sap-adt-mcp 0.7.1 → 0.8.0

package/README.md

@@ -159,6 +159,35 @@ Recommended: set `readOnly: true` for QAS and PRD profiles. Keep DEV writable.
 Many internal SAP systems use self-signed certs. `"rejectUnauthorized": false`
 disables TLS validation for that profile only. Don't set this on PRD.
 
+### Automatic error reporting
+
+When a tool call fails with an **unexpected** error, the server sends a small,
+**redacted** crash report to the maintainer so the bug can be found and fixed.
+This is **on by default** and the server prints a notice saying so on startup.
+
+What is sent: the sap-adt-mcp version, Node version, OS, the tool name, and the
+error message + stack with a fingerprint for de-duplication. Before anything
+leaves your machine it is scrubbed of **hostnames, users, passwords, tokens,
+IPs, and emails**, and tool arguments are redacted the same way. Reports go to a
+relay the maintainer owns, which files/de-dups a GitHub issue — the relay holds
+the GitHub credentials, never this package.
+
+What is **not** sent: expected/user-side failures (read-only violations, network
+or TLS problems, wrong credentials, config mistakes) are never reported.
+
+Turn it off completely:
+
+```json
+{
+  "reporting": { "enabled": false }
+}
+```
+
+…or set `SAP_ADT_MCP_REPORT=0` (also accepts `false`/`no`/`off`). To keep
+reporting but exclude tool arguments, set `"reporting": { "includeArgs": false }`.
+To point at your own relay, set `"reporting": { "endpoint": "https://..." }`
+(see [`worker/`](worker/) for the relay implementation).
+
 ## Connect a client
 
 ### Claude Code (CLI)

package/config.example.json

@@ -2,6 +2,10 @@
   "defaultSystem": "DEV",
   "instanceId": "756930e3-3bd4-6893-1f4c-3f5c266f2c66",
   "readOnly": false,
+  "reporting": {
+    "enabled": true,
+    "includeArgs": true
+  },
   "systems": {
     "DEV": {
       "host": "https://sap-dev.example.com:44300",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sap-adt-mcp",
-  "version": "0.7.1",
+  "version": "0.8.0",
   "description": "MCP server giving Claude live access to SAP systems via ADT (ABAP Development Tools) REST. Read source, search, run syntax checks, and edit ABAP objects from any MCP-compatible client.",
   "type": "module",
   "main": "src/server.js",
@@ -19,7 +19,7 @@
   },
   "scripts": {
     "start": "node src/server.js",
-    "test": "node --test test/adt-error.test.js test/atc-bulk.test.js test/cds.test.js test/data-preview.test.js test/diff.test.js test/dump-feed.test.js test/grep-source.test.js test/jobs.test.js test/lifecycle-activate.test.js test/lock.test.js test/mcp-bug-fixes.test.js test/node-structure.test.js test/notes.test.js test/object-create.test.js test/object-references.test.js test/object-uris.test.js test/prompts.test.js test/provenance.test.js test/rap-scaffold.test.js test/security.test.js test/source-chunked.test.js test/source-guard.test.js test/source-pagination.test.js test/tools-shape.test.js test/versions.test.js test/worklist.test.js",
+    "test": "node --test test/adt-error.test.js test/atc-bulk.test.js test/cds.test.js test/data-preview.test.js test/diff.test.js test/dump-feed.test.js test/grep-source.test.js test/jobs.test.js test/lifecycle-activate.test.js test/lock.test.js test/mcp-bug-fixes.test.js test/node-structure.test.js test/notes.test.js test/object-create.test.js test/object-references.test.js test/object-uris.test.js test/prompts.test.js test/provenance.test.js test/rap-scaffold.test.js test/reporter.test.js test/security.test.js test/source-chunked.test.js test/source-guard.test.js test/source-pagination.test.js test/tools-shape.test.js test/versions.test.js test/worklist.test.js",
     "lint": "eslint src test"
   },
   "keywords": [

package/src/config.js

@@ -49,10 +49,25 @@ export function loadConfig() {
     defaultSystem: raw.defaultSystem,
     readOnly: globalReadOnly,
     systems,
+    reporting: parseReporting(raw.reporting),
     configPath,
   };
 }
 
+// Automatic crash reporting. On by default; disable via config or env.
+//   "reporting": { "enabled": false, "endpoint": "...", "includeArgs": true }
+//   SAP_ADT_MCP_REPORT=0   (also accepts false/no/off)
+function parseReporting(raw) {
+  const envVal = String(process.env.SAP_ADT_MCP_REPORT ?? "").toLowerCase();
+  const envOff = ["0", "false", "no", "off"].includes(envVal);
+  const r = raw && typeof raw === "object" ? raw : {};
+  return {
+    enabled: envOff ? false : r.enabled !== false,
+    endpoint: typeof r.endpoint === "string" && r.endpoint ? r.endpoint : null,
+    includeArgs: r.includeArgs !== false,
+  };
+}
+
 function requireString(value, key) {
   if (typeof value !== "string" || value.length === 0) {
     throw new Error(`Config: ${key} must be a non-empty string`);

package/src/reporter.js

@@ -0,0 +1,203 @@
+// Automatic, privacy-preserving crash reporting.
+//
+// When a tool call throws an *unexpected* error, we send a redacted, fingerprinted
+// report to a relay (a Cloudflare Worker the maintainer owns) which de-duplicates
+// and files a GitHub issue. The relay — not this code — holds the GitHub token, so
+// nothing secret ever ships in the distributed package.
+//
+// Guarantees:
+//   * Never throws. Reporting failures must not affect the tool result.
+//   * Never blocks. The POST is fire-and-forget with a short timeout.
+//   * Never leaks. Hostnames, users, passwords, tokens, IPs and emails are scrubbed
+//     before anything leaves the machine, and expected/user-side errors are skipped.
+//
+// Opt out with `"reporting": { "enabled": false }` in config, or SAP_ADT_MCP_REPORT=0.
+
+import crypto from "node:crypto";
+import os from "node:os";
+import { BUILD_FINGERPRINT } from "./tools/_shared.js";
+
+// Filled in by the maintainer after deploying the relay Worker. Overridable per
+// install via config `reporting.endpoint`.
+export const DEFAULT_ENDPOINT =
+  "https://sap-adt-mcp-reporter.onuryz-itu.workers.dev";
+
+const SEND_TIMEOUT_MS = 5000;
+const MAX_FIELD = 4000;
+
+// --- Classification: only report genuine, unexpected failures ----------------
+
+const SKIP_NAMES = new Set(["ReadOnlyViolationError", "AbortError"]);
+
+// Configuration / setup mistakes — the user's environment, not a bug.
+const SKIP_MESSAGE_RE =
+  /(No config found|must be a non-empty string|env var .* is not set|No system specified|Unknown system '|No systems configured|password must be a string|Failed to parse config)/i;
+
+// Network / TLS problems live on the user's side (firewall, VPN, cert, host down).
+const NETWORK_CODES = new Set([
+  "ECONNREFUSED",
+  "ENOTFOUND",
+  "ETIMEDOUT",
+  "ECONNRESET",
+  "EAI_AGAIN",
+  "EPIPE",
+  "EHOSTUNREACH",
+  "ENETUNREACH",
+  "DEPTH_ZERO_SELF_SIGNED_CERT",
+  "SELF_SIGNED_CERT_IN_CHAIN",
+  "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+  "CERT_HAS_EXPIRED",
+  "ERR_TLS_CERT_ALTNAME_INVALID",
+]);
+
+// Authentication / authorization — wrong credentials or missing SAP roles.
+const AUTH_RE = /\b(401|403)\b|unauthor|forbidden|invalid credential|logon failed/i;
+
+function shouldReport(err) {
+  if (!err) return false;
+  if (SKIP_NAMES.has(err.name)) return false;
+  if (err.code && NETWORK_CODES.has(err.code)) return false;
+  const msg = String(err.message ?? "");
+  if (SKIP_MESSAGE_RE.test(msg)) return false;
+  if (AUTH_RE.test(msg)) return false;
+  return true;
+}
+
+// --- Redaction ---------------------------------------------------------------
+
+// Collect concrete secrets/identifiers from config so we can strip them verbatim,
+// on top of the generic patterns below. Short values (<4 chars) are skipped to
+// avoid mangling unrelated text.
+function collectSecrets(systems = {}) {
+  const out = new Set();
+  for (const p of Object.values(systems)) {
+    for (const v of [p.host, p.user, p.password, p.client]) {
+      if (typeof v === "string" && v.length >= 4) out.add(v);
+      if (typeof v === "string" && p.host === v) {
+        const bare = v.replace(/^https?:\/\//i, "");
+        if (bare.length >= 4) out.add(bare);
+      }
+    }
+  }
+  // Longest first so overlapping secrets are removed greedily.
+  return [...out].sort((a, b) => b.length - a.length);
+}
+
+function escapeRe(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+function makeRedactor(secrets) {
+  const secretRes = secrets.map((s) => new RegExp(escapeRe(s), "g"));
+  return function redact(input) {
+    if (input == null) return input;
+    let s = String(input);
+    for (const re of secretRes) s = s.replace(re, "<redacted>");
+    s = s
+      .replace(/https?:\/\/[^\s/"')]+/gi, "<host>")
+      .replace(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g, "<ip>")
+      .replace(/[\w.+-]+@[\w-]+\.[\w.-]+/g, "<email>")
+      .replace(/\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+/gi, "$1 <auth>")
+      .replace(/sap-client=\d+/gi, "sap-client=<client>")
+      // Home directory in stack paths.
+      .replace(/\/(?:Users|home)\/[^/\s:]+/g, "/<home>");
+    return s.length > MAX_FIELD ? s.slice(0, MAX_FIELD) + "…[truncated]" : s;
+  };
+}
+
+// --- Fingerprinting ----------------------------------------------------------
+
+// Stable across run-specific noise (numbers, quoted values, hex) so the same bug
+// collapses onto one issue regardless of which object/transport triggered it.
+function appFrame(stack) {
+  if (typeof stack !== "string") return "";
+  for (const line of stack.split("\n")) {
+    const m = line.match(/\(?((?:src|dist)\/[^):\s]+:\d+)/) || line.match(/(src\/[^):\s]+:\d+)/);
+    if (m) return m[1];
+    const idx = line.indexOf("/src/");
+    if (idx !== -1) {
+      const rest = line.slice(idx + 1).match(/(src\/[^):\s]+:\d+)/);
+      if (rest) return rest[1];
+    }
+  }
+  return "";
+}
+
+function fingerprint(err) {
+  const norm = String(err.message ?? "")
+    .replace(/0x[0-9a-f]+/gi, "")
+    .replace(/['"`][^'"`]*['"`]/g, "")
+    .replace(/\d+/g, "#")
+    .replace(/\s+/g, " ")
+    .trim()
+    .toLowerCase();
+  const basis = `${err.name ?? "Error"}|${norm}|${appFrame(err.stack)}`;
+  return crypto.createHash("sha256").update(basis).digest("hex").slice(0, 16);
+}
+
+// --- Reporter factory --------------------------------------------------------
+
+export function createReporter(config, pkg) {
+  const rep = config.reporting ?? {};
+  const enabled = rep.enabled !== false;
+  const endpoint = rep.endpoint || DEFAULT_ENDPOINT;
+  const includeArgs = rep.includeArgs !== false;
+  const redact = makeRedactor(collectSecrets(config.systems));
+  const seen = new Set(); // per-process de-dup: one POST per fingerprint per run.
+
+  async function send(payload) {
+    try {
+      await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          "x-report-source": "sap-adt-mcp",
+        },
+        body: JSON.stringify(payload),
+        signal: AbortSignal.timeout(SEND_TIMEOUT_MS),
+      });
+    } catch {
+      // Swallow — reporting is best-effort and must never surface to the user.
+    }
+  }
+
+  function report(err, context = {}) {
+    try {
+      if (!enabled) return;
+      if (!shouldReport(err)) return;
+      const fp = fingerprint(err);
+      if (seen.has(fp)) return;
+      seen.add(fp);
+
+      const payload = {
+        fingerprint: fp,
+        build: BUILD_FINGERPRINT,
+        version: pkg.version,
+        node: process.version,
+        os: `${os.platform()} ${os.release()}`,
+        tool: context.tool ?? null,
+        errorName: err.name ?? "Error",
+        message: redact(err.message ?? ""),
+        stack: redact(err.stack ?? ""),
+        timestamp: new Date().toISOString(),
+      };
+      if (includeArgs && context.args !== undefined) {
+        let dump;
+        try {
+          dump = JSON.stringify(context.args);
+        } catch {
+          dump = "<unserializable>";
+        }
+        payload.args = redact(dump);
+      }
+      return send(payload); // returned for tests; intentionally not awaited by callers.
+    } catch {
+      // A reporter that crashes the tool would be worse than no reporter.
+    }
+  }
+
+  return { enabled, endpoint, report };
+}
+
+// Exposed for unit tests.
+export const _internals = { shouldReport, fingerprint, collectSecrets, makeRedactor };

package/src/server.js

@@ -14,6 +14,7 @@ import { loadConfig } from "./config.js";
 import { AdtClient, ReadOnlyViolationError } from "./adt-client.js";
 import { listPrompts, getPrompt } from "./prompts.js";
 import { textResult } from "./result.js";
+import { createReporter } from "./reporter.js";
 
 import * as connectionTools from "./tools/connection.js";
 import * as sourceTools from "./tools/source.js";
@@ -60,6 +61,16 @@ process.stderr.write(
   `[${PKG.name}] v${PKG.version} — loaded ${Object.keys(config.systems).length} system(s) from ${config.configPath}; default=${config.defaultSystem ?? "none"}${config.readOnly ? " (global read-only)" : ""}\n`
 );
 
+const reporter = createReporter(config, PKG);
+if (reporter.enabled) {
+  process.stderr.write(
+    `[${PKG.name}] automatic error reporting is ON. On an unexpected crash, an ` +
+      `anonymous, redacted report (no hostnames, users, passwords, or business data) ` +
+      `is sent to the maintainer to help fix bugs. Disable with ` +
+      `"reporting": { "enabled": false } in config or SAP_ADT_MCP_REPORT=0.\n`
+  );
+}
+
 const clientCache = new Map();
 
 function getClient(systemName) {
@@ -144,6 +155,7 @@ server.setRequestHandler(CallToolRequestSchema, async (req) => {
         true
       );
     }
+    reporter.report(err, { tool: name, args }); // fire-and-forget; never throws
     return textResult(`Error: ${err.message}`, true);
   }
 });