5.2.1",
+    "fast-xml-parser": "^5.5.9",
+    "jose": "^6.2.2",
+    "zod": "^3.24.0"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.4.8",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/express": "^5.0.6",
+    "@types/node": "^22.0.0",
+    "@types/supertest": "^7.2.0",
+    "supertest": "^7.2.2",
+    "tsx": "^4.21.0",
+    "typescript": "~5.8.0",
+    "vitest": "^4.1.1"
+  }
+}