npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@babamba2/abap-mcp-adt-powerup

v4.8.4

Published

SAP ABAP ADT MCP server with full CRUD for on-prem and ABAP Cloud (BTP), plus JWT/XSUAA and service-key destination auth

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

psspss1122psspss1122s2hoon326s2hoon326

Keywords

abapsapadtmcpmodel-context-protocolmcp-serverabap-cloudsap-btpxsuaajwt-authservice-keycrud

Readme

MCP ABAP ADT ( For sc4sap application )

🌐 Language / 언어 / 言語: English · 한국어 · 日本語

npm version License: MIT Node.js MCP Claude Code Plugin

Acknowledgments

This project was originally inspired by mario-andreschak/mcp-abap-adt and fr0ster/mcp-abap-adt. We started with the core concept and evolved it into an independent project with our own architecture and features. Huge thanks to the original authors and all contributors whose work made this possible.

Model Context Protocol (MCP) server for SAP ABAP development — enables AI assistants and code editors to interact with SAP systems via ABAP Developer Toolkit (ADT) APIs.

Read, create, update, and delete ABAP objects directly from Claude Code, Cline, Cursor, Windsurf, or any MCP-compatible client. Supports ABAP Cloud (BTP), On-Premise, and Legacy SAP systems.

Table of Contents

Features

  • 287 MCP Tools for comprehensive SAP ABAP development
  • 30+ ABAP object types supported (Classes, Interfaces, CDS Views, Tables, RAP, and more)
  • Multiple transport protocols: stdio, HTTP (StreamableHTTP), SSE
  • Flexible authentication: JWT/XSUAA (OAuth2), Basic Auth, Service Key
  • Multi-environment: ABAP Cloud (BTP), On-Premise, Legacy (BASIS < 7.50)
  • Runtime diagnostics: Profiling, dump analysis, SQL queries
  • Handler groups: Read-Only, High-Level, Low-Level, Compact, System, Search
  • Embeddable: Use as a standalone server or embed handlers into existing MCP servers
  • Auto-configurator: @mcp-abap-adt/configurator for automated client setup
  • Health endpoint: GET /mcp/health for HTTP/SSE transports
  • Optional data-fetch prevention: opt-in server-side blocklist (SC4SAP_POLICY=on) that blocks row extraction from sensitive tables (PII, credentials, payroll, banking) regardless of caller — see Optional: Data Fetch Prevention

Supported SAP Environments

| Environment | Auth Methods | Notes | |------------|-------------|-------| | ABAP Cloud (BTP) | JWT/XSUAA, Service Key | Full RAP/CDS support | | On-Premise (S/4HANA) | Basic Auth, JWT | Full feature surface — Programs, Classes, CDS, Screens, GUI Statuses | | Legacy (ECC / BASIS < 7.50) | Basic Auth | Classic ABAP only — see matrix below |

Legacy detection (BASIS < 7.50 / pre-S/4HANA) applies when any of:

  • SAP_SYSTEM_TYPE=legacy (explicit opt-in, back-compat)
  • SAP_VERSION=ECC
  • ABAP_RELEASE numeric < 750 (e.g., 740, 731)

Under legacy mode the client routes through AdtClientLegacy, which restricts endpoint probes to those actually present on BASIS 7.4x. Modern DDIC CRUD and RAP/Service endpoints deliberately refuse with a clear "not supported on this SAP system" message instead of a cryptic 404.

Legacy (ECC / BASIS < 7.50) Compatibility Matrix

Verified on ECC 7.40 (SAP_VERSION=ECC, ABAP_RELEASE=740, SAP_SYSTEM_TYPE=onprem).

| Category | Tool | ECC 7.40 | Reason | |---|---|---|---| | Session / Discovery | GetSession, SearchObject, GetObjectInfo, GetObjectStructure | ✅ | Basic ADT present on all releases | | Inactive objects | GetInactiveObjects | ✅ | — | | Package read | GetPackageContents, GetPackageTree | ✅ | ADT repository informationsystem | | Package metadata | GetPackage | ❌ | /sap/bc/adt/packages not present on BASIS < 7.50 — use SE80/SE21 in SAP GUI | | DDIC read | GetTable, GetStructure, GetDataElement, GetDomain | ❌ | /sap/bc/adt/ddic/{tables,structures,dataelements,domains} added in BASIS 7.50 | | DDIC write | CreateTable, CreateStructure, CreateDataElement, CreateDomain (+ Update/Delete) | ❌ | Same endpoint gap — create from SAP GUI (SE11) instead | | CDS view (DDLS) | GetView, CreateView, UpdateView | ✅ | DDL endpoint (/sap/bc/adt/ddic/ddl/sources/) present and activates cleanly from BASIS 7.40 SP05+ | | Classic view (VIEW/DV) | GetView for classic DDIC views | ❌ | Classic view endpoint falls in the same DDIC gap as Tables/Structures — use SE11 in SAP GUI | | ABAP source read | GetProgram, GetClass, GetInterface, GetInclude, GetFunctionGroup, GetFunctionModule | ✅ | /sap/bc/adt/{programs,oo/classes,oo/interfaces,programs/includes,functions/groups} all present | | ABAP source write | Create* / Update* for Program, Class, Interface, Include, FunctionGroup, FunctionModule | ✅ | UpdateFunctionModule defaults transport_request to "local" when omitted (consistent with FunctionGroup/Class) | | AST / Semantic analysis | GetAbapSemanticAnalysis, GetAbapAST | ✅ | Client-side parse, no SAP call | | WhereUsed | GetWhereUsed | ⚠️ | Classic object types only — TABL reports "Unsupported object type for where-used"; class/program targets work | | Enhancements | GetEnhancements, GetEnhancementSpot, GetEnhancementImpl | ❌ | /sap/bc/adt/enhancements discovery endpoints return 404 on BASIS < 7.50 — use SE18/SE19 or CMOD/SMOD in SAP GUI | | Transport | ListTransports, GetTransport, CreateTransport | ✅ | CTS endpoints present | | Runtime | RuntimeListDumps, RuntimeAnalyzeDump, RuntimeGetDumpById | ✅ | /sap/bc/adt/runtime/dumps present | | Screen / GUI Status | GetScreen, GetGuiStatus, GetTextElement (+ Create/Update) | ℹ️ | RFC-dispatched via SAP_RFC_BACKEND (odata default / soap / native / gateway / zrfc); the chosen backend's prerequisites (backend classes, SICF node, SDK) must be in place | | RAP / Behavior | *BehaviorDefinition, *BehaviorImplementation | ❌ | S/4HANA only — RAP does not exist on ECC | | Service binding | *ServiceDefinition, *ServiceBinding | ❌ | S/4HANA / ABAP Cloud only | | Metadata extensions | *MetadataExtension | ❌ | S/4HANA / ABAP Cloud only | | Table contents | GetTableContents, GetSqlQuery | ℹ️ | Works server-side but gated by the per-profile data-extraction policy — see Optional: Data Fetch Prevention |

Legend: ✅ works fully · ⚠️ works with caveats · ❌ refuses with a clear "not supported on this SAP system" error (not a bug — SAP platform limit) · ℹ️ works, but depends on prior setup / policy.

Quick Start

1. Install

npm install -g @mcp-abap-adt/core

2. Configure environment

# Create .env file in your working directory
cat > .env << 'EOF'
SAP_URL=https://your-sap-system.com
SAP_CLIENT=100
SAP_AUTH_TYPE=basic
SAP_USERNAME=your_username
SAP_PASSWORD=your_password
EOF

3. Run

# stdio (for MCP clients like Claude Code, Cline, Cursor)
mcp-abap-adt

# HTTP server
mcp-abap-adt --transport=http --port 3000

# SSE server
mcp-abap-adt --transport=sse --port 3000

Installation

From npm (Recommended)

npm install -g @mcp-abap-adt/core

From source

git clone --recurse-submodules https://github.com/babamba2/abap-mcp-adt-powerup.git
cd abap-mcp-adt-powerup
npm install
npm run build
npm start

Platform-specific guides

Claude Code Plugin

This repository is also distributed as a Claude Code plugin via the marketplace.

Install via marketplace

# Add this marketplace (once)
/plugin marketplace add babamba2/abap-mcp-adt-powerup

# Install the plugin
/plugin install abap-mcp-adt-powerup

After install, configure the SAP connection through environment variables (see Configuration) or use the auto-configurator:

npx @mcp-abap-adt/configurator

Manual plugin directory

If you're editing this repo locally, it already resolves as a plugin from:

~/.claude/plugins/marketplaces/abap-mcp-adt-powerup

Reload Claude Code (/pluginReload) to pick up changes.

Configuration

Environment Variables (.env)

# SAP connection
SAP_URL=https://your-abap-system.com
SAP_CLIENT=100
SAP_LANGUAGE=en

# System type: cloud (default), onprem, or legacy
SAP_SYSTEM_TYPE=cloud

# TLS: set to 0 for self-signed certificates (dev only)
TLS_REJECT_UNAUTHORIZED=0

# Authentication
SAP_AUTH_TYPE=xsuaa          # 'xsuaa' for JWT, 'basic' for username/password
SAP_JWT_TOKEN=your_jwt_token # For JWT auth
# SAP_USERNAME=your_username # For basic auth
# SAP_PASSWORD=your_password # For basic auth

# On-premise context (required for create/update on on-prem)
# SAP_MASTER_SYSTEM=DEV
# SAP_RESPONSIBLE=your_username

# Timeouts (milliseconds)
SAP_TIMEOUT_DEFAULT=45000    # General operations (default: 45s)
SAP_TIMEOUT_CSRF=15000       # CSRF token requests (default: 15s)
SAP_TIMEOUT_LONG=60000       # Long-running operations (default: 60s)

CLI Options

mcp-abap-adt [options]

Options:
  --transport=<type>    Transport protocol: stdio (default), http, sse
  --port <number>       Server port for http/sse (default: 3000)
  --host <address>      Bind address for http/sse (default: localhost)
  --env <destination>   Destination name for multi-system setups
  --env-path <path>     Path to .env file

YAML Configuration

Alternative to CLI arguments. See YAML Config Guide.

Authentication

Basic Auth (On-Premise)

SAP_AUTH_TYPE=basic
SAP_USERNAME=developer
SAP_PASSWORD=secret123

JWT / XSUAA (Cloud / On-Premise)

SAP_AUTH_TYPE=xsuaa
SAP_JWT_TOKEN=eyJhbGciOiJSUzI1NiIs...

Service Key (BTP)

Place your service key JSON file and configure via the configurator (@mcp-abap-adt/configurator).

Header-based Auth (HTTP/SSE transports)

For multi-tenant or proxy setups, pass SAP connection details via HTTP headers (x-sap-*). See Authentication Guide.

Available Tools

The server provides 287 tools organized into handler groups:

Tool Categories

| Category | Count | Description | |----------|-------|-------------| | Read-Only | 52 | Query and retrieve objects without modification | | High-Level | 113 | User-friendly CRUD operations | | Low-Level | 122 | Direct ADT API operations with granular control | | Compact | 22 | Streamlined access to common operations | | System | - | Runtime analysis, profiling, dumps, SQL queries | | Search | - | Object discovery, where-used analysis |

Supported ABAP Object Types

| Object Type | Read | Create | Update | Delete | |------------|:----:|:------:|:------:|:------:| | Classes (CLAS) | O | O | O | O | | Interfaces (INTF) | O | O | O | O | | Programs (PROG) | O | O | O | O | | Includes | O | O | O | O | | Tables (TABL) | O | O | O | O | | Structures | O | O | O | O | | CDS Views (DDLS) | O | O | O | O | | Domains | O | O | O | O | | Data Elements (DTEL) | O | O | O | O | | Function Groups (FUGR) | O | O | O | O | | Function Modules (FUNC) | O | O | O | O | | Packages (DEVC) | O | O | O | O | | Transports | O | O | - | - | | Service Definitions (SRVD) | O | O | O | O | | Service Bindings (SRVB) | O | O | O | O | | Behavior Definitions (BDEF) | O | O | O | O | | Behavior Implementations (BIMP) | O | O | O | O | | Metadata Extensions (DDLX) | O | O | O | O | | Screens (DYNP) | O | O | O | O | | GUI Statuses | O | O | O | O | | Text Elements | O | O | O | O | | Unit Tests | O | O | O | O | | CDS Unit Tests | O | O | O | O | | Enhancements | O | - | - | - |

Runtime & System Tools

  • Runtime Profiling - Profile class and program execution with trace analysis
  • Dump Analysis - List and analyze ABAP runtime dumps
  • SQL Queries - Execute SQL queries via ADT (GetSqlQuery)
  • Table Contents - Read table data (GetTableContents)
  • Object Search - Find objects by name, type, package (SearchObject)
  • Where-Used - Cross-reference analysis (GetWhereUsed)
  • Type Info - Retrieve type information (GetTypeInfo)
  • Inactive Objects - List objects pending activation (GetInactiveObjects)
  • AST / Semantic Analysis - Parse ABAP syntax tree and semantic info

For the complete tool reference, see AVAILABLE_TOOLS.md.

Transport Protocols

stdio (Default)

Standard input/output transport for MCP clients. Used by Claude Code, Cline, Cursor, and other MCP-compatible tools.

mcp-abap-adt
# or explicitly:
mcp-abap-adt --transport=stdio

HTTP (StreamableHTTP)

REST API with JSON streaming responses. Ideal for web clients and multi-user deployments.

mcp-abap-adt --transport=http --port 3000 --host 0.0.0.0

Health check: GET /mcp/health

SSE (Server-Sent Events)

Long-polling transport with session management.

mcp-abap-adt --transport=sse --port 3000

Client Configuration

Claude Code

{
  "mcpServers": {
    "mcp-abap-adt": {
      "command": "npx",
      "args": ["-y", "@mcp-abap-adt/core"],
      "env": {
        "SAP_URL": "https://your-sap-system.com",
        "SAP_CLIENT": "100",
        "SAP_AUTH_TYPE": "basic",
        "SAP_USERNAME": "developer",
        "SAP_PASSWORD": "secret"
      }
    }
  }
}

Cline / Cursor / VS Code

{
  "mcpServers": {
    "mcp-abap-adt": {
      "command": "npx",
      "args": ["-y", "@mcp-abap-adt/core"],
      "env": {
        "SAP_URL": "https://your-sap-system.com",
        "SAP_CLIENT": "100",
        "SAP_AUTH_TYPE": "xsuaa",
        "SAP_JWT_TOKEN": "eyJhbGciOiJSUzI1NiIs..."
      }
    }
  }
}

Auto-Configuration

Use the configurator for automated setup:

npx @mcp-abap-adt/configurator

See Client Configuration Guide for more examples.

Handler Architecture

The server organizes tools into composable handler groups:

handlers/
├── behavior_definition/    # BDEF CRUD
├── behavior_implementation/# BIMP CRUD
├── class/                  # CLAS CRUD
├── compact/                # Shorthand tools
├── common/                 # Shared handlers
├── data_element/           # DTEL CRUD
├── ddlx/                   # Metadata Extension CRUD
├── domain/                 # Domain CRUD
├── enhancement/            # Enhancement read-only
├── function/               # Function-related
├── function_group/         # FUGR CRUD
├── function_module/        # FUNC CRUD
├── gui_status/             # GUI Status CRUD
├── include/                # Include CRUD
├── interface/              # INTF CRUD
├── metadata_extension/     # DDLX CRUD
├── package/                # DEVC CRUD
├── program/                # PROG CRUD
├── screen/                 # Screen/Dynpro CRUD
├── search/                 # Object search & where-used
├── service_binding/        # SRVB CRUD
├── service_definition/     # SRVD CRUD
├── structure/              # Structure CRUD
├── system/                 # Runtime diagnostics
├── table/                  # TABL CRUD
├── text_element/           # Text Element CRUD
├── transport/              # Transport management
├── unit_test/              # Unit test CRUD & run
└── view/                   # CDS View CRUD

Each handler category contains subdirectories:

  • high/ - High-level, user-friendly operations
  • low/ - Low-level, direct ADT API operations
  • readonly/ - Safe read-only queries

Embedding Handlers

For integrating into existing MCP servers (e.g., CAP/CDS applications):

import { HandlerExporter } from '@mcp-abap-adt/core/handlers';

const exporter = new HandlerExporter({
  includeReadOnly: true,
  includeHighLevel: true,
  includeLowLevel: false,
  includeSystem: true,
  includeSearch: true,
});

exporter.registerOnServer(mcpServer, () => connection);

Docker Deployment

Using Docker Compose

# Build and run
npm run docker:build
npm run docker:up

# Or with pre-built package
npm run docker:build:package
npm run docker:up:package

Manual Docker Build

cd docker
docker-compose build
docker-compose up -d

See Docker Deployment Guide for full details.

Development

Prerequisites

  • Node.js >= 20.0.0
  • npm >= 9.0.0
  • TypeScript 5.9+

Setup

git clone --recurse-submodules https://github.com/babamba2/abap-mcp-adt-powerup.git
cd abap-mcp-adt-powerup
npm install
npm run build

Scripts

| Command | Description | |---------|-------------| | npm run build | Lint + compile TypeScript | | npm run build:fast | Compile only (skip lint) | | npm run dev | Build + launch MCP Inspector (stdio) | | npm run dev:http | Build + launch HTTP dev server | | npm run dev:sse | Build + launch SSE dev server | | npm run lint | Run Biome linter with auto-fix | | npm run format | Format code with Biome | | npm start | Run MCP server (stdio) | | npm run start:http | Run MCP server (HTTP) | | npm run start:sse | Run MCP server (SSE) | | npm run docs:tools | Regenerate tool documentation |

Project Structure

mcp-abap-adt/
├── bin/                    # CLI entry points
│   ├── mcp-abap-adt.js    # Main CLI
│   └── mcp-abap-adt-v2.js # V2 server variant
├── src/
│   ├── handlers/           # 30 handler categories (287 tools)
│   ├── lib/
│   │   ├── auth/           # Auth broker, JWT/XSUAA
│   │   ├── config/         # Configuration management
│   │   ├── handlers/       # Handler registry & utilities
│   │   ├── stores/         # Session/token storage
│   │   ├── types/          # TypeScript interfaces
│   │   └── utils.ts        # Core utilities
│   ├── server/
│   │   ├── BaseMcpServer.ts         # MCP server extension
│   │   ├── StdioServer.ts           # stdio transport
│   │   ├── SseServer.ts             # SSE transport
│   │   ├── StreamableHttpServer.ts  # HTTP transport
│   │   └── launcher.ts              # Server startup
│   └── utils/              # Utility modules
├── docker/                 # Docker deployment
├── docs/                   # Documentation
├── tests/                  # Test configuration
├── tools/                  # Dev tools & scripts
└── package.json

Key Dependencies

| Package | Purpose | |---------|---------| | @mcp-abap-adt/adt-clients | ADT REST API clients | | @mcp-abap-adt/connection | SAP connection management | | @mcp-abap-adt/auth-broker | Authentication token management | | @mcp-abap-adt/auth-providers | Auth strategy implementations | | @modelcontextprotocol/sdk | MCP protocol SDK | | fast-xml-parser | XML parsing for ADT responses |

Testing

Integration Tests

Integration tests run against a real SAP system in two modes:

  • Soft mode (default): Calls handlers directly, no MCP subprocess
  • Hard mode: Spawns full MCP server via stdio, calls tools through MCP protocol

Setup

# Create test config from template
npm run test:init

# Edit only the lines marked "# <- CHANGE"
# - environment.env (session .env file)
# - environment.system_type (onprem/cloud/legacy)
# - environment.default_package
# - environment.default_transport

Running Tests

# Unit tests
npm test

# All integration tests (soft mode)
npm run test:integration

# High-level handler tests only
npm run test:high

# Low-level handler tests only
npm run test:low

# Type check test files
npm run test:check

See Testing Guide for full details.

Troubleshooting

self-signed certificate in certificate chain

Your SAP system uses a self-signed TLS certificate. For development only:

TLS_REJECT_UNAUTHORIZED=0

For production, install the SAP CA certificate into the Node.js trust store.

401 Unauthorized / 403 Forbidden

  • Basic Auth: confirm SAP_USERNAME / SAP_PASSWORD and that the user has ADT authorization (S_DEVELOP, S_RFC, S_TCODE).
  • JWT/XSUAA: the token may be expired — refresh via the configurator or service key.
  • Client mismatch: verify SAP_CLIENT matches the logon client.

CSRF token validation failed on Update/Create

The session lost its CSRF token. Most handlers refresh automatically; if it persists:

  • Increase SAP_TIMEOUT_CSRF (default 15s).
  • Confirm cookies are not being stripped by a proxy.

transport required on On-Premise

Create or update on on-prem systems requires a transport request. Set:

SAP_MASTER_SYSTEM=DEV
SAP_RESPONSIBLE=your_username

…and pass transport=<TRKORR> to the handler, or use a local package ($TMP).

Claude Code doesn't see the MCP server

  1. Restart Claude Code after editing config.
  2. Check logs: ~/.claude/logs/ (stderr from the MCP process).
  3. Run mcp-abap-adt directly in a shell — it must start without errors before Claude can connect.

Programs not available on Cloud

Programs (PROG) are on-premise / legacy only. Use Classes or CDS on ABAP Cloud.

FAQ

Q. Does this work with S/4HANA Cloud, public edition? Yes — via ABAP Cloud (BTP) with JWT/XSUAA or a service key. RAP/CDS objects are fully supported; classic objects (Programs, Screens, GUI Statuses) are not available on cloud.

Q. Can I use this without Claude Code? Yes. Any MCP-compatible client works: Cline, Cursor, Windsurf, VS Code MCP extension, or a custom client built with @modelcontextprotocol/sdk.

Q. How do I limit which tools are exposed? Use the HandlerExporter to select handler groups when embedding, or set environment flags to disable groups. See Handler Management.

Q. Is it safe to use against a productive SAP system? The server respects SAP authorization — whatever your user cannot do in SE80/ADT, it cannot do here either. Still, we recommend a dedicated development user and running against non-prod first.

Q. How do I run against multiple SAP systems? Use --env <destination> with per-destination .env files, or the YAML config. For HTTP/SSE deployments, pass x-sap-* headers per request.

Q. Does it support RFC? Yes, for legacy systems where ADT HTTP APIs are unavailable. Set connection_type: rfc in the test config (or equivalent env) — requires the SAP NW RFC SDK installed locally.

Documentation

| Guide | Description | |-------|-------------| | Installation | Platform-specific installation | | Client Configuration | MCP client setup | | Authentication | Auth methods & destinations | | Available Tools | Complete tool reference (287 tools) | | CLI Options | Command-line reference | | YAML Config | YAML configuration guide | | Architecture | System architecture overview | | Stateful Sessions | Lock/update/unlock flow | | Handler Architecture | Tool & handler structure | | Docker Deployment | Container deployment | | Testing Guide | Test setup & execution | | Handler Management | Enable/disable handler groups |

Optional: Data Fetch Prevention

Row-returning tools (GetTableContents, GetSqlQuery) can expose sensitive business data — PII, credentials, payroll, banking, transactional finance. This server ships with an opt-in server-side blocklist that stops such calls before they ever reach SAP, regardless of the caller (Claude, other LLMs, direct JSON-RPC, external scripts).

The feature is disabled by default — nothing is blocked unless you explicitly turn it on.

Enable

export SC4SAP_POLICY=on                    # or: strict | standard | minimal | custom
export SC4SAP_POLICY_PROFILE=strict        # optional, default when SC4SAP_POLICY=on
export SC4SAP_BLOCKLIST_PATH=/path/to/table_exception.md   # optional extra list
export SC4SAP_ALLOW_TABLE=TAB1,TAB2        # session-scoped emergency exemption (logged)

Profiles

| Profile | Blocks | |---------|--------| | strict (default when SC4SAP_POLICY=on) | PII + credentials + HR + transactional finance + audit logs + workflow | | standard | PII + credentials + HR + transactional finance | | minimal | PII + credentials + HR + Tax (business tables allowed) | | custom | User-supplied list only (blocklist-custom.txt) |

Behavior

When a blocked table is accessed, the server responds with isError: true and a categorized reason — no SAP round-trip occurs. Schema/DDIC metadata calls (GetTable, GetStructure, GetView, GetDataElement, GetDomain), existence checks (SearchObject), and aggregate-only GetSqlQuery remain allowed.

Built-in blocklist covers 100+ tables / patterns across Banking (BNKA, KNBK, LFBK, REGUH), Customer/Vendor PII (KNA1, LFA1, BUT000, BUT0ID), Addresses (ADRC, ADR6, ADRP), Authentication (USR02, RFCDES, AGR_1251), HR/Payroll (PA* / HRP* / PCL*), Tax IDs, Protected Business Data (VBAK/BKPF/ACDOCA), Audit logs, and customer Z* PII patterns.

This feature is designed for but not coupled to the sc4sap plugin — any MCP client can benefit from it.

Contributing

We welcome contributions! Please see the development documentation for setup instructions.

Contributors

License

MIT — Copyright (c) 2026 백승현 (Paek Seunghyun) & Oleksii Kyslytsia