@linkup-ai/abap-ai 0.1.0

package/dist/security-audit.js

@@ -0,0 +1,136 @@
+"use strict";
+/**
+ * Security Audit Log — registro de operações de segurança.
+ *
+ * Registra todas as operações WRITE, CREATE, DESTRUCTIVE e ADMIN,
+ * incluindo tentativas bloqueadas pela security policy.
+ * Separado do logger de chamadas ADT — este é focado em governança.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditLog = auditLog;
+exports.auditAllowed = auditAllowed;
+exports.auditBlocked = auditBlocked;
+exports.getSessionAudit = getSessionAudit;
+exports.getAuditSummary = getAuditSummary;
+exports.readTodayAudit = readTodayAudit;
+const fs_1 = require("fs");
+const path_1 = require("path");
+// ─── Config ───────────────────────────────────────────────────────
+const AUDIT_DIR = process.env.ABAP_AI_AUDIT_DIR || (0, path_1.join)(process.env.HOME || "~", ".abap-ai", "audit");
+const AUDIT_ENABLED = process.env.ABAP_AI_AUDIT !== "false";
+// ─── Estado da sessão ─────────────────────────────────────────────
+const sessionAuditEntries = [];
+// ─── Funções ──────────────────────────────────────────────────────
+function ensureAuditDir() {
+    if (!(0, fs_1.existsSync)(AUDIT_DIR)) {
+        (0, fs_1.mkdirSync)(AUDIT_DIR, { recursive: true });
+    }
+}
+function auditFileName() {
+    const date = new Date().toISOString().slice(0, 10);
+    return (0, path_1.join)(AUDIT_DIR, `security-${date}.jsonl`);
+}
+/**
+ * Extrai o hostname do SAP_URL para identificar o sistema no audit.
+ */
+function getSystemId() {
+    const url = process.env.SAP_URL || "unknown";
+    try {
+        return new URL(url).hostname;
+    }
+    catch {
+        return url;
+    }
+}
+/**
+ * Registra uma entrada no audit log de segurança.
+ */
+function auditLog(entry) {
+    const fullEntry = {
+        timestamp: new Date().toISOString(),
+        system: getSystemId(),
+        user: process.env.SAP_USER || "unknown",
+        ...entry,
+    };
+    sessionAuditEntries.push(fullEntry);
+    if (!AUDIT_ENABLED)
+        return;
+    try {
+        ensureAuditDir();
+        (0, fs_1.appendFileSync)(auditFileName(), JSON.stringify(fullEntry) + "\n", "utf-8");
+    }
+    catch {
+        // Audit silencioso — não deve quebrar operações
+    }
+}
+/**
+ * Atalho para registrar uma operação permitida.
+ */
+function auditAllowed(tool, riskLevel, environment, params) {
+    auditLog({
+        tool,
+        risk_level: riskLevel,
+        environment,
+        result: "ALLOWED",
+        params,
+    });
+}
+/**
+ * Atalho para registrar uma operação bloqueada.
+ */
+function auditBlocked(tool, riskLevel, environment, reason, params) {
+    auditLog({
+        tool,
+        risk_level: riskLevel,
+        environment,
+        result: "BLOCKED",
+        reason,
+        params,
+    });
+}
+/**
+ * Retorna as entradas de audit da sessão atual.
+ */
+function getSessionAudit() {
+    return [...sessionAuditEntries];
+}
+/**
+ * Retorna resumo do audit da sessão para exibição.
+ */
+function getAuditSummary() {
+    const allowed = sessionAuditEntries.filter((e) => e.result === "ALLOWED").length;
+    const blocked = sessionAuditEntries.filter((e) => e.result === "BLOCKED").length;
+    const byTool = {};
+    for (const entry of sessionAuditEntries) {
+        if (!byTool[entry.tool])
+            byTool[entry.tool] = { allowed: 0, blocked: 0 };
+        if (entry.result === "ALLOWED")
+            byTool[entry.tool].allowed++;
+        else
+            byTool[entry.tool].blocked++;
+    }
+    return {
+        total: sessionAuditEntries.length,
+        allowed,
+        blocked,
+        by_tool: byTool,
+    };
+}
+/**
+ * Lê o audit log do dia atual.
+ */
+function readTodayAudit() {
+    try {
+        const file = auditFileName();
+        if (!(0, fs_1.existsSync)(file))
+            return [];
+        const content = (0, fs_1.readFileSync)(file, "utf-8");
+        return content
+            .split("\n")
+            .filter((line) => line.trim())
+            .map((line) => JSON.parse(line));
+    }
+    catch {
+        return [];
+    }
+}

package/dist/security-policy.js

@@ -0,0 +1,322 @@
+"use strict";
+/**
+ * Security Policy — controle de acesso por camada de ambiente SAP.
+ *
+ * Implementa o princípio: "O LKPABAP.ai NUNCA sobrepõe as restrições de
+ * segurança do SAP. Em PRD, só leitura. Em QAS, leitura + debug.
+ * Em DEV, tudo liberado. abap_release_transport sempre bloqueado."
+ *
+ * A autorização de dados (S_TADIR, S_DEVELOP, etc.) é 100% delegada ao SAP.
+ * Esta camada controla quais CATEGORIAS de operação o MCP server aceita executar.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getToolRisk = getToolRisk;
+exports.loadPolicy = loadPolicy;
+exports.checkToolAccess = checkToolAccess;
+exports.getEffectiveMaxRows = getEffectiveMaxRows;
+exports.checkTransportRequired = checkTransportRequired;
+exports.getPolicy = getPolicy;
+exports.setPolicy = setPolicy;
+exports.getDefaultPolicy = getDefaultPolicy;
+exports.listEnvironmentRoles = listEnvironmentRoles;
+const fs_1 = require("fs");
+const path_1 = require("path");
+/**
+ * Mapa de cada tool para seu nível de risco.
+ * Tools não listadas aqui são consideradas READ (safe by default).
+ */
+const TOOL_RISK = {
+    // READ — sem guard extra (default para tools não listadas)
+    abap_read: "READ",
+    abap_search: "READ",
+    abap_where_used: "READ",
+    abap_check: "READ",
+    abap_object_structure: "READ",
+    abap_data_preview: "READ",
+    abap_sql_console: "READ",
+    abap_element_info: "READ",
+    abap_pretty_printer: "READ",
+    abap_unit_test: "READ",
+    abap_atc_check: "READ",
+    abap_package_contents: "READ",
+    abap_object_versions: "READ",
+    abap_function_group: "READ",
+    abap_message_class: "READ",
+    abap_doc: "READ",
+    abap_code_completion: "READ",
+    abap_navigate: "READ",
+    abap_call_hierarchy: "READ",
+    abap_code_coverage: "READ",
+    abap_transport_contents: "READ",
+    abap_cds_annotations: "READ",
+    abap_cds_dependencies: "READ",
+    abap_annotation_propagation: "READ",
+    abap_enhancement_spot: "READ",
+    abap_lock_object: "READ",
+    abap_auth_object: "READ",
+    abap_number_range: "READ",
+    abap_repository_tree: "READ",
+    abap_discovery: "READ",
+    abap_released_apis: "READ",
+    abap_object_documentation: "READ",
+    abap_system_info: "READ",
+    abap_list_transports: "READ",
+    abap_knowledge: "READ",
+    abap_traces: "READ",
+    abap_breakpoints: "READ",
+    abapgit_repos: "READ",
+    // WRITE — modifica objetos existentes
+    abap_write: "WRITE",
+    abap_activate: "WRITE",
+    abap_refactor_rename: "WRITE",
+    abap_extract_method: "WRITE",
+    abap_quick_fix: "WRITE",
+    abap_publish_binding: "WRITE",
+    abap_deploy_bsp: "WRITE",
+    abap_assign_transport: "WRITE",
+    abapgit_pull: "WRITE",
+    abapgit_stage: "WRITE",
+    // CREATE — cria objetos novos no SAP
+    abap_create: "CREATE",
+    abap_create_transport: "CREATE",
+    abap_create_dcl: "CREATE",
+    abap_create_amdp: "CREATE",
+    abap_scaffold_rap: "CREATE",
+    // WRITE — delete segue a mesma regra de escrita (permitido em DEV, bloqueado em QAS/PRD)
+    abap_delete: "WRITE",
+    // ADMIN — operações administrativas de alto impacto (sempre bloqueado)
+    abap_release_transport: "ADMIN",
+};
+/**
+ * Retorna o nível de risco de uma tool.
+ */
+function getToolRisk(toolName) {
+    return TOOL_RISK[toolName] ?? "READ";
+}
+// ─── Policies padrão por ambiente ─────────────────────────────────
+const POLICY_DEVELOPMENT = {
+    environment_role: "DEVELOPMENT",
+    allowed_levels: ["READ", "WRITE", "CREATE"],
+    always_blocked: ["abap_release_transport"],
+    require_transport: false,
+    max_preview_rows: 0,
+};
+const POLICY_QUALITY = {
+    environment_role: "QUALITY",
+    allowed_levels: ["READ"],
+    always_blocked: [
+        "abap_release_transport",
+        "abap_delete",
+        "abap_scaffold_rap",
+        "abap_create",
+        "abap_create_dcl",
+        "abap_create_amdp",
+        "abap_write",
+        "abap_activate",
+        "abap_refactor_rename",
+        "abap_extract_method",
+        "abap_quick_fix",
+        "abap_publish_binding",
+        "abap_deploy_bsp",
+        "abapgit_pull",
+    ],
+    require_transport: true,
+    max_preview_rows: 100,
+};
+const POLICY_PRODUCTION = {
+    environment_role: "PRODUCTION",
+    allowed_levels: ["READ"],
+    always_blocked: [
+        "abap_release_transport",
+        "abap_delete",
+        "abap_scaffold_rap",
+        "abap_create",
+        "abap_create_dcl",
+        "abap_create_amdp",
+        "abap_create_transport",
+        "abap_write",
+        "abap_activate",
+        "abap_refactor_rename",
+        "abap_extract_method",
+        "abap_quick_fix",
+        "abap_publish_binding",
+        "abap_deploy_bsp",
+        "abapgit_pull",
+        "abapgit_stage",
+        "abap_assign_transport",
+    ],
+    require_transport: true,
+    max_preview_rows: 50,
+};
+const DEFAULT_POLICIES = {
+    DEVELOPMENT: POLICY_DEVELOPMENT,
+    QUALITY: POLICY_QUALITY,
+    PRODUCTION: POLICY_PRODUCTION,
+};
+// ─── Carregamento da policy ───────────────────────────────────────
+/**
+ * Caminho do arquivo de policy central (planos Enterprise/Corporate).
+ * Gestores podem travar a policy criando este arquivo.
+ */
+const CENTRAL_POLICY_PATH = (0, path_1.join)(process.env.HOME || "~", ".abap-ai", "security-policy.json");
+/**
+ * Carrega a policy do ambiente a partir de:
+ *   1. Variável de ambiente ABAP_AI_SECURITY_POLICY (JSON inline)
+ *   2. Arquivo central ~/.abap-ai/security-policy.json (Enterprise/Corporate)
+ *   3. Variável ABAP_AI_ENV_ROLE (DEVELOPMENT | QUALITY | PRODUCTION)
+ *   4. Default: DEVELOPMENT
+ */
+function loadPolicy() {
+    // 1. JSON inline (env var)
+    const policyJson = process.env.ABAP_AI_SECURITY_POLICY;
+    if (policyJson) {
+        try {
+            const parsed = JSON.parse(policyJson);
+            return mergeWithDefault(parsed);
+        }
+        catch {
+            // fallthrough
+        }
+    }
+    // 2. Arquivo central (gestores Enterprise/Corporate)
+    if ((0, fs_1.existsSync)(CENTRAL_POLICY_PATH)) {
+        try {
+            const raw = (0, fs_1.readFileSync)(CENTRAL_POLICY_PATH, "utf-8");
+            const parsed = JSON.parse(raw);
+            return mergeWithDefault(parsed);
+        }
+        catch {
+            // fallthrough
+        }
+    }
+    // 3. Env role simples
+    const envRole = (process.env.ABAP_AI_ENV_ROLE || "").toUpperCase();
+    if (DEFAULT_POLICIES[envRole]) {
+        return deepClone(DEFAULT_POLICIES[envRole]);
+    }
+    // 4. Default: DEVELOPMENT
+    return deepClone(POLICY_DEVELOPMENT);
+}
+/**
+ * Verifica se uma tool pode ser executada sob a policy atual.
+ */
+function checkToolAccess(toolName, policy) {
+    // 1. abap_release_transport — SEMPRE bloqueado, independente de qualquer config
+    if (toolName === "abap_release_transport") {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: abap_release_transport é sempre bloqueado pelo LKPABAP.ai. `
+                + `Liberar transportes é uma operação irreversível que pode propagar mudanças para ambientes produtivos. `
+                + `Execute esta operação manualmente na transação SE09/SE10 do SAP GUI.`,
+        };
+    }
+    // 2. Tool na lista de always_blocked
+    if (policy.always_blocked.includes(toolName)) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: A tool "${toolName}" não é permitida no ambiente ${policy.environment_role}. `
+                + `Esta restrição é definida pela política de segurança do sistema. `
+                + describeEnvironmentRestriction(policy.environment_role),
+        };
+    }
+    // 3. Nível de risco da tool vs níveis permitidos
+    const riskLevel = getToolRisk(toolName);
+    if (!policy.allowed_levels.includes(riskLevel)) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: A tool "${toolName}" requer nível "${riskLevel}", `
+                + `mas o ambiente ${policy.environment_role} só permite: ${policy.allowed_levels.join(", ")}. `
+                + describeEnvironmentRestriction(policy.environment_role),
+        };
+    }
+    return { allowed: true };
+}
+/**
+ * Retorna o limite de rows para preview/sql considerando a policy.
+ * Se a policy define um limite, usa o menor entre o limite da policy e o solicitado.
+ */
+function getEffectiveMaxRows(requestedRows, policy) {
+    if (policy.max_preview_rows <= 0)
+        return requestedRows;
+    return Math.min(requestedRows, policy.max_preview_rows);
+}
+/**
+ * Verifica se transport request é obrigatório e não foi fornecido.
+ */
+function checkTransportRequired(toolName, transportRequest, policy) {
+    const riskLevel = getToolRisk(toolName);
+    if (policy.require_transport
+        && (riskLevel === "WRITE" || riskLevel === "CREATE")
+        && !transportRequest) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: O ambiente ${policy.environment_role} exige transport request para operações de ${riskLevel}. `
+                + `Informe o parâmetro transport_request (ex: "DEVK900123"). `
+                + `Use abap_list_transports ou abap_create_transport para obter um.`,
+        };
+    }
+    return { allowed: true };
+}
+// ─── Singleton ────────────────────────────────────────────────────
+let currentPolicy = null;
+/**
+ * Retorna a policy atual. Carrega do ambiente/arquivo na primeira chamada.
+ */
+function getPolicy() {
+    if (!currentPolicy) {
+        currentPolicy = loadPolicy();
+    }
+    return currentPolicy;
+}
+/**
+ * Força uma policy específica (usado em testes ou override programático).
+ */
+function setPolicy(policy) {
+    currentPolicy = policy;
+}
+/**
+ * Retorna a policy padrão para um environment role.
+ */
+function getDefaultPolicy(role) {
+    return deepClone(DEFAULT_POLICIES[role] || POLICY_DEVELOPMENT);
+}
+/**
+ * Lista os environment roles disponíveis.
+ */
+function listEnvironmentRoles() {
+    return ["DEVELOPMENT", "QUALITY", "PRODUCTION"];
+}
+// ─── Helpers ──────────────────────────────────────────────────────
+function describeEnvironmentRestriction(role) {
+    switch (role) {
+        case "PRODUCTION":
+            return "Em ambientes PRODUTIVOS, o LKPABAP.ai opera somente em modo leitura. "
+                + "Qualquer modificação deve ser feita via transporte a partir do ambiente de desenvolvimento.";
+        case "QUALITY":
+            return "Em ambientes de QUALIDADE (QAS), o LKPABAP.ai opera somente em modo leitura. "
+                + "Modificações devem ser transportadas a partir do ambiente de desenvolvimento.";
+        case "DEVELOPMENT":
+            return ""; // DEV não tem restrição descritiva
+        default:
+            return "";
+    }
+}
+function mergeWithDefault(partial) {
+    const role = partial.environment_role || "DEVELOPMENT";
+    const base = deepClone(DEFAULT_POLICIES[role] || POLICY_DEVELOPMENT);
+    return {
+        environment_role: partial.environment_role ?? base.environment_role,
+        allowed_levels: partial.allowed_levels ?? base.allowed_levels,
+        always_blocked: [
+            ...new Set([
+                ...base.always_blocked,
+                ...(partial.always_blocked ?? []),
+            ]),
+        ],
+        require_transport: partial.require_transport ?? base.require_transport,
+        max_preview_rows: partial.max_preview_rows ?? base.max_preview_rows,
+    };
+}
+function deepClone(obj) {
+    return JSON.parse(JSON.stringify(obj));
+}

package/dist/system-profile.js

@@ -0,0 +1,207 @@
+"use strict";
+/**
+ * System Profile — configuração contextual do sistema SAP alvo.
+ *
+ * Permite ao MCP adaptar comportamento (URLs, CDS syntax, ETag handling, etc.)
+ * com base no tipo e versão do sistema conectado.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getProfile = getProfile;
+exports.setProfile = setProfile;
+exports.getPreset = getPreset;
+exports.listPresets = listPresets;
+exports.resolveODataV4Url = resolveODataV4Url;
+exports.resolveBspUrl = resolveBspUrl;
+// ─── Presets ──────────────────────────────────────────────────────
+const ON_PREMISE_S4_DEFAULTS = {
+    system: {
+        type: "ON_PREMISE_S4",
+        release: "2023",
+        abapPlatform: "STANDARD",
+        sapBasisVersion: "758",
+        systemId: "",
+    },
+    capabilities: {
+        cdsViewEntity: true,
+        cdsProjection: true,
+        rapManaged: true,
+        rapDraftEnabled: true,
+        releasedApiOnly: false,
+        codeCompletion: true,
+        callHierarchy: true,
+        quickFix: true,
+        extractMethod: true,
+        codeCoverage: true,
+        sqlConsole: true,
+        releasedApiCatalog: true,
+        abapGitAvailable: false,
+    },
+    gateway: {
+        topology: "EMBEDDED",
+        odataV4UrlPattern: "/sap/opu/odata4/sap/{binding}/srvd/sap/{binding}/{version}/",
+        publishEndpoint: "/sap/bc/adt/businessservices/odatav4/publishjobs",
+        autoRegistration: false,
+    },
+    client: {
+        role: "DEVELOPMENT",
+        allowLocalPublish: true,
+    },
+    ui5: {
+        bootstrapPath: "/sap/public/bc/ui5_ui5/resources/",
+        bspUrlPattern: "/sap/bc/ui5_ui5/sap/{bsp}?sap-client={client}",
+    },
+    quirks: {
+        etagRequiresManualFix: true,
+        conversionExitFields: ["USTYP", "BSTYP", "PRCTR", "KOSTL"],
+        lockReturns406ForDDLS: true,
+    },
+};
+const BTP_ABAP_ENV_DEFAULTS = {
+    system: {
+        type: "BTP_ABAP_ENV",
+        release: "2023",
+        abapPlatform: "CLOUD",
+        sapBasisVersion: "758",
+        systemId: "",
+    },
+    capabilities: {
+        cdsViewEntity: true,
+        cdsProjection: true,
+        rapManaged: true,
+        rapDraftEnabled: true,
+        releasedApiOnly: true,
+        codeCompletion: true,
+        callHierarchy: true,
+        quickFix: true,
+        extractMethod: true,
+        codeCoverage: true,
+        sqlConsole: true,
+        releasedApiCatalog: true,
+        abapGitAvailable: false,
+    },
+    gateway: {
+        topology: "EMBEDDED",
+        odataV4UrlPattern: "/sap/opu/odata4/sap/{binding}/{version}/",
+        publishEndpoint: "",
+        autoRegistration: true,
+    },
+    client: {
+        role: "DEVELOPMENT",
+        allowLocalPublish: true,
+    },
+    ui5: {
+        bootstrapPath: "/resources/",
+        bspUrlPattern: "",
+    },
+    quirks: {
+        etagRequiresManualFix: false,
+        conversionExitFields: [],
+        lockReturns406ForDDLS: false,
+    },
+};
+const ON_PREMISE_ECC_DEFAULTS = {
+    system: {
+        type: "ON_PREMISE_ECC",
+        release: "750",
+        abapPlatform: "STANDARD",
+        sapBasisVersion: "750",
+        systemId: "",
+    },
+    capabilities: {
+        cdsViewEntity: false, // ECC não tem view entity
+        cdsProjection: false,
+        rapManaged: false,
+        rapDraftEnabled: false,
+        releasedApiOnly: false,
+        codeCompletion: true, // disponível desde BASIS 750
+        callHierarchy: false,
+        quickFix: false,
+        extractMethod: false,
+        codeCoverage: false,
+        sqlConsole: false,
+        releasedApiCatalog: false,
+        abapGitAvailable: false,
+    },
+    gateway: {
+        topology: "HUB",
+        odataV4UrlPattern: "", // ECC geralmente não tem OData V4
+        publishEndpoint: "",
+        autoRegistration: false,
+    },
+    client: {
+        role: "DEVELOPMENT",
+        allowLocalPublish: false,
+    },
+    ui5: {
+        bootstrapPath: "/sap/public/bc/ui5_ui5/resources/",
+        bspUrlPattern: "/sap/bc/ui5_ui5/sap/{bsp}?sap-client={client}",
+    },
+    quirks: {
+        etagRequiresManualFix: false,
+        conversionExitFields: [],
+        lockReturns406ForDDLS: false,
+    },
+};
+const PRESETS = {
+    ON_PREMISE_S4: ON_PREMISE_S4_DEFAULTS,
+    BTP_ABAP_ENV: BTP_ABAP_ENV_DEFAULTS,
+    ON_PREMISE_ECC: ON_PREMISE_ECC_DEFAULTS,
+};
+// ─── Profile singleton ───────────────────────────────────────────
+let currentProfile = null;
+/**
+ * Retorna o profile atual. Se não inicializado, usa o preset
+ * definido em SAP_SYSTEM_TYPE ou detecta automaticamente.
+ */
+function getProfile() {
+    if (!currentProfile) {
+        const preset = process.env.SAP_SYSTEM_TYPE || "ON_PREMISE_S4";
+        currentProfile = deepClone(PRESETS[preset] || ON_PREMISE_S4_DEFAULTS);
+    }
+    return currentProfile;
+}
+/**
+ * Define o profile (usado pelo abap_system_info após auto-detecção).
+ */
+function setProfile(profile) {
+    currentProfile = profile;
+}
+/**
+ * Retorna um preset base pelo nome.
+ */
+function getPreset(name) {
+    const p = PRESETS[name];
+    return p ? deepClone(p) : undefined;
+}
+/**
+ * Lista os presets disponíveis.
+ */
+function listPresets() {
+    return Object.keys(PRESETS);
+}
+/**
+ * Gera a URL real do serviço OData V4 com base no pattern do profile.
+ */
+function resolveODataV4Url(bindingName, version = "0000") {
+    const profile = getProfile();
+    const pattern = profile.gateway.odataV4UrlPattern;
+    if (!pattern)
+        return "";
+    return pattern
+        .replace(/\{binding\}/g, bindingName.toLowerCase())
+        .replace(/\{version\}/g, version);
+}
+/**
+ * Gera a URL da app BSP com base no pattern do profile.
+ */
+function resolveBspUrl(bspName) {
+    const profile = getProfile();
+    const client = process.env.SAP_CLIENT ?? "100";
+    return profile.ui5.bspUrlPattern
+        .replace("{bsp}", bspName.toLowerCase())
+        .replace("{client}", client);
+}
+// ─── Helpers ─────────────────────────────────────────────────────
+function deepClone(obj) {
+    return JSON.parse(JSON.stringify(obj));
+}