From sc4sap
Guides installation and configuration of abap-mcp-adt-powerup MCP server for Claude Code connectivity to SAP systems via ADT REST APIs. Enables 150+ tools for ABAP object CRUD, runtime, transport, and data preview.
npx claudepluginhub babamba2/superclaude-for-sap --plugin sc4sapThis skill uses the workspace's default tool permissions.
Guides you through installing and configuring the `abap-mcp-adt-powerup` MCP server, which provides Claude Code with direct connectivity to your SAP system via ABAP Development Tools (ADT) REST APIs. The server exposes 150+ tools covering CRUD for ABAP objects (class, program, CDS, FM, table, etc.) plus runtime, transport, and data-preview operations.
Sets up SuperClaude SAP plugin: migrates legacy profiles to multi-profile, registers SAP connections under ~/.sc4sap/profiles/<alias>/, installs abap-mcp-adt-powerup MCP server, optional tier-gated ABAP handlers and hooks, extracts SPRO customizations.
Guides MCP server integration in Claude Code plugins via .mcp.json or plugin.json configs for stdio, SSE, HTTP types, enabling external services as tools.
Guides development of business apps on SAP BTP using CAP (Node.js/Java) or ABAP Cloud, for Cloud Foundry/Kyma deployments, HANA integration, Fiori UIs, CI/CD pipelines, and observability.
Share bugs, ideas, or general feedback.
Guides you through installing and configuring the abap-mcp-adt-powerup MCP server, which provides Claude Code with direct connectivity to your SAP system via ABAP Development Tools (ADT) REST APIs. The server exposes 150+ tools covering CRUD for ABAP objects (class, program, CDS, FM, table, etc.) plus runtime, transport, and data-preview operations.
<Response_Prefix>
Every response triggered by this skill MUST begin with [Model: <main-model> · Dispatched: <sub-summary>] per ../../common/model-routing-rule.md § Response Prefix Convention.
</Response_Prefix>
<Installation_Steps>
Automatic installation (recommended)
The MCP server is automatically installed into the plugin's vendor/abap-mcp-adt/ directory during setup:
/sc4sap:setup # full setup wizard (includes MCP install)
/sc4sap:setup mcp # MCP install only
Or via npm:
npm run build # runs tsc + installs abap-mcp-adt into vendor/
This clones the repo, runs npm install, and builds it. The plugin's .mcp.json is pre-configured to launch bridge/mcp-server.cjs, which delegates to the vendor-installed server.
Configure SAP connection
Create .sc4sap/sap.env in the plugin directory with your SAP credentials:
SAP_URL=https://your-sap-host:44300
SAP_CLIENT=100
SAP_AUTH_TYPE=basic
SAP_USERNAME=your-user
SAP_PASSWORD=your-password
SAP_LANGUAGE=EN
SAP_SYSTEM_TYPE=onprem
TLS_REJECT_UNAUTHORIZED=0
# --- Blocklist policy (optional) ---
# Controls the row-extraction guard in mcp-abap-adt. Defaults to `standard`.
# minimal — block only PII/credentials/banking
# standard — minimal + Protected Business Data (ACDOCA, BKPF, VBAK, EKKO, ...) [default]
# strict — standard + Audit/Security + Communication/Workflow
# off — disable the guard entirely (NOT recommended)
# MCP_BLOCKLIST_PROFILE=standard
# MCP_BLOCKLIST_EXTEND=ZHR_SALARY,ZCUSTOMER_PII
# MCP_ALLOW_TABLE=ACDOCA
SAP_URL: SAP system URL with HTTPS and ICM port (typically 44300 for HTTPS)SAP_CLIENT: SAP client number (3 digits, e.g., "100")SAP_AUTH_TYPE: basic for username/password, xsuaa for JWT (OAuth2)SAP_USERNAME / SAP_PASSWORD: SAP credentials with developer accessSAP_LANGUAGE: Logon language (EN, DE, etc.)SAP_SYSTEM_TYPE: onprem for on-premise S/4HANA, cloud for BTPTLS_REJECT_UNAUTHORIZED: Set to 0 for self-signed certificates (dev only)MCP_BLOCKLIST_PROFILE (optional): minimal | standard | strict | off — risk tier for row-extraction guard. Leave unset for the safe default (standard).MCP_BLOCKLIST_EXTEND (optional): comma-separated extra names/patterns (always denied). Use for site-specific Z-tables containing sensitive data.MCP_ALLOW_TABLE (optional): comma-separated whitelist for an audited one-off bypass. Logged to stderr. Remove when not actively needed.The bridge reads this file automatically on startup. Environment variables take precedence over file values.
Verify the connection
After restarting Claude Code (or reconnecting MCP via /mcp), run:
/sc4sap:sap-doctor
Or manually test by calling GetSession — it should return your SAP system ID, client, and username.
Update the MCP server To update to the latest version:
node scripts/build-mcp-server.mjs --update
</Installation_Steps>
- **401 Unauthorized**: Check `SAP_USERNAME` / `SAP_PASSWORD` in `.sc4sap/sap.env`; confirm the user is not locked (SU01). - **Connection refused**: Verify `SAP_URL` host and ICM HTTPS port; check VPN if required. - **ADT service not found**: Activate `/sap/bc/adt` in transaction SICF and ensure ICF is running. - **SSL certificate errors**: Add the SAP system certificate to Node.js trust store (recommended), or temporarily set `TLS_REJECT_UNAUTHORIZED=0` in `sap.env` (dev only — never in prod). - **No tools visible in Claude Code**: Reconnect the MCP server via `/mcp` after editing `sap.env`. `sap.env` changes are NOT hot-reloaded. Check MCP server stderr logs under `%LOCALAPPDATA%\claude-cli-nodejs\Cache\\mcp-logs-plugin-sc4sap-sap\`. - **Blocklist refusal on a legitimate table**: Run `/sc4sap:sap-option` to adjust `MCP_BLOCKLIST_PROFILE` or add the table to `MCP_ALLOW_TABLE` (audited bypass). - **`vendor/abap-mcp-adt` not built**: Re-run `node scripts/build-mcp-server.mjs` (or `--update` to refresh).<Security_Notes>
.sc4sap/sap.env (the dotenv file with SAP credentials) to version control. It is git-ignored by default.sap.env values in CI/CD, so secrets never touch disk.TLS_REJECT_UNAUTHORIZED=0 is dev-only — never set in production. Install the SAP system certificate into Node.js trust store instead.SAP_URL. No outbound calls to third parties.MCP_BLOCKLIST_PROFILE, MCP_BLOCKLIST_EXTEND, MCP_ALLOW_TABLE). See common/data-extraction-policy.md.
</Security_Notes><Health_Check>
When ARGUMENTS is check / verify / status (case-insensitive), run the vendor pin health check inline and report — do not print the full installation guide.
Execution:
CLAUDE_PLUGIN_ROOT env; fallback to cache path ~/.claude/plugins/cache/sc4sap/sc4sap/<version>/).node "<plugin>/scripts/build-mcp-server.mjs" --check| Exit | Meaning | User message (follow conversation language) |
|---|---|---|
0 + pinned to <SHA> ✓ on stdout | OK — vendor matches expected pin | ✅ abap-mcp-adt vendor verified · pinned to <SHA> (truncate to first 12 chars) |
0 + pin cannot be verified on stderr | WARN — launcher OK, .git stripped (packaged cache install) | ⚠️ Vendor launcher present, but pin cannot be verified (packaged cache lacks .git). Expected pin: <SHA>. To force a verifiable reinstall: node scripts/build-mcp-server.mjs --update. |
| 1 | FAIL — vendor missing | ❌ abap-mcp-adt not installed. Run: node scripts/build-mcp-server.mjs (or /sc4sap:setup mcp). |
| 2 | FAIL — pin drift | ❌ abap-mcp-adt vendor drift detected (current HEAD ≠ pinned SHA). Run: node scripts/build-mcp-server.mjs --update. |
Output format (single block):
MCP Vendor Health Check
=======================
Status: <OK|WARN|FAIL>
Pin: <expected SHA>
Current: <current HEAD or "unverified" or "not installed">
Action: <user message from table above>
STOP after printing — do not fall through to the full installation guide. </Health_Check>
Task: {{ARGUMENTS}}