https://github.com/fr0ster/mcp-abap-adt

MCP server for SAP BTP ABAP Cloud and On-Premise ECC/S/4HANA ABAP ADT with full CRUD, JWT/XSUAA, and service-key auth.
https://github.com/fr0ster/mcp-abap-adt

abap abap-cloud adt btp crud jwt mcp mcp-server sap sap-btp service-key xsuaa

Last synced: 10 days ago
JSON representation

MCP server for SAP BTP ABAP Cloud and On-Premise ECC/S/4HANA ABAP ADT with full CRUD, JWT/XSUAA, and service-key auth.

• Host: GitHub
• URL: https://github.com/fr0ster/mcp-abap-adt
• Owner: fr0ster
• License: mit
• Created: 2025-10-30T20:31:13.000Z (7 months ago)
• Default Branch: main
• Last Pushed: 2026-05-15T20:02:10.000Z (19 days ago)
• Last Synced: 2026-05-21T11:54:01.666Z (13 days ago)
• Topics: abap, abap-cloud, adt, btp, crud, jwt, mcp, mcp-server, sap, sap-btp, service-key, xsuaa
• Language: TypeScript
• Size: 13.7 MB
• Stars: 52
• Watchers: 0
• Forks: 15
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE
  • Roadmap: docs/roadmaps/LEGACY_SUPPORT.md

Awesome Lists containing this project

README

          
#  mcp-abap-adt: Your Gateway to ABAP Development Tools (ADT)

[![Stand With Ukraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://stand-with-ukraine.pp.ua)

`mcp-abap-adt` is an MCP server for ABAP ADT in SAP ECC/S/4HANA (on-premise) and SAP BTP ABAP Cloud systems. It gives agents controlled access to real ABAP repositories through ADT, so analysis and changes are grounded in system data instead of assumptions. It is built for AI-assisted pair programming (AIPNV: AI Pairing, Not Vibing), not autopilot vibe coding.

**Primary workflows:**

- **Deep ABAP analysis**: where-used, object metadata, repository navigation, object structure, semantic analysis, dependency and impact exploration.

- **High-level ABAP development**: rapid CRUD and iterative updates for RAP and classic ABAP artifacts (classes, interfaces, function groups/modules, programs, DDIC, CDS/view/service artifacts), validated through ADT flows.

**Why teams use it:**

- **Full CRUD** (not read-only): create, read, update, and delete ABAP artifacts

- Works with **On-Premise (ECC/S/4HANA)**, **ABAP Cloud (BTP)**, and **Legacy** systems (BASIS < 7.50)

- **JWT/XSUAA**, **service key** (destination-based), and **RFC** authorization

- Multiple transports: **stdio**, **HTTP**, **SSE**

- Rich tool surface for ABAP objects, metadata, transports, and search

**Authorization & Destinations (Important):** A *destination* is the filename of a service key stored locally. You place service keys in the service-keys directory, and use `--mcp=` to select which one to use. This is the primary auth model for on‑prem and BTP systems. See [Authentication & Destinations](docs/user-guide/AUTHENTICATION.md).

You can configure MCP clients either manually (JSON/TOML) or via the configurator CLI (`@mcp-abap-adt/configurator`, repo: [`mcp-abap-adt-conf`](https://github.com/fr0ster/mcp-abap-adt-conf)).

## Table of Contents

1. [Getting Started](#getting-started)

2. [Architecture](#architecture)

3. [Quick Start](#quick-start)

4. [Use Cases](#use-cases)

5. [Target Users](#target-users)

6. [Capabilities (High-Level Focus)](#capabilities-high-level-focus)

7. [Terminology](#terminology)

8. [Authorization & Destinations](#authorization--destinations)

9. [Registries](#registries)

10. [Features](#features)

11. [Documentation](#documentation)

12. [Dependencies](#dependencies)

13. [Running the Server](#running-the-server)

## Getting Started

Install the server and configure your client using the configurator:

```bash

npm install -g @mcp-abap-adt/core

npm install -g @mcp-abap-adt/configurator

# stdio (destination)

mcp-conf --client cline --name abap --mcp TRIAL

# HTTP (streamable HTTP)

mcp-conf --client copilot --name abap --transport http --url http://localhost:3000/mcp/stream/http --mcp trial

```

Full configurator usage (separate repo): [CLIENT_INSTALLERS.md](https://github.com/fr0ster/mcp-abap-adt-conf/tree/main/docs/CLIENT_INSTALLERS.md).

## Terminology

**Destination**: a local service key filename. You store service keys in the standard `service-keys` directory, and pass the filename (without extension) via `--mcp=` to select which system to use.

See [docs/user-guide/TERMINOLOGY.md](docs/user-guide/TERMINOLOGY.md) for the full list.

## Authorization & Destinations

Destination-based auth is the default. Drop service keys into the standard platform folder and use the filename as your destination:

```bash

mcp-abap-adt --transport=stdio --mcp=TRIAL

```

Standard service key paths:

- Unix (Linux/macOS): `~/.config/mcp-abap-adt/service-keys/.json`

- Windows: `%USERPROFILE%\\Documents\\mcp-abap-adt\\service-keys\\.json`

For full details (paths, `.env`, direct headers), see [Authentication & Destinations](docs/user-guide/AUTHENTICATION.md).

## Architecture

The project provides two main usage patterns:

### 1. Standalone MCP Server (Default)

Run as a standalone MCP server with stdio, HTTP, or SSE transport:

```bash

mcp-abap-adt                           # stdio (default)

mcp-abap-adt --transport=http          # HTTP mode

mcp-abap-adt --transport=sse           # SSE mode

```

### 2. Embeddable Server (For Integration)

Embed MCP server into existing applications (e.g., SAP CAP/CDS, Express):

```typescript

import {

  EmbeddableMcpServer,

  ReadVsGetDedupStrategy, // optional: hide Read when Get also exposed

} from '@mcp-abap-adt/core/server';

const server = new EmbeddableMcpServer({

  connection,              // Your AbapConnection instance

  logger,                  // Optional logger

  exposition: ['readonly', 'high'],  // Handler groups to expose

  // Optional; default: no dedup — existing consumers see no change.

  readOnlyDedupStrategy: new ReadVsGetDedupStrategy(),

});

await server.connect(transport);

```

See [Handlers Management → EmbeddableMcpServer dedup strategies](docs/user-guide/HANDLERS_MANAGEMENT.md#embeddablemcpserver-dedup-strategies) for opt-in dedup of readonly tools against high/low/compact, including how to plug a custom `IReadOnlyDedupStrategy` for role-based rules.

## Quick Start

1. **Install server**: See [Installation Guide](docs/installation/INSTALLATION.md)

2. **Configure client (auto)**: Use `mcp-conf` from `@mcp-abap-adt/configurator` (repo: [`mcp-abap-adt-conf`](https://github.com/fr0ster/mcp-abap-adt-conf), docs: [CLIENT_INSTALLERS.md](https://github.com/fr0ster/mcp-abap-adt-conf/tree/main/docs/CLIENT_INSTALLERS.md))

3. **Configure client (manual)**: See [Client Configuration](docs/user-guide/CLIENT_CONFIGURATION.md)

4. **Use**:

   - [Read-Only Tools](docs/user-guide/AVAILABLE_TOOLS_READONLY.md)

   - [High-Level Tools](docs/user-guide/AVAILABLE_TOOLS_HIGH.md)

   - [Low-Level Tools](docs/user-guide/AVAILABLE_TOOLS_LOW.md)

   - [Legacy System Tools](docs/user-guide/AVAILABLE_TOOLS_LEGACY.md)

## Use Cases

- **Impact analysis / where-used before changes**: map object usage and probable blast radius.

- **Dependency audit**: inspect links across classes, interfaces, DDIC, CDS/views, and RAP artifacts.

- **Migration and cleanup prep**: extract repository facts to plan refactoring or cloud-readiness work.

- **RAP and ABAP iterative development**: create/update artifacts quickly with ADT-backed operations.

- **Automated documentation and RAG ingestion**: pull structured facts from ABAP systems for downstream tooling.

## Target Users

- ABAP developers and ABAP architects

- RAP developers

- Team leads and tech leads who need fast repository visibility

- Teams building RAG/agent workflows for SAP landscapes

## Capabilities (High-Level Focus)

Key examples of high-value workflows and tools:

- **Repository and impact analysis**: `GetWhereUsed`, `DescribeByList`, `GetObjectStructure`, `GetObjectInfo`, `SearchObject`, `GetPackageTree`, `GetPackageContents`

- **Code and semantic introspection**: `GetAbapAST`, `GetAbapSemanticAnalysis`, `GetIncludesList`, `GetProgFullCode`

- **RAP development**: `CreateBehaviorDefinition`, `UpdateBehaviorDefinition`, `CreateBehaviorImplementation`, `UpdateBehaviorImplementation`, `CreateServiceDefinition`, `UpdateServiceDefinition`, `CreateMetadataExtension`, `UpdateMetadataExtension`

- **CDS/View development**: `CreateView`, `UpdateView`, `GetView`, `DeleteView`

- **ABAP OO CRUD**: `CreateClass`, `UpdateClass`, `GetClass`, `DeleteClass`, `CreateInterface`, `UpdateInterface`, `GetInterface`, `DeleteInterface`

- **Function module/group CRUD**: `CreateFunctionGroup`, `UpdateFunctionGroup`, `GetFunctionGroup`, `DeleteFunctionGroup`, `CreateFunctionModule`, `UpdateFunctionModule`, `GetFunctionModule`, `DeleteFunctionModule`

- **Transport and activation support**: `CreateTransport`, `GetTransport`, `ActivateObject`

## Registries

Published in the official MCP Registry and listed on Glama.ai.

- MCP Registry: [docs/deployment/MCP_REGISTRY.md](docs/deployment/MCP_REGISTRY.md)

- Glama.ai:

  

    

  

## Features

- **🏗️ Domain Management**: `GetDomain`, `CreateDomain`, `UpdateDomain` - Create, retrieve, and update ABAP domains

- **📊 Data Element Management**: `GetDataElement`, `CreateDataElement`, `UpdateDataElement` - Create, retrieve, and update ABAP data elements

- **📦 Table Management**: `GetTable`, `CreateTable`, `GetTableContents` - Create and retrieve ABAP database tables with data preview

- **🏛️ Structure Management**: `GetStructure`, `CreateStructure` - Create and retrieve ABAP structures

- **👁️ View Management**: `GetView`, `CreateView`, `UpdateView` - Create and manage CDS Views and Classic Views

- **🎓 Class Management**: `GetClass`, `CreateClass`, `UpdateClass` - Create, retrieve, and update ABAP classes

- **📝 Program Management**: `GetProgram`, `CreateProgram`, `UpdateProgram` - Create, retrieve, and update ABAP programs

- **🔧 Behavior Definition (BDEF) Management**: `GetBehaviorDefinition`, `CreateBehaviorDefinition`, `UpdateBehaviorDefinition` - Create and manage ABAP Behavior Definitions with support for Managed, Unmanaged, Abstract, and Projection types

- **📋 Metadata Extension (DDLX) Management**: `CreateMetadataExtension`, `UpdateMetadataExtension` - Create and manage ABAP Metadata Extensions

- **⚡ Activation**: `ActivateObject` - Universal activation for any ABAP object

- **🚚 Transport Management**: `CreateTransport`, `GetTransport` - Create and retrieve transport requests

- **🔍 Enhancement Analysis**: `GetEnhancements`, `GetEnhancementImpl`, `GetEnhancementSpot` - Enhancement discovery and analysis

- **📋 Include Management**: `GetIncludesList` - Recursive include discovery

- **🔍 System Tools**: `GetInactiveObjects` - Monitor inactive objects waiting for activation

- **🧪 Runtime Diagnostics**: `RuntimeCreateProfilerTraceParameters`, `RuntimeListProfilerTraceFiles`, `RuntimeGetProfilerTraceData`, `RuntimeGetDumpById` - Profiling and dump analysis with JSON payloads

- **📡 Runtime Feeds**: `RuntimeListFeeds`, `RuntimeListSystemMessages`, `RuntimeGetGatewayErrorLog` - Feed reader (dumps, system messages, gateway errors), SM02 system messages, Gateway error log

- **🚀 SAP BTP Support**: JWT/XSUAA authentication with browser-based token helper

- **🔑 Destination-Based Authentication**: Service key-based authentication with automatic token management (see [Client Configuration](docs/user-guide/CLIENT_CONFIGURATION.md#destination-based-authentication))

- **💾 Freestyle SQL**: `GetSqlQuery` - Execute custom SQL queries via ADT Data Preview API

> ℹ️ **ABAP Cloud limitation**: Direct ADT data preview of database tables is blocked by SAP BTP backend policies. The server returns a descriptive error when attempting such operations. On-premise systems continue to support data preview.

## Documentation

### For Users

- **[Docs Index](docs/README.md)** - Full documentation index

- **[Installation Guide](docs/installation/README.md)** - Installation overview and platform guides

- **[User Guide](docs/user-guide/README.md)** - End-user docs (auth, config, tools)

- **[Authentication & Destinations](docs/user-guide/AUTHENTICATION.md)** - Destination-based auth and service keys

- **[Handlers Management](docs/user-guide/HANDLERS_MANAGEMENT.md)** - Enable/disable handler groups

- **Configurator**: `@mcp-abap-adt/configurator` (repo: [`mcp-abap-adt-conf`](https://github.com/fr0ster/mcp-abap-adt-conf)) provides the `mcp-conf` CLI to auto-configure clients

- **Tools by level**

  - [Read-Only Tools](docs/user-guide/AVAILABLE_TOOLS_READONLY.md)

  - [High-Level Tools](docs/user-guide/AVAILABLE_TOOLS_HIGH.md)

  - [Low-Level Tools](docs/user-guide/AVAILABLE_TOOLS_LOW.md)

  - [Legacy System Tools](docs/user-guide/AVAILABLE_TOOLS_LEGACY.md)

### For Administrators

- **[Deployment Docs](docs/deployment/README.md)** - MCP Registry, Docker, release notes

- **[Server Configuration](docs/configuration/YAML_CONFIG.md)** - YAML config reference

### For Developers

- **[Architecture Documentation](docs/architecture/README.md)** - System architecture and design decisions

- **[Development Documentation](docs/development/README.md)** - Testing guides and development resources

- **[CHANGELOG.md](CHANGELOG.md)** - Version history and changes

## Dependencies

This project uses two npm packages:

- **[@mcp-abap-adt/connection](https://www.npmjs.com/package/@mcp-abap-adt/connection)** – connection/auth/session layer

- **[@mcp-abap-adt/adt-clients](https://www.npmjs.com/package/@mcp-abap-adt/adt-clients)** – Builder-first ADT clients

These packages are automatically installed via `npm install` and are published to npm.

---

## Running the Server

### Global Installation (Recommended)

After installing globally with `npm install -g`, you can run from any directory:

```bash

# Show help

mcp-abap-adt --help

# Default HTTP mode (works without .env file)

mcp-abap-adt

# HTTP mode on custom port

mcp-abap-adt --http-port=8080

# Use stdio mode (for MCP clients, requires .env file or --mcp parameter)

mcp-abap-adt --transport=stdio

# Use stdio mode with auth-broker (--mcp parameter)

mcp-abap-adt --transport=stdio --mcp=TRIAL

# Use env destination from platform sessions store

mcp-abap-adt --env=trial

# Use explicit .env file path

mcp-abap-adt --env-path=/path/to/my.env

# SSE mode (requires .env file or --mcp parameter)

mcp-abap-adt --transport=sse --sse-port=3001

# SSE mode with auth-broker (--mcp parameter)

mcp-abap-adt --transport=sse --mcp=TRIAL

```

### Development Mode

```bash

# Build and run locally

npm run build

npm start

# HTTP mode

npm run start:http

# SSE mode

npm run start:sse

# Legacy v1 server (for backward compatibility)

npm run start:legacy

```

### Environment Configuration

Env resolution:

1. `--env-path=` (or `MCP_ENV_PATH`) for explicit `.env` file.

   - Absolute path: used as-is.

   - Relative path or file name only (e.g. `my.env`): resolved from current working directory.

2. `--env=` for destination file in standard sessions store:

   - Unix: `~/.config/mcp-abap-adt/sessions/.env`

   - Windows: `%USERPROFILE%\\Documents\\mcp-abap-adt\\sessions\\.env`

3. Fallback to `.env` in current working directory.

**Example .env file:**

```bash

SAP_URL=https://your-sap-system.com

SAP_CLIENT=100

SAP_AUTH_TYPE=basic

SAP_USERNAME=your-username

SAP_PASSWORD=your-password

```

For JWT authentication (SAP BTP):

```bash

SAP_URL=https://your-btp-system.com

SAP_CLIENT=100

SAP_AUTH_TYPE=jwt

SAP_JWT_TOKEN=your-jwt-token

```

For RFC connection:

```bash

SAP_URL=https://your-legacy-system.com

SAP_CLIENT=100

SAP_AUTH_TYPE=basic

SAP_USERNAME=your-username

SAP_PASSWORD=your-password

SAP_CONNECTION_TYPE=rfc

```

See [RFC Setup Guide](docs/installation/RFC_SETUP.md) for prerequisites (SAP NW RFC SDK).

For client certificate (mTLS) authentication — on-prem HTTP only:

```bash

SAP_URL=https://your-sap-system.com

SAP_AUTH_TYPE=certificate

# PEM format (provide both files):

SAP_CERT_PATH=/path/to/client.crt

SAP_CERT_KEY_PATH=/path/to/client.key

# Or PKCS#12 format (alternative to PEM):

# SAP_CERT_PFX_PATH=/path/to/client.pfx

# SAP_CERT_PASSPHRASE=your-passphrase

```

For Kerberos (SPNEGO) authentication — on-prem HTTP only:

```bash

SAP_URL=https://your-sap-system.com

SAP_AUTH_TYPE=kerberos

# Optional: explicit SPN (default: HTTP@)

# SAP_KERBEROS_SPN=HTTP@mysaphost.corp.example

# Optional: service class used to derive the SPN when SAP_KERBEROS_SPN is unset (default: HTTP)

# SAP_KERBEROS_SERVICE=HTTP

```

**Certificate auth notes:**

- Identifies the client via mTLS — no `SAP_USERNAME` / `SAP_PASSWORD` required.

- Provide either PEM files (`SAP_CERT_PATH` + `SAP_CERT_KEY_PATH`) or a PKCS#12 file (`SAP_CERT_PFX_PATH`), not both.

- On-prem HTTP connections only (`SAP_CONNECTION_TYPE=rfc` is not supported).

**Kerberos auth notes:**

- Requires a valid Kerberos ticket on the host before starting the server. Obtain one with `kinit` or a keytab.

- The optional [`kerberos`](https://www.npmjs.com/package/kerberos) npm package must be installed (needs GSSAPI dev libs on Linux / build tools on Windows): `npm i kerberos`.

- No `SAP_USERNAME` / `SAP_PASSWORD` required — identity comes from the TGT.

- Both auth types bypass the auth-broker; use `.env` directly.

- **NTLM is hard-rejected:** if the SAP system offers NTLM instead of Kerberos/SPNEGO, the connection fails with a clear error rather than silently downgrading. Ensure the system accepts Kerberos (SPNEGO) for your user.

> **⚠️ Help wanted — not yet validated on a live system.** Certificate and Kerberos auth pass full unit coverage but have not been tested against a real SAP system. If you have on-prem **client-certificate** or **Kerberos/SPNEGO** SSO, please try it and [open an issue](https://github.com/fr0ster/mcp-abap-adt/issues) with results — especially whether Kerberos succeeds with a single-leg Negotiate token or your system needs mutual-auth continuation.

**Generate .env from Service Key (JWT):**

```bash

# Install the connection package globally (one-time setup)

npm install -g @mcp-abap-adt/connection

# Generate .env file from service key JSON

mcp-auth auth -k path/to/service-key.json

```

This will automatically create/update `.env` file with JWT tokens and connection details.

**.env comments rule:** only full-line comments are supported (lines that start with `#`).  

Inline comments are not parsed, so keep comments on separate lines.

**Claude recommendation:** place the service key in the service-keys directory and use `--mcp=` (avoid manual JWT tokens).

### Command-Line Options

**Authentication:**

- `--auth-broker` - Force use of auth-broker (service keys), ignore .env file

- `--auth-broker-path=` - Custom path for auth-broker service keys and sessions

- `--browser-auth-port=` - Override OAuth browser callback port (default: 5000 for HTTP, 4000 for SSE, 4001 for stdio)

- `--connection-type=` - SAP connection transport: `http` (default) or `rfc`

- `--unsafe` - Enable file-based session storage (persists tokens to disk). By default, sessions are stored in-memory (secure, lost on restart)

When `--mcp=` is specified, automatic fallback loading of `./.env` is skipped.

**Examples:**

```bash

# Use auth-broker with file-based session storage (persists tokens)

mcp-abap-adt --auth-broker --unsafe

# Use auth-broker with in-memory session storage (default, secure)

mcp-abap-adt --auth-broker

# Custom path for service keys and sessions

mcp-abap-adt --auth-broker --auth-broker-path=~/prj/tmp/ --unsafe

```

See [Client Configuration](docs/user-guide/CLIENT_CONFIGURATION.md) for complete configuration options.

### Handler logging switches

- `AUTH_LOG_LEVEL=error|warn|info|debug` — sets base log level for handler logger; `DEBUG_AUTH_LOG=true` also enables `debug`.

- `HANDLER_LOG_SILENT=true` — fully disables handler logging.

- `DEBUG_CONNECTORS=true` — verbose connection logging in high-level handlers.

- `DEBUG_HANDLERS=true` — enables verbose logs for selected read-only/system handlers.

## Development

### Testing

```bash

npm test

```

#### Test logging switches

- `TEST_LOG_LEVEL=error|warn|info|debug` — controls test logger verbosity (DEBUG_TESTS/DEBUG_ADT_TESTS/DEBUG_CONNECTORS force `debug`).

- `TEST_LOG_FILE=/tmp/adt-tests.log` — writes test logs to a file (best-effort).

- `TEST_LOG_SILENT=true` — disables test logging pipeline (console output muted).

- `TEST_LOG_COLOR=true` — adds colored/prefixed tags to test log lines.

- All `console.*` in tests are routed through the test logger with a `[test]` prefix.

### Building

```bash

npm run build

```

### Developer Tools

```bash

# Generate tool documentation

npm run docs:tools

# See tools/README.md for more developer utilities

```

## Contributors

Thank you to all contributors! See [CONTRIBUTORS.md](CONTRIBUTORS.md) for the complete list.

---

**Acknowledgment**: This project was originally inspired by [mario-andreschak/mcp-abap-adt](https://github.com/mario-andreschak/mcp-abap-adt). We started with the core concept and then evolved it into an independent project with our own architecture and features.