hac-mcp 1.0.0

package/LICENSE

@@ -0,0 +1,41 @@
+MIT License
+
+Copyright (c) 2026 Yunus Emre Gül
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+Commons Clause License Condition
+
+The Software is provided to you by the Licensor under the License, as defined
+above, subject to the following condition:
+
+Without limiting other conditions in the License, the grant of rights under
+the License will not include, and the License does not grant to you, the right
+to Sell the Software.
+
+For purposes of the foregoing, "Sell" means practicing any or all of the rights
+granted to you under the License to provide to third parties, for a fee or other
+consideration (including without limitation fees for hosting or consulting/
+support services related to the Software), a product or service whose value
+derives, entirely or substantially, from the functionality of the Software.
+
+Any license notice or attribution required by the License must also include
+this Commons Clause License Condition notice.
+
+Licensor: Yunus Emre Gül

package/README.md

@@ -0,0 +1,145 @@
+# hac-mcp
+
+A [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) server that provides AI assistants (like Claude) with programmatic access to SAP Commerce Cloud's **Hybris Administration Console (HAC)**. It enables automated FlexibleSearch queries, ImpEx imports, Groovy script execution, and system administration tasks across multiple environments.
+
+It authenticates with HAC using your existing credentials, no backend changes or additional setup required. Permitted operations are configured per environment, so the AI can only do what you explicitly allow.
+
+## What You Can Do
+
+- *"Inspect the PromotionRule with code SUMMER25 in staging and recreate it in my local environment"*
+- *"My ImpEx is failing on staging, check the actual values in production and fill in the correct ones"*
+- *"Find all orders stuck in WAIT status for more than 3 days in production and give me a summary"*
+- *"Write a Groovy script to do ... and run it on local first, if it works I will approve it for staging"*
+- *"This code is not working as expected, can you check its edge cases using Groovy with real data on staging?"*
+- *"I want to test this CronJob on staging, it has a media field that accepts a CSV in txt format with source-product and target-product columns. Create multiple test medias, write them, run the job for each case, and validate the results with FlexibleSearch"*
+
+![Web UI showing environment list and live activity log](docs/screenshots/web-ui-overview.jpeg)
+
+## Features
+
+- **Multi-environment support**: configure and switch between local, staging, and production HAC instances
+- **Fine-grained permissions**: control which operations are allowed per environment
+- **Web UI**: browser-based management console for adding/editing environments and monitoring activity
+- **Real-time logging**: live HAC request and MCP tool execution logs via SSE
+- **Type search**: trigram-based fuzzy search for SAP Commerce type names with per-environment caching
+- **FlexSearch error recovery**: when a query fails due to an unknown field or type, valid field names are fetched and returned alongside the error so the AI can correct and retry without manual intervention
+- **ImpEx validation and enrichment**: scripts are pre-validated for missing mandatory fields before import runs, and any post-import attribute errors are resolved to valid field lists on the fly so the AI can fix and retry the script itself
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `list_environments` | List all configured HAC environments |
+| `flexible_search` | Execute FlexibleSearch queries |
+| `search_type` | Fuzzy search for type names |
+| `get_type_info` | Retrieve type metadata, attributes, and relationships |
+| `resolve_pk` | Resolve opaque PKs to type code and unique field values |
+| `impex_import` | Execute ImpEx import scripts |
+| `groovy_execute` | Execute Groovy scripts |
+| `read_property` | Search HAC configuration properties by key/value |
+| `media_read` | Read text/plain media content |
+| `media_write` | Create or overwrite media models |
+| `list_cronjobs` | List CronJobs with optional filtering |
+| `run_cronjob` | Execute a CronJob synchronously and wait for completion |
+
+## Installation
+
+### Via npx (recommended)
+
+```bash
+npx hac-mcp
+```
+
+### Global install
+
+```bash
+npm install -g hac-mcp
+hac-mcp
+```
+
+The server starts on `http://localhost:18432` by default.
+
+```
+Options:
+  -p, --port    Port to listen on (default: 18432)
+  -v, --version Print version
+  -h, --help    Show help
+```
+
+Environment configuration is stored in `~/.hac-mcp/environments.json`.
+
+### Auto-start on system boot (optional, recommended)
+
+To keep the server running across restarts, use the `startup` subcommand (requires [PM2](https://pm2.keymetrics.io/)):
+
+```bash
+npx hac-mcp startup
+npx hac-mcp startup --port 4000  # with custom port
+```
+
+This registers the server with PM2 and runs `pm2 startup`, which prints a one-time command to run (may require `sudo` on macOS/Linux) to hook PM2 into your OS boot sequence.
+
+## Configuration
+
+### Via Web UI
+
+Open `http://localhost:18432/` in your browser, click **+ Add Environment**, fill in the details (connection is tested automatically as you type), then click **Save**.
+
+![Add Environment form with live connection test](https://github.com/yunusemregul/hac-mcp/blob/master/docs/screenshots/add-environment-form.jpeg)
+
+### Environment options
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `name` | string | | Display name |
+| `description` | string | | Optional notes |
+| `url` | string | | HAC base URL (e.g. `https://host:9002/`) |
+| `username` | string | | HAC login username |
+| `password` | string | | HAC login password |
+| `dbType` | string | `MSSQL` | Database dialect: `MSSQL` or `MySQL` |
+| `allowFlexSearch` | boolean | `true` | Allow FlexibleSearch queries |
+| `allowImpexImport` | boolean | `false` | Allow ImpEx imports |
+| `allowGroovyExecution` | boolean | `false` | Allow Groovy script execution |
+| `allowGroovyCommitMode` | boolean | `false` | Allow Groovy scripts to commit changes |
+| `allowReadProperty` | boolean | `true` | Allow reading platform config properties |
+
+> **Tip for production:** Disable `allowImpexImport`, `allowGroovyCommitMode`, or both to prevent accidental data modifications.
+
+## Using with Claude
+
+Add the following to your MCP client configuration:
+
+```json
+{
+  "mcpServers": {
+    "hac-mcp": {
+      "url": "http://localhost:18432/mcp/sse"
+    }
+  }
+}
+```
+
+## Project Structure
+
+```
+hac-mcp/
+├── server.js           # Express app, MCP SSE endpoint, REST API
+├── hac.js              # HAC client (login, FlexSearch, ImpEx, Groovy, etc.)
+├── storage.js          # Environment config persistence
+├── type-index.js       # Trigram fuzzy type search with caching
+├── tools/
+│   ├── index.js        # Tool registry
+│   ├── context.js      # Shared runtime state (sessions, logging)
+│   ├── zodLoose.js     # Loose Zod validators (string -> number/bool)
+│   └── *.js            # One file per MCP tool
+└── static/
+    ├── index.html      # Management console UI
+    ├── app.js          # UI logic
+    └── style.css       # Styles
+```
+
+## Security Notes
+
+- Credentials are stored in plaintext in `~/.hac-mcp/environments.json`. Avoid exposing this file.
+- SSL certificate verification is disabled for HAC connections: be aware of this in untrusted networks.
+- Restrict write permissions (`allowImpexImport`, `allowGroovyCommitMode`) on production environments.

package/bin/hac-mcp.js

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const { version } = createRequire(import.meta.url)(join(__dirname, '../package.json'));
+
+// ─── Arg parsing ──────────────────────────────────────────────────────────────
+const args = process.argv.slice(2);
+
+function flag(name) {
+  return args.includes(name);
+}
+
+function option(name, short) {
+  const idx = args.findIndex(a => a === name || (short && a === short));
+  if (idx === -1) return null;
+  const val = args[idx + 1];
+  if (!val || val.startsWith('-')) { console.error(`Missing value for ${name}`); process.exit(1); }
+  return val;
+}
+
+if (flag('--help') || flag('-h')) {
+  console.log(`
+hac-mcp v${version}
+
+  A local MCP server for SAP Commerce Cloud HAC (Hybris Administration Console).
+
+Usage:
+  hac-mcp [options]
+  hac-mcp startup [options]
+
+Commands:
+  startup       Register hac-mcp as a startup service via PM2
+
+Options:
+  -p, --port    Port to listen on (default: 18432, env: PORT)
+  -v, --version Print version
+  -h, --help    Show this help
+  `.trim());
+  process.exit(0);
+}
+
+if (flag('--version') || flag('-v')) {
+  console.log(version);
+  process.exit(0);
+}
+
+const port = option('--port', '-p');
+if (port) process.env.PORT = port;
+
+// ─── Commands ─────────────────────────────────────────────────────────────────
+const command = args.find(a => !a.startsWith('-') && args.indexOf(a) === args.findIndex(x => x === a));
+
+if (command === 'startup') {
+  const { execSync } = await import('child_process');
+
+  try {
+    execSync('pm2 --version', { stdio: 'ignore' });
+  } catch {
+    console.error('PM2 is not installed. Run: npm install -g pm2');
+    process.exit(1);
+  }
+
+  const pm2Args = [
+    'pm2 start hac-mcp --name hac-mcp',
+    port ? `--env PORT=${port}` : '',
+  ].filter(Boolean).join(' ');
+
+  try {
+    execSync(pm2Args, { stdio: 'inherit' });
+    execSync('pm2 save', { stdio: 'inherit' });
+    console.log('');
+    const result = execSync('pm2 startup', { encoding: 'utf8' });
+    console.log(result);
+    console.log('Copy and run the command above to complete startup registration.');
+  } catch (e) {
+    console.error('Failed to set up PM2 startup:', e.message);
+    process.exit(1);
+  }
+} else if (command !== undefined) {
+  console.error(`Unknown command: ${command}`);
+  console.error('Run hac-mcp --help for usage.');
+  process.exit(1);
+} else {
+  await import('../server.js');
+}

package/hac.js

@@ -0,0 +1,320 @@
+import https from 'https';
+import dns from 'dns';
+import { URL } from 'url';
+
+const dnsLookup = dns.promises.lookup;
+
+// Per-hostname: resolved IP + keepalive agent (avoids repeated mDNS lookups)
+const dnsCache = {};
+const agentCache = {};
+
+// Logger - server.js sets this to broadcast to SSE clients
+let _log = () => {};
+export function setHacLogger(fn) { _log = fn; }
+function log(level, msg, envName) {
+  const prefix = envName ? `[${envName}] ` : '';
+  _log({ level, msg: prefix + msg, ts: Date.now() });
+}
+
+async function resolveHost(hostname) {
+  if (!dnsCache[hostname]) {
+    try {
+      const r = await dnsLookup(hostname, { family: 4 });
+      dnsCache[hostname] = r.address;
+      log('info', `Resolved ${hostname} → ${r.address}`);
+    } catch {
+      dnsCache[hostname] = hostname;
+    }
+  }
+  return dnsCache[hostname];
+}
+
+function getAgent(hostname) {
+  if (!agentCache[hostname]) {
+    agentCache[hostname] = new https.Agent({ rejectUnauthorized: false, keepAlive: true });
+  }
+  return agentCache[hostname];
+}
+
+const HTTP_TIMEOUT_MS = 60_000;
+
+function httpRequest(options, body = null) {
+  return new Promise((resolve, reject) => {
+    const t0 = Date.now();
+    const req = https.request(options, (res) => {
+      let data = '';
+      res.on('data', chunk => (data += chunk));
+      res.on('end', () => {
+        const envTag = options._envName ? `[${options._envName}] ` : '';
+        log('http', `${envTag}${options.method} ${options.path} → ${res.statusCode} (${Date.now() - t0}ms)`);
+        resolve({ status: res.statusCode, headers: res.headers, body: data });
+      });
+    });
+    req.setTimeout(HTTP_TIMEOUT_MS, () => {
+      req.destroy(new Error(`Request timed out after ${HTTP_TIMEOUT_MS}ms`));
+    });
+    req.on('error', err => {
+      const envTag = options._envName ? `[${options._envName}] ` : '';
+      log('error', `${envTag}${options.method} ${options.path} → ${err.message}`);
+      reject(err);
+    });
+    if (body) req.write(body);
+    req.end();
+  });
+}
+
+function extractCsrf(html) {
+  const m = html.match(/name="_csrf"\s+value="([^"]+)"/) ||
+            html.match(/<meta name="_csrf" content="([^"]+)"/);
+  return m?.[1] ?? null;
+}
+
+function extractCookies(headers) {
+  const cookies = {};
+  for (const c of (headers['set-cookie'] || [])) {
+    const [pair] = c.split(';');
+    const eq = pair.indexOf('=');
+    if (eq !== -1) cookies[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
+  }
+  return cookies;
+}
+
+function cookieStr(cookies) {
+  return Object.entries(cookies).map(([k, v]) => `${k}=${v}`).join('; ');
+}
+
+function htmlDecode(v) {
+  if (typeof v !== 'string') return v;
+  return v.replace(/&amp;/g, '&').replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&#034;/g, '"').replace(/&#39;/g, "'").replace(/&#039;/g, "'");
+}
+
+function opts(session, path, method, extra = {}) {
+  return {
+    hostname: session.ip,
+    servername: session.host,
+    port: session.port,
+    path,
+    method,
+    agent: session.agent,
+    _envName: session.envName,
+    headers: {
+      Host: session.host,
+      'User-Agent': 'hac-mcp/1.0',
+      Cookie: cookieStr(session.cookies),
+      ...extra,
+    },
+  };
+}
+
+export async function login(baseUrl, username, password, envName) {
+  const url = new URL(baseUrl);
+  const host = url.hostname;
+  const port = parseInt(url.port) || 443;
+  const ctx = url.pathname.replace(/\/+$/, '');
+
+  log('info', `Logging in to ${host}${ctx || '/'} as ${username}`, envName);
+
+  const ip = await resolveHost(host);
+  const agent = getAgent(host);
+  const proto = { host, ip, port, ctx, agent, cookies: {}, envName };
+
+  log('info', `Fetching login page - getting CSRF token + session cookie`, envName);
+  const loginPage = await httpRequest(opts(proto, ctx + '/login', 'GET'));
+  const cookies = extractCookies(loginPage.headers);
+  const csrf = extractCsrf(loginPage.body);
+  if (!csrf) throw new Error('Could not extract CSRF token from login page');
+  log('info', `Got CSRF token: ${csrf.slice(0, 16)}…`, envName);
+
+  log('info', `Submitting credentials for ${username}`, envName);
+  const body = new URLSearchParams({ j_username: username, j_password: password, _csrf: csrf }).toString();
+  const loginRes = await httpRequest(opts({ ...proto, cookies }, ctx + '/j_spring_security_check', 'POST', {
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Content-Length': Buffer.byteLength(body),
+    Referer: `https://${host}${ctx}/login`,
+  }), body);
+
+  const sessionCookies = { ...cookies, ...extractCookies(loginRes.headers) };
+  const session = { host, ip, port, ctx, agent, cookies: sessionCookies, envName };
+
+  const redirectPath = loginRes.headers.location || (ctx + '/');
+  log('info', `Following redirect → ${redirectPath}`, envName);
+  const home = await httpRequest(opts(session, redirectPath, 'GET'));
+
+  const loggedIn = home.body.includes("You're Administrator") || home.body.includes('logout');
+  if (!loggedIn) throw new Error('Login failed - check credentials');
+  log('ok', `Login successful for ${username}@${host}`, envName);
+
+  return session;
+}
+
+export class SessionExpiredError extends Error {
+  constructor() { super('Session expired - HAC redirected to login page'); this.name = 'SessionExpiredError'; }
+}
+
+function assertNotLoginPage(res) {
+  const location = res.headers.location || '';
+  if (res.status === 302 && location.includes('/login')) throw new SessionExpiredError();
+  if (res.status === 200 && res.body.includes('j_spring_security_check')) throw new SessionExpiredError();
+}
+
+export async function flexibleSearch(session, query, {
+  maxCount = 200, user = 'admin', locale = 'en', dataSource = 'master',
+} = {}) {
+  const { ctx, host, envName } = session;
+
+  log('info', `Fetching FlexSearch page for CSRF token`, envName);
+  const flexPage = await httpRequest(opts(session, ctx + '/console/flexsearch', 'GET'));
+  assertNotLoginPage(flexPage);
+  const csrf = extractCsrf(flexPage.body);
+  if (!csrf) throw new Error('Could not extract CSRF token from flexsearch page');
+  log('info', `Got CSRF token: ${csrf.slice(0, 16)}…`, envName);
+
+  log('info', `Executing query (maxCount=${maxCount}, dataSource=${dataSource}): ${query.slice(0, 80)}${query.length > 80 ? '…' : ''}`, envName);
+  const body = new URLSearchParams({
+    flexibleSearchQuery: query, sqlQuery: '', maxCount: String(maxCount),
+    user, locale, dataSource, commit: 'false',
+  }).toString();
+
+  const res = await httpRequest(opts(session, ctx + '/console/flexsearch/execute', 'POST', {
+    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+    'Content-Length': Buffer.byteLength(body),
+    'X-CSRF-TOKEN': csrf,
+    'X-Requested-With': 'XMLHttpRequest',
+    Accept: 'application/json',
+    Referer: `https://${host}${ctx}/console/flexsearch`,
+  }), body);
+
+  const result = JSON.parse(res.body);
+  if (result.resultList) result.resultList = result.resultList.map(row => row.map(htmlDecode));
+  if (result.exception) {
+    log('error', `Query failed: ${result.exception}`, envName);
+  } else {
+    log('ok', `Query returned ${result.resultCount} row(s) in ${result.executionTime}ms`, envName);
+  }
+  return result;
+}
+
+export async function impexImport(session, scriptContent, {
+  validationEnum = 'IMPORT_STRICT', maxThreads = 20, encoding = 'UTF-8',
+  legacyMode = false, enableCodeExecution = false, distributedMode = false, sldEnabled = false,
+} = {}) {
+  const { ctx, host, envName } = session;
+
+  log('info', `Fetching ImpEx page for CSRF token`, envName);
+  const impexPage = await httpRequest(opts(session, ctx + '/console/impex/import', 'GET'));
+  assertNotLoginPage(impexPage);
+  const csrf = extractCsrf(impexPage.body);
+  if (!csrf) throw new Error('Could not extract CSRF token from impex page');
+  log('info', `Got CSRF token: ${csrf.slice(0, 16)}…`, envName);
+
+  log('info', `Submitting ImpEx script (${scriptContent.length} chars, validation=${validationEnum}, threads=${maxThreads})`, envName);
+  const params = new URLSearchParams({
+    scriptContent, validationEnum, maxThreads: String(maxThreads), encoding,
+    _legacyMode: 'on', _enableCodeExecution: 'on', _distributedMode: 'on', _sldEnabled: 'on',
+    _csrf: csrf,
+  });
+  if (legacyMode) params.set('legacyMode', 'true');
+  if (enableCodeExecution) params.set('enableCodeExecution', 'true');
+  if (distributedMode) params.set('distributedMode', 'true');
+  if (sldEnabled) params.set('sldEnabled', 'true');
+
+  const body = params.toString();
+  const res = await httpRequest(opts(session, ctx + '/console/impex/import', 'POST', {
+    'Content-Type': 'application/x-www-form-urlencoded',
+    'Content-Length': Buffer.byteLength(body),
+    Referer: `https://${host}${ctx}/console/impex/import`,
+  }), body);
+
+  const levelM = res.body.match(/id="impexResult"[^>]*data-level="([^"]+)"/);
+  const resultM = res.body.match(/id="impexResult"[^>]*data-result="([^"]+)"/);
+  const preM = res.body.match(/<pre>([\s\S]*?)<\/pre>/);
+  const decode = s => s != null ? htmlDecode(s).trim() : null;
+
+  const result = {
+    level: levelM?.[1] ?? null,
+    result: resultM?.[1] ?? null,
+    details: decode(preM?.[1] ?? null),
+  };
+
+  if (result.level === 'error') {
+    log('error', `Import failed: ${result.result}`, envName);
+  } else {
+    log('ok', `Import complete: ${result.result || 'done'}`, envName);
+  }
+  return result;
+}
+
+export async function groovyExecute(session, script, { commit = false } = {}) {
+  const { ctx, host, envName } = session;
+
+  log('info', `Fetching scripting page for CSRF token`, envName);
+  const page = await httpRequest(opts(session, ctx + '/console/scripting', 'GET'));
+  assertNotLoginPage(page);
+  const csrf = extractCsrf(page.body);
+  if (!csrf) throw new Error('Could not extract CSRF token from scripting page');
+  log('info', `Got CSRF token: ${csrf.slice(0, 16)}…`, envName);
+
+  log('info', `Executing Groovy script (${script.length} chars, commit=${commit})`, envName);
+  const body = new URLSearchParams({
+    script, scriptType: 'groovy', commit: commit ? 'true' : 'false',
+  }).toString();
+
+  const res = await httpRequest(opts(session, ctx + '/console/scripting/execute', 'POST', {
+    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+    'Content-Length': Buffer.byteLength(body),
+    'X-CSRF-TOKEN': csrf,
+    'X-Requested-With': 'XMLHttpRequest',
+    Accept: 'application/json',
+    Referer: `https://${host}${ctx}/console/scripting`,
+  }), body);
+
+  assertNotLoginPage(res);
+  const result = JSON.parse(res.body);
+
+  if (result.stacktraceText) {
+    log('error', `Groovy execution failed: ${result.stacktraceText.split('\n')[0]}`, envName);
+  } else {
+    log('ok', `Groovy executed. Result: ${String(result.executionResult).slice(0, 80)}`, envName);
+  }
+  return result;
+}
+
+export async function readProperties(session) {
+  const { ctx, envName } = session;
+
+  log('info', `Fetching configuration properties page`, envName);
+  const page = await httpRequest(opts(session, ctx + '/platform/config', 'GET'));
+  assertNotLoginPage(page);
+
+  // Parse <tr id="key"> ... <input ... name="key" value="val"/> ... </tr>
+  const properties = {};
+  const rowRegex = /<tr\s+id="([^"]+)"[\s\S]*?<input[^>]+class="configValue"[^>]+name="[^"]*"[^>]+value="([^"]*)"[^>]*\/>/g;
+  let m;
+  while ((m = rowRegex.exec(page.body)) !== null) {
+    properties[m[1]] = htmlDecode(m[2]);
+  }
+
+  log('ok', `Parsed ${Object.keys(properties).length} properties`, envName);
+  return properties;
+}
+
+export async function pkAnalyze(session, pk) {
+  const { ctx, host, envName } = session;
+  log('info', `Fetching PK analyzer page for CSRF token`, envName);
+  const page = await httpRequest(opts(session, ctx + '/platform/pkanalyzer', 'GET'));
+  assertNotLoginPage(page);
+  const csrf = extractCsrf(page.body);
+  if (!csrf) throw new Error('Could not extract CSRF token from pkanalyzer page');
+  log('info', `Analyzing PK: ${pk}`, envName);
+  const body = new URLSearchParams({ pkString: String(pk) }).toString();
+  const res = await httpRequest(opts(session, ctx + '/platform/pkanalyzer/analyze', 'POST', {
+    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+    'Content-Length': Buffer.byteLength(body),
+    'X-CSRF-TOKEN': csrf,
+    'X-Requested-With': 'XMLHttpRequest',
+    Accept: 'application/json',
+    Referer: `https://${host}${ctx}/platform/pkanalyzer`,
+  }), body);
+  assertNotLoginPage(res);
+  return JSON.parse(res.body);
+}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "hac-mcp",
+  "version": "1.0.0",
+  "description": "MCP server for SAP Commerce Cloud HAC — FlexibleSearch, ImpEx, Groovy, CronJobs and more from any MCP client",
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "sap",
+    "sap-commerce",
+    "hybris",
+    "hac",
+    "flexiblesearch",
+    "groovy",
+    "impex",
+    "cronjob",
+    "claude"
+  ],
+  "author": "Yunus Emre Gül <yunemregul@gmail.com>",
+  "license": "MIT-Commons-Clause",
+  "homepage": "https://github.com/yunusemregul/hac-mcp",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/yunusemregul/hac-mcp.git"
+  },
+  "bugs": {
+    "url": "https://github.com/yunusemregul/hac-mcp/issues"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "type": "module",
+  "main": "server.js",
+  "bin": {
+    "hac-mcp": "bin/hac-mcp.js"
+  },
+  "files": [
+    "bin",
+    "tools",
+    "static",
+    "server.js",
+    "hac.js",
+    "storage.js",
+    "type-index.js"
+  ],
+  "scripts": {
+    "start": "node server.js"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "express": "^5.2.1",
+    "zod": "^4.3.6"
+  }
+}