A server that gives AI agents real-time knowledge of which SAP objects are released for ABAP Cloud / Clean Core — and what to use instead when they're not.
It plugs directly into the SAP Cloudification Repository (the official source of truth) and exposes the data two ways:
| Access mode | Protocol | Use case |
|---|---|---|
| MCP Server | Model Context Protocol on POST /mcp |
AI agents with native MCP support (Claude Desktop, Claude Code, Cline, Cursor...) |
| REST API | Simple GET endpoints on /api/* returning JSON |
LLM skills, custom integrations, scripts, CI pipelines — anything that can call an HTTP endpoint |
Both modes expose the exact same capabilities (search, details, successors, compliance check, statistics) and share the same business logic — no feature gap between MCP and REST.
When you use an AI agent to write ABAP Cloud code, the agent has no idea which objects are released, deprecated, or forbidden. It will happily generate code using MARA, CL_GUI_ALV_GRID, or BSEG — all of which are not released in ABAP Cloud.
This server solves this. Ask "Is MARA available?" and the agent instantly knows: no — use I_PRODUCT instead.
Add this to your MCP client config:
{
"mcpServers": {
"sap-released-objects": {
"type": "url",
"url": "https://sap-released-objects-server-production.up.railway.app/mcp"
}
}
}Nothing to install, nothing to maintain — you're ready to go.
Call the hosted REST API directly. All endpoints are GET, return JSON, and support CORS.
# Search for purchase order objects
curl "https://sap-released-objects-server-production.up.railway.app/api/search?query=purchase+order"
# Get details for table MARA
curl "https://sap-released-objects-server-production.up.railway.app/api/object?object_type=TABL&object_name=MARA"
# Check Clean Core compliance
curl "https://sap-released-objects-server-production.up.railway.app/api/compliance?object_names=MARA,BSEG,I_PRODUCT"To use as an LLM skill, see SKILL.md — it contains the full API reference formatted for LLM consumption (endpoints, parameters, response examples, interpretation instructions).
Download the executable for your platform:
| Platform | Download |
|---|---|
| Windows | sap-released-objects-win.exe |
| Linux | sap-released-objects-linux |
| macOS | sap-released-objects-macos |
Then add to your MCP client config:
{
"mcpServers": {
"sap-released-objects": {
"type": "stdio",
"command": "/path/to/sap-released-objects-win.exe"
}
}
}Build and run the server as a container with the HTTP transport enabled:
docker build -t sap-released-objects-server .
docker run --rm -p 3001:3001 sap-released-objects-serverTo use a custom port:
docker run --rm -e PORT=8080 -p 8080:8080 sap-released-objects-serverThe container exposes:
- MCP endpoint:
http://localhost:3001/mcp - REST API:
http://localhost:3001/api - Health check:
http://localhost:3001/health
The image runs as non-root user (
node) and includes aHEALTHCHECKinstruction for container orchestrators.
For enterprise deployments requiring authentication, set OIDC environment variables:
docker run --rm -p 3001:3001 \
-e OAUTH_ISSUER=https://login.company.com/oauth \
-e OAUTH_AUDIENCE=https://mcp.internal.company.com \
sap-released-objects-serverMCP clients with OAuth 2.1 support (Claude Desktop, Claude Code) handle the authorization flow automatically.
Same as Railway public, but with OIDC authentication. Set these in the Railway dashboard (Settings > Variables):
| Variable | Value |
|---|---|
TRANSPORT |
http |
OAUTH_ISSUER |
https://login.company.com/realms/prod |
OAUTH_AUDIENCE |
sap-released-objects |
Compatible with any OIDC provider (Keycloak, Entra ID, Auth0, Okta, Google). MCP clients with OAuth 2.1 support handle the authorization flow automatically.
Any Node.js hosting platform that can run npm run build + npm start works out of the box:
| Platform | Setup |
|---|---|
| Render | Connect repo → set TRANSPORT=http in env vars → auto-detects Node.js |
| Heroku | heroku create → heroku config:set TRANSPORT=http → git push heroku main |
| Fly.io | fly launch → set TRANSPORT=http in fly.toml → fly deploy |
| Any buildpack host | Set TRANSPORT=http and NODE_ENV=production → build & start commands from package.json |
The server reads PORT from the environment (most platforms inject it automatically). Add OAUTH_ISSUER + OAUTH_AUDIENCE to enable OAuth 2.1 on any of these platforms.
See Node.js Deployment Guide for platform-specific setup instructions, health checks, resource usage, and OAuth configuration.
Deploy to Cloud Foundry with XSUAA authentication using the MTA descriptor.
Prerequisites: Install the CF CLI, the MBT build tool, and log in:
cf login -a https://api.cf.<region>.hana.ondemand.comBuild and deploy:
mbt build
cf deploy mta_archives/sap-released-objects-server_1.12.5.mtarFor per-landscape overrides (custom host, DCR secret, etc.), copy mta-overrides.mtaext.example:
cp mta-overrides.mtaext.example mta-overrides-dev.mtaext
# Edit the file, then:
cf deploy mta_archives/*.mtar -e mta-overrides-dev.mtaextPost-deploy (recommended):
# Stable signing secret for OAuth dynamic client registration
cf set-env sap-released-objects-mcp DCR_SIGNING_SECRET "$(openssl rand -base64 48)"
cf restage sap-released-objects-mcpThe MTA creates an XSUAA service instance and binds it to the app. Authentication is auto-detected from VCAP_SERVICES — no manual configuration needed.
Authentication is config-driven and auto-detected. The same codebase supports all modes:
| Mode | Trigger | Use case |
|---|---|---|
| Public | No auth env vars set | Railway, local dev, Docker public, any host |
| OIDC / OAuth 2.1 | OAUTH_ISSUER + OAUTH_AUDIENCE set |
Railway, Docker, Render, Heroku, Fly.io... (Keycloak, Entra ID, Auth0) |
| XSUAA | VCAP_SERVICES contains xsuaa binding |
SAP BTP Cloud Foundry |
| API keys | API_KEYS set (alongside any mode) |
Simple key-based access |
When authentication is enabled:
/healthremains public (load balancers, orchestrators)/mcpand/apirequire a validAuthorization: Bearer <token>header- XSUAA mode: OAuth proxy routes (
/authorize,/oauth/callback,/.well-known/*) are mounted automatically - MCP clients with OAuth 2.1 support handle the authorization flow automatically
| Variable | Mode | Description |
|---|---|---|
OAUTH_ISSUER |
OIDC | Authorization Server issuer URL |
OAUTH_AUDIENCE |
OIDC | Resource identifier for token validation |
API_KEYS |
Any | API keys in key:profile format (comma-separated) |
DCR_SIGNING_SECRET |
XSUAA | Stable secret for OAuth DCR + state codec |
OAUTH_DCR_TTL_SECONDS |
XSUAA | DCR client lifetime (0 = never expire) |
CORS_ALLOWED_ORIGINS |
Any | Comma-separated allowed origins |
MCP_RATE_LIMIT |
Any | /mcp requests per minute (default: 600) |
API_RATE_LIMIT |
Any | /api requests per minute (default: 600) |
- Search SAP objects — classes, CDS views, tables, data elements, BDEFs, etc.
- Filter by Clean Core Level (A / B / C / D) — the new model replacing the 3-tier system since August 2025
- Find successors for deprecated or non-released objects
- Clean Core compliance check for a list of objects (with compliance rate)
- Statistics — counts by level, type, and application component
- Smart search — multi-token scoring with relevance ranking (e.g.
"purchase order"findsI_PURCHASEORDER) - Multi-system support — S/4HANA Cloud Public, BTP ABAP Environment, Private Cloud, On-Premise
- Dynamic versioning — PCE versions discovered automatically from the SAP repository
The server fetches JSON files from the official SAP Cloudification Repository at runtime and caches them in memory for 24 hours. No SAP system connection is required — all data comes from SAP's public GitHub repository.
Since August 2025, SAP replaced the 3-tier model with the Clean Core Level Concept:
| Level | Description | Data Source | Upgrade Safety |
|---|---|---|---|
| A | Released APIs (ABAP Cloud) | objectReleaseInfoLatest.json (S/4HANA Cloud Public), objectReleaseInfo_BTPLatest.json (BTP), objectReleaseInfo_PCE*.json (PCE) |
✅ Upgrade-safe |
| B | Classic APIs | objectClassifications_SAP.json |
|
| C | Internal / unclassified objects | Uncatalogued objects | 🟡 Manageable risk |
| D | noAPI (not recommended) | Objects marked noAPI |
🔴 High risk |
The following tools are exposed via the MCP protocol on POST /mcp:
Search for objects with advanced filters. Supports both exact SAP object names (MARA, I_PURCHASEORDER) and natural language queries (purchase order, warehouse task, send email). Results are ranked by relevance using a multi-token scoring algorithm.
| Parameter | Type | Default | Description |
|---|---|---|---|
query |
string | (required) | Search term — exact name or natural language (e.g. I_PRODUCT, purchase order) |
system_type |
enum | public_cloud |
public_cloud, btp, private_cloud, on_premise |
clean_core_level |
enum | A |
Maximum cumulative level: A, B, C, or D |
version |
string | latest |
PCE version (e.g. 2025, 2023_3). Ignored for public_cloud and btp |
object_type |
string | (all) | TADIR filter (e.g. CLAS, DDLS, TABL) |
app_component |
string | (all) | Application component (e.g. MM-PUR, FI-GL) |
state |
enum | (all) | Filter by specific state |
limit |
number | 25 |
Results per page (1–100) |
offset |
number | 0 |
Pagination offset |
Get full details of a specific object including its Clean Core assessment, release state, and successor information.
| Parameter | Type | Default | Description |
|---|---|---|---|
object_type |
string | (required) | TADIR type (e.g. TABL, CLAS, DDLS) |
object_name |
string | (required) | Object name (e.g. MARA, CL_GUI_ALV_GRID) |
system_type |
enum | public_cloud |
public_cloud, btp, private_cloud, on_premise |
Find the successor(s) of a deprecated or non-released object. Essential for ABAP Cloud migration.
| Parameter | Type | Default | Description |
|---|---|---|---|
object_type |
string | (required) | TADIR type of the deprecated object |
object_name |
string | (required) | Name of the deprecated object |
system_type |
enum | public_cloud |
Target system type |
Check Clean Core compliance for a list of objects. Returns individual assessments and an overall compliance rate.
| Parameter | Type | Default | Description |
|---|---|---|---|
object_names |
string | (required) | Comma-separated list of object names |
system_type |
enum | public_cloud |
Target system type |
target_level |
enum | A |
Target Clean Core level |
List all available S/4HANA PCE versions for Private Cloud and On-Premise systems. Versions are discovered dynamically from the SAP repository. No required parameters.
List all available TADIR object types with counts per Clean Core level. No required parameters.
Statistical overview of the repository — total counts, breakdown by level, by object type, and by application component. No required parameters.
The same capabilities are available as simple GET endpoints under /api. All endpoints return JSON and support CORS.
Base URL: https://sap-released-objects-server-production.up.railway.app
| Endpoint | MCP Equivalent | Required Parameters |
|---|---|---|
GET /api |
— | Auto-documentation: lists all endpoints |
GET /api/search |
sap_search_objects |
query |
GET /api/object |
sap_get_object_details |
object_type, object_name |
GET /api/successor |
sap_find_successor |
object_name |
GET /api/compliance |
sap_check_clean_core_compliance |
object_names |
GET /api/types |
sap_list_object_types |
— |
GET /api/statistics |
sap_get_statistics |
— |
GET /api/versions |
sap_list_versions |
— |
GET /health |
— | Health check |
All endpoints accept optional system_type, clean_core_level, and version query parameters (same defaults as MCP tools).
For the full REST API reference (parameters, response formats, examples, LLM instructions), see SKILL.md.
| System Type | Description | Data Source | Levels | Versioned |
|---|---|---|---|---|
public_cloud |
S/4HANA Cloud Public Edition | objectReleaseInfoLatest.json |
A only | No |
btp |
BTP ABAP Environment / Steampunk | objectReleaseInfo_BTPLatest.json |
A only | No |
private_cloud |
S/4HANA Cloud Private Edition | objectReleaseInfo_PCE*.json |
A–D | Yes |
on_premise |
S/4HANA On-Premise | objectReleaseInfo_PCE*.json |
A–D | Yes |
Note:
public_cloudandbtpuse different datasets — BTP ABAP Environment has a smaller, separate catalogue of released APIs. Usebtpwhen developing for SAP BTP ABAP Environment (Steampunk).
You: "Is table MARA available in ABAP Cloud?"
Agent: → calls sap_get_object_details(TABL, MARA, public_cloud)
→ "MARA is deprecated. Successor: I_PRODUCT (CDS view)"
You: "Find released objects related to purchase orders"
Agent: → calls sap_search_objects(query="purchase order")
→ Returns I_PURCHASEORDER, I_PURCHASEORDERITEM, etc. ranked by relevance
You: "Find all released CDS views for the MM-PUR module"
Agent: → calls sap_search_objects(query="I_", object_type="DDLS", app_component="MM-PUR")
→ Returns list of Level A CDS views
You: "My code uses BSEG, MARA, CL_GUI_ALV_GRID. Is it Clean Core?"
Agent: → calls sap_check_clean_core_compliance(object_names="BSEG,MARA,CL_GUI_ALV_GRID")
→ "Compliance rate: 0% — none of these objects are Level A"
You: "What's available for sending emails on BTP?"
Agent: → calls sap_search_objects(query="send email", system_type="btp")
→ Returns relevant BTP ABAP Environment APIs
Build details (esbuild + pkg pipeline)
The project uses esbuild for bundling and @yao-pkg/pkg for packaging into native executables.
Pipeline: TypeScript → tsc → ESM JS → esbuild → single CJS bundle → pkg → native executable
# Bundle first (required before pkg)
npm run bundle
# Build for a specific platform
npm run pkg:win # → bin/sap-released-objects-win.exe
npm run pkg:linux # → bin/sap-released-objects-linux
npm run pkg:macos # → bin/sap-released-objects-macos
# Or all 3 at once
npm run pkg:allThe resulting executable requires no Node.js on the target machine.
Executables are automatically built by GitHub Actions when a version tag is pushed:
npm version patch # or minor / major
git push origin main --tagsGitHub Actions will then build on 3 runners (Ubuntu, Windows, macOS)
See Option 8 — SAP BTP Cloud Foundry in Quick Start for deployment instructions.
The project uses an MTA descriptor (mta.yaml) that:
- Creates and binds an XSUAA service instance from
xs-security.json - Configures HTTP health check on
/health - Sets
TRANSPORT=httpandNODE_ENV=production - Allocates 256 MB memory / 512 MB disk
- Uses the Node.js buildpack with npm build
Authentication is auto-detected from the XSUAA service binding in VCAP_SERVICES. A manifest.yml is also provided for simple cf push deployments without XSUAA.