<img src="logo.png" alt="mcp-abap-adt logo" width="36" align="absmiddle" /> mcp-abap-adt: Your Gateway to ABAP Development Tools (ADT)


mcp-abap-adt is an MCP server for ABAP ADT in SAP ECC/S/4HANA (on-premise) and SAP BTP ABAP Cloud systems. It gives agents controlled access to real ABAP repositories through ADT, so analysis and changes are grounded in system data instead of assumptions. It is built for AI-assisted pair programming (AIPNV: AI Pairing, Not Vibing), not autopilot vibe coding.

Primary workflows:

• Deep ABAP analysis: where-used, object metadata, repository navigation, object structure, semantic analysis, dependency and impact exploration.
• High-level ABAP development: rapid CRUD and iterative updates for RAP and classic ABAP artifacts (classes, interfaces, function groups/modules, programs, DDIC, CDS/view/service artifacts), validated through ADT flows.

Why teams use it:

• Full CRUD (not read-only): create, read, update, and delete ABAP artifacts
• Works with On-Premise (ECC/S/4HANA), ABAP Cloud (BTP), and Legacy systems (BASIS < 7.50)
• JWT/XSUAA, service key (destination-based), and RFC authorization
• Multiple transports: stdio, HTTP, SSE
• Rich tool surface for ABAP objects, metadata, transports, and search

Authorization & Destinations (Important): A destination is the filename of a service key stored locally. You place service keys in the service-keys directory, and use --mcp=<destination> to select which one to use. This is the primary auth model for on‑prem and BTP systems. See Authentication & Destinations.

You can configure MCP clients either manually (JSON/TOML) or via the configurator CLI (@mcp-abap-adt/configurator, repo: mcp-abap-adt-conf).

Table of Contents

1. Getting Started
2. Architecture
3. Quick Start
4. Use Cases
5. Target Users
6. Capabilities (High-Level Focus)
7. Terminology
8. Authorization & Destinations
9. Registries
10. Features
11. Documentation
12. Dependencies
13. Running the Server

Getting Started

Install the server and configure your client using the configurator:

npm install -g @mcp-abap-adt/core
npm install -g @mcp-abap-adt/configurator

# stdio (destination)
mcp-conf --client cline --name abap --mcp TRIAL

# HTTP (streamable HTTP)
mcp-conf --client copilot --name abap --transport http --url http://localhost:3000/mcp/stream/http --mcp trial

Full configurator usage (separate repo): CLIENT_INSTALLERS.md.

Terminology

Destination: a local service key filename. You store service keys in the standard service-keys directory, and pass the filename (without extension) via --mcp=<destination> to select which system to use.

See docs/user-guide/TERMINOLOGY.md for the full list.

Authorization & Destinations

Destination-based auth is the default. Drop service keys into the standard platform folder and use the filename as your destination:

mcp-abap-adt --transport=stdio --mcp=TRIAL

Standard service key paths:

• Unix (Linux/macOS): ~/.config/mcp-abap-adt/service-keys/<destination>.json
• Windows: %USERPROFILE%\\Documents\\mcp-abap-adt\\service-keys\\<destination>.json

For full details (paths, .env, direct headers), see Authentication & Destinations.

Architecture

The project provides two main usage patterns:

1. Standalone MCP Server (Default)

Run as a standalone MCP server with stdio, HTTP, or SSE transport: ``bash mcp-abap-adt # stdio (default) mcp-abap-adt --transport=http # HTTP mode mcp-abap-adt --transport=sse # SSE mode ``

2. Embeddable Server (For Integration)

Embed MCP server into existing applications (e.g., SAP CAP/CDS, Express): ```typescript import { EmbeddableMcpServer, NoDedupStrategy, // optional: expose both Read<X> and Get<X> } from '@mcp-abap-adt/core/server';

const server = new EmbeddableMcpServer({ connection, // Your AbapConnection instance logger, // Optional logger exposition: ['readonly', 'high'], // Handler groups to expose // Default hides Read<X> when Get<X> is exposed (ReadVsGetDedupStrategy). // Pass NoDedupStrategy to expose both variants instead. // readOnlyDedupStrategy: new NoDedupStrategy(), }); await server.connect(transport); ```

See Handlers Management → EmbeddableMcpServer dedup strategies for how readonly tools are deduped against high/low/compact, how to opt out with NoDedupStrategy, and how to plug a custom IReadOnlyDedupStrategy for role-based rules.

Quick Start

1. Install server: See Installation Guide
2. Configure client (auto): Use mcp-conf from @mcp-abap-adt/configurator (repo: mcp-abap-adt-conf, docs: CLIENT_INSTALLERS.md)
3. Configure client (manual): See Client Configuration
4. Use:

• Read-Only Tools
• High-Level Tools
• Low-Level Tools
• Legacy System Tools

Use Cases

• Impact analysis / where-used before changes: map object usage and probable blast radius.
• Dependency audit: inspect links across classes, interfaces, DDIC, CDS/views, and RAP artifacts.
• Migration and cleanup prep: extract repository facts to plan refactoring or cloud-readiness work.
• RAP and ABAP iterative development: create/update artifacts quickly with ADT-backed operations.
• Automated documentation and RAG ingestion: pull structured facts from ABAP systems for downstream tooling.

Target Users

• ABAP developers and ABAP architects
• RAP developers
• Team leads and tech leads who need fast repository visibility
• Teams building RAG/agent workflows for SAP landscapes

Capabilities (High-Level Focus)

Key examples of high-value workflows and tools:

• Repository and impact analysis: GetWhereUsed, DescribeByList, GetObjectStructure, GetObjectInfo, SearchObject, GetPackageTree, GetPackageContents
• Code and semantic introspection: GetAbapAST, GetAbapSemanticAnalysis, GetIncludesList
• RAP development: CreateBehaviorDefinition, UpdateBehaviorDefinition, CreateBehaviorImplementation, UpdateBehaviorImplementation, CreateServiceDefinition, UpdateServiceDefinition, CreateMetadataExtension, UpdateMetadataExtension
• CDS/View development: CreateView, UpdateView, GetView, DeleteView
• ABAP OO CRUD: CreateClass, UpdateClass, GetClass, DeleteClass, CreateInterface, UpdateInterface, GetInterface, DeleteInterface
• Function module/group CRUD: CreateFunctionGroup, UpdateFunctionGroup, GetFunctionGroup, DeleteFunctionGroup, CreateFunctionModule, UpdateFunctionModule, GetFunctionModule, DeleteFunctionModule
• Transport and activation support: CreateTransport, GetTransport, ActivateObject

Registries

Published in the official MCP Registry and listed on Glama.ai.

• MCP Registry: docs/deployment/MCP_REGISTRY.md
• Glama.ai:

<a href="https://glama.ai/mcp/servers/@fr0ster/mcp-abap-adt"> <img width="380" height="200" src="https://glama.ai/mcp/servers/@fr0ster/mcp-abap-adt/badge" /> </a>

Features

• 🏗️ Domain Management: GetDomain, CreateDomain, UpdateDomain - Create, retrieve, and update ABAP domains
• 📊 Data Element Management: GetDataElement, CreateDataElement, UpdateDataElement - Create, retrieve, and update ABAP data elements
• 📦 Table Management: GetTable, CreateTable, GetTableContents - Create and retrieve ABAP database tables with data preview
• 🏛️ Structure Management: GetStructure, CreateStructure - Create and retrieve ABAP structures
• 👁️ View Management: GetView, CreateView, UpdateView - Create and manage CDS Views and Classic Views
• 🎓 Class Management: GetClass, CreateClass, UpdateClass - Create, retrieve, and update ABAP classes
• 📝 Program Management: GetProgram, CreateProgram, UpdateProgram - Create, retrieve, and update ABAP programs
• 🔧 Behavior Definition (BDEF) Management: GetBehaviorDefinition, CreateBehaviorDefinition, UpdateBehaviorDefinition - Create and manage ABAP Behavior Definitions with support for Managed, Unmanaged, Abstract, and Projection types
• 📋 Metadata Extension (DDLX) Management: CreateMetadataExtension, UpdateMetadataExtension - Create and manage ABAP Metadata Extensions
• ⚡ Activation: ActivateObject - Universal activation for any ABAP object
• 🚚 Transport Management: CreateTransport, GetTransport - Create and retrieve transport requests
• 🔍 Enhancement Analysis: GetEnhancements, GetEnhancementImpl, GetEnhancementSpot - Enhancement discovery and analysis
• 📋 Include Management: GetIncludesList - Recursive include discovery
• 🔍 System Tools: GetInactiveObjects - Monitor inactive objects waiting for activation
• 🧪 Runtime Diagnostics: RuntimeCreateProfilerTraceParameters, RuntimeListProfilerTraceFiles, RuntimeGetProfilerTraceData, RuntimeGetDumpById - Profiling and dump analysis with JSON payloads
• 📡 Runtime Feeds: RuntimeListFeeds, RuntimeListSystemMessages, RuntimeGetGatewayErrorLog - Feed reader (dumps, system messages, gateway errors), SM02 system messages, Gateway error log
• 🚀 SAP BTP Support: JWT/XSUAA authentication with browser-based token helper
• 🔑 Destination-Based Authentication: Service key-based authentication with automatic token management (see Client Configuration)
• 💾 Freestyle SQL: GetSqlQuery - Execute custom SQL queries via ADT Data Preview API

ℹ️ ABAP Cloud limitation: Direct ADT data preview of database tables is blocked by SAP BTP backend policies. The server returns a descriptive error when attempting such operations. On-premise systems continue to support data preview.

Documentation

For Users

• Docs Index - Full documentation index
• Installation Guide - Installation overview and platform guides
• User Guide - End-user docs (auth, config, tools)
• Authentication & Destinations - Destination-based auth and service keys
• Handlers Management - Enable/disable handler groups
• Configurator: @mcp-abap-adt/configurator (repo: mcp-abap-adt-conf) provides the mcp-conf CLI to auto-configure clients
• Tools by level
• Read-Only Tools
• High-Level Tools
• Low-Level Tools
• Legacy System Tools

For Administrators

• Deployment Docs - MCP Registry, Docker, release notes
• Server Configuration - YAML config reference

For Developers

• Architecture Documentation - System architecture and design decisions
• Development Documentation - Testing guides and development resources
• CHANGELOG.md - Version history and changes

Dependencies

This project uses two npm packages:

• @mcp-abap-adt/connection – connection/auth/session layer
• @mcp-abap-adt/adt-clients – Builder-first ADT clients

These packages are automatically installed via npm install and are published to npm.

---

Running the Server

Global Installation (Recommended)

After installing globally with npm install -g, you can run from any directory:

# Show help
mcp-abap-adt --help

# Default stdio mode (for MCP clients; requires .env file or --mcp parameter)
mcp-abap-adt

# stdio mode (explicit; default when --transport is omitted)
mcp-abap-adt --transport=stdio

# HTTP mode on custom port (HTTP requires --transport=http)
mcp-abap-adt --transport=http --port=8080

# Use stdio mode with auth-broker (--mcp parameter)
mcp-abap-adt --transport=stdio --mcp=TRIAL

# Use env destination from platform sessions store
mcp-abap-adt --env=trial

# Use explicit .env file path
mcp-abap-adt --env-path=/path/to/my.env

# SSE mode (requires .env file or --mcp parameter)
mcp-abap-adt --transport=sse --port=3001

# SSE mode with auth-broker (--mcp parameter)
mcp-abap-adt --transport=sse --mcp=TRIAL

Development Mode

# Build and run locally
npm run build
npm start

# HTTP mode
npm run start:http

# SSE mode
npm run start:sse

Environment Configuration

Env resolution:

1. --env-path=<path|file> (or MCP_ENV_PATH) for explicit .env file.

• Absolute path: used as-is.
• Relative path or file name only (e.g. my.env): resolved from current working directory.

1. --env=<destination> for destination file in standard sessions store:

• Unix: ~/.config/mcp-abap-adt/sessions/<destination>.env
• Windows: %USERPROFILE%\\Documents\\mcp-abap-adt\\sessions\\<destination>.env

1. Fallback to .env in current working directory.

Example .env file: ``bash SAP_URL=https://your-sap-system.com SAP_CLIENT=100 SAP_AUTH_TYPE=basic SAP_USERNAME=your-username SAP_PASSWORD=your-password ``

For JWT authentication (SAP BTP): ``bash SAP_URL=https://your-btp-system.com SAP_CLIENT=100 SAP_AUTH_TYPE=jwt SAP_JWT_TOKEN=your-jwt-token ``

For RFC connection: ``bash SAP_URL=https://your-legacy-system.com SAP_CLIENT=100 SAP_AUTH_TYPE=basic SAP_USERNAME=your-username SAP_PASSWORD=your-password SAP_CONNECTION_TYPE=rfc ``

See RFC Setup Guide for prerequisites (SAP NW RFC SDK).

For client certificate (mTLS) authentication — on-prem HTTP only: ```bash SAP_URL=https://your-sap-system.com SAP_AUTH_TYPE=certificate

PEM format (provide both files):

SAP_CERT_PATH=/path/to/client.crt SAP_CERT_KEY_PATH=/path/to/client.key

Or PKCS#12 format (alternative to PEM):

SAP_CERT_PFX_PATH=/path/to/client.pfx

SAP_CERT_PASSPHRASE=your-passphrase

For Kerberos (SPNEGO) authentication — on-prem HTTP only:

SAP_URL=https://your-sap-system.com SAP_AUTH_TYPE=kerberos

Optional: explicit SPN (default: HTTP@<host>)

SAP_KERBEROS_SPN=HTTP@mysaphost.corp.example

Optional: service class used to derive the SPN when SAP_KERBEROS_SPN is unset (default: HTTP)

SAP_KERBEROS_SERVICE=HTTP

**Certificate auth notes:**
- Identifies the client via mTLS — no `SAP_USERNAME` / `SAP_PASSWORD` required.
- Provide either PEM files (`SAP_CERT_PATH` + `SAP_CERT_KEY_PATH`) or a PKCS#12 file (`SAP_CERT_PFX_PATH`), not both.
- On-prem HTTP connections only (`SAP_CONNECTION_TYPE=rfc` is not supported).

**Kerberos auth notes:**
- Requires a valid Kerberos ticket on the host before starting the server. Obtain one with `kinit` or a keytab.
- The optional [`kerberos`](https://www.npmjs.com/package/kerberos) npm package must be installed (needs GSSAPI dev libs on Linux / build tools on Windows): `npm i kerberos`.
- No `SAP_USERNAME` / `SAP_PASSWORD` required — identity comes from the TGT.
- Both auth types bypass the auth-broker; use `.env` directly.
- **NTLM is hard-rejected:** if the SAP system offers NTLM instead of Kerberos/SPNEGO, the connection fails with a clear error rather than silently downgrading. Ensure the system accepts Kerberos (SPNEGO) for your user.

> **⚠️ Help wanted — not yet validated on a live system.** Certificate and Kerberos auth pass full unit coverage but have not been tested against a real SAP system. If you have on-prem **client-certificate** or **Kerberos/SPNEGO** SSO, please try it and [open an issue](https://github.com/fr0ster/mcp-abap-adt/issues) with results — especially whether Kerberos succeeds with a single-leg Negotiate token or your system needs mutual-auth continuation.

**Generate .env from Service Key (JWT):**

Install the connection package globally (one-time setup)

npm install -g @mcp-abap-adt/connection

Generate .env file from service key JSON

mcp-auth auth -k path/to/service-key.json ```

This will automatically create/update .env file with JWT tokens and connection details.

.env comments rule: only full-line comments are supported (lines that start with #). Inline comments are not parsed, so keep comments on separate lines.

Claude recommendation: place the service key in the service-keys directory and use --mcp=<destination> (avoid manual JWT tokens).

Command-Line Options

Authentication:

• --auth-broker - Force use of auth-broker (service keys), ignore .env file
• --auth-broker-path=<path> - Custom path for auth-broker service keys and sessions
• --browser-auth-port=<port> - Override OAuth browser callback port (default: 5000 for HTTP, 4000 for SSE, 4001 for stdio)
• --connection-type=<http|rfc> - SAP connection transport: http (default) or rfc
• --unsafe - Enable file-based session storage (persists tokens to disk). By default, sessions are stored in-memory (secure, lost on restart)

When --mcp=<destination> is specified, automatic fallback loading of ./.env is skipped.

Examples: ```bash

Use auth-broker with file-based session storage (persists tokens)

mcp-abap-adt --auth-broker --unsafe

Use auth-broker with in-memory session storage (default, secure)

mcp-abap-adt --auth-broker

Custom path for service keys and sessions

mcp-abap-adt --auth-broker --auth-broker-path=~/prj/tmp/ --unsafe ```

See Client Configuration for complete configuration options.

Handler logging switches

• AUTH_LOG_LEVEL=error|warn|info|debug — sets base log level for handler logger; DEBUG_AUTH_LOG=true also enables debug.
• HANDLER_LOG_SILENT=true — fully disables handler logging.
• DEBUG_CONNECTORS=true — verbose connection logging in high-level handlers.
• DEBUG_HANDLERS=true — enables verbose logs for selected read-only/system handlers.

Development

Testing

npm test

Test logging switches

• TEST_LOG_LEVEL=error|warn|info|debug — controls test logger verbosity (DEBUG_TESTS/DEBUG_ADT_TESTS/DEBUG_CONNECTORS force debug).
• TEST_LOG_FILE=/tmp/adt-tests.log — writes test logs to a file (best-effort).
• TEST_LOG_SILENT=true — disables test logging pipeline (console output muted).
• TEST_LOG_COLOR=true — adds colored/prefixed tags to test log lines.
• All console.* in tests are routed through the test logger with a [test] prefix.

Building

npm run build

Developer Tools

# Generate tool documentation
npm run docs:tools

# See tools/README.md for more developer utilities

Contributors

Thank you to all contributors! See CONTRIBUTORS.md for the complete list.

---

Acknowledgment: This project was originally inspired by mario-andreschak/mcp-abap-adt. We started with the core concept and then evolved it into an independent project with our own architecture and features.