arc-1

ARC-1 — SAP ADT MCP Server

ARC-1 (pronounced arc one [ɑːrk wʌn]) — Enterprise-ready MCP server for SAP ABAP systems. Secure by default, deployable to BTP or on-premise, and hardened with large unit/integration/E2E test coverage.

ARC-1 connects AI assistants (Claude, GitHub Copilot, Copilot Studio, and any MCP client) to SAP systems via the ADT REST API. It ships as an npm package and Docker image.

Full Documentation | Quickstart | Tool Reference

Why ARC-1?

Built for organizations that need AI-assisted SAP development with guardrails. Inspired by the pioneering work of abap-adt-api, mcp-abap-adt, and vibing-steampunk — ARC-1 adds what's needed to run in production:

Security & Admin Controls

• Safe by default — read-only, no free SQL, no table preview, no transport writes, no Git writes. Enable each capability with explicit SAP_ALLOW_* flags
• Action deny list — block specific tool actions with SAP_DENY_ACTIONS (for example SAPWrite.delete), without exposing low-level operation codes to admins
• Package restrictions — limit AI write operations (create, update, delete) to specific packages with wildcards (--allowed-packages "Z*,$TMP"). Read operations are not restricted by package — use SAP's native authorization for read-level access control
• Data access control — enable table data preview (--allow-data-preview=true) or free-form SQL (--allow-free-sql=true) only when needed
• Transport safety — transport reads are available for review, while transport mutations require both --allow-writes and --allow-transport-writes. Update/delete operations auto-use the lock correction number when no explicit transport is provided
• Git workflow safety — Git operations are disabled by default. Enable explicitly with --allow-git-writes / SAP_ALLOW_GIT_WRITES=true
• API-key profiles — multi-key HTTP deployments can assign viewer, viewer-data, viewer-sql, developer, developer-data, developer-sql, or admin per key
• Writes restricted to $TMP when enabled — only local/throwaway objects; writing to transportable packages requires explicit --allowed-packages

Authentication

• API key — simple Bearer token for internal deployments
• OIDC / JWT — Entra ID, Keycloak, or any OpenID Connect provider
• OAuth 2.0 — browser-based login for BTP ABAP Environment
• XSUAA — SAP BTP native auth with automatic token proxy for MCP clients
• Principal Propagation — per-user identity forwarded through Cloud Connector (every SAP action runs as the actual user, not a technical account)

BTP Cloud Foundry Deployment

Deploy ARC-1 as a Cloud Foundry app on SAP BTP with full platform integration:

• Destination Service — connect to SAP systems via managed destinations
• Cloud Connector — reach on-premise systems through the connectivity proxy
• Principal Propagation — user identity forwarded end-to-end via X.509 certificates
• XSUAA OAuth proxy — MCP clients authenticate via standard OAuth, ARC-1 handles the BTP token exchange
• Audit logging — structured events to stderr, file, or BTP Audit Log Service

Token Efficiency

• 12 intent-based tools (~5K schema tokens) instead of 200+ individual tools — keeps the LLM's context window small
• Method-level read/edit — read or update a single class method, not the whole source (up to 20x fewer tokens)
• Context compression — SAPContext returns public API contracts of all dependencies in one call (7-30x compression)

Built-in Object Caching

• Automatic source caching — every SAP object read is cached in memory (stdio) or SQLite (http-streamable). Repeated reads return instantly without calling SAP.
• Dependency graph caching — SAPContext dep resolution keyed by source hash; unchanged objects skip all ADT calls on subsequent runs.
• Pre-warmer — start with ARC1_CACHE_WARMUP=true to pre-index all custom objects at startup, enabling reverse dependency lookup (SAPContext(action="usages")) and fast CDS impact workflows (SAPContext(action="impact", type="DDLS")).
• Write invalidation — when SAPWrite modifies an object, its cache entry is automatically dropped; next read fetches fresh source.

See docs/caching.md for full documentation.

Testing