@linkup-ai/abap-ai 0.1.1 → 0.2.0

package/dist/cli/install-agent.js

@@ -0,0 +1,290 @@
+"use strict";
+/**
+ * Instalação do ABAP Security Agent no sistema SAP.
+ *
+ * Cria os objetos ABAP (tabelas, classes) via ADT REST API.
+ * Executado após o init, quando o sistema é Enterprise/Corporate.
+ *
+ * Fluxo:
+ * 1. Verifica se os objetos já existem (SELECT COUNT(*) em ZLKP_AI_CONFIG)
+ * 2. Se não existem, oferece instalar
+ * 3. Cria tabelas, exception, guard class
+ * 4. Carrega policy padrão para o environment role
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkAgentInstalled = checkAgentInstalled;
+exports.installAgent = installAgent;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const https = __importStar(require("https"));
+const http = __importStar(require("http"));
+/**
+ * Verifica se o Security Agent já está instalado.
+ * Tenta ler a tabela ZLKP_AI_CONFIG via SQL Console.
+ */
+async function checkAgentInstalled(opts) {
+    try {
+        const result = await adtRequest(opts, "POST", "/datapreview/freestyle", "SELECT COUNT(*) AS CNT FROM ZLKP_AI_CONFIG", { rowNumber: "1" }, "application/vnd.sap.adt.datapreview.table.v1+xml");
+        return result.status >= 200 && result.status < 300;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Instala o Security Agent criando os objetos ABAP via ADT.
+ *
+ * Ordem:
+ * 1. ZCX_LKP_AI_DENIED (exception class — sem dependências)
+ * 2. ZLKP_AI_CONFIG (tabela config)
+ * 3. ZLKP_AI_AUDIT (tabela audit)
+ * 4. ZCL_LKP_AI_GUARD (classe — depende das tabelas + exception)
+ *
+ * Os fontes ABAP estão em src/abap/security-agent/*.
+ */
+async function installAgent(opts) {
+    const created = [];
+    const errors = [];
+    // Obter CSRF token
+    const csrf = await fetchCsrf(opts);
+    if (!csrf) {
+        return { success: false, message: "Falha ao obter CSRF token do SAP.", objects: [] };
+    }
+    // 1. Criar exception class ZCX_LKP_AI_DENIED
+    const exSource = readAbapSource("zcx_lkp_ai_denied.clas.abap");
+    const exResult = await createObject(opts, csrf, "CLAS/OC", "ZCX_LKP_AI_DENIED", "LKPABAP.ia: Exception - tool denied", opts.transportRequest);
+    if (exResult.ok) {
+        await writeSource(opts, csrf, "/oo/classes/ZCX_LKP_AI_DENIED/source/main", exSource);
+        await activateObject(opts, csrf, "CLAS/OC", "ZCX_LKP_AI_DENIED");
+        created.push("ZCX_LKP_AI_DENIED");
+    }
+    else if (exResult.exists) {
+        created.push("ZCX_LKP_AI_DENIED (já existe)");
+    }
+    else {
+        errors.push(`ZCX_LKP_AI_DENIED: ${exResult.error}`);
+    }
+    // 2. Criar tabela ZLKP_AI_CONFIG
+    // Nota: tabelas transparentes precisam ser criadas via DDIC, não via ADT create+write.
+    // O ADT create para TABL/DT cria a estrutura, e o write define os campos.
+    const cfgResult = await createObject(opts, csrf, "TABL/DT", "ZLKP_AI_CONFIG", "LKPABAP.ia: Configuração por ambiente", opts.transportRequest);
+    if (cfgResult.ok) {
+        const cfgSource = readAbapSource("zlkp_ai_config.tabl.asdic");
+        await writeSource(opts, csrf, "/ddic/tables/ZLKP_AI_CONFIG/source/main", cfgSource);
+        await activateObject(opts, csrf, "TABL/DT", "ZLKP_AI_CONFIG");
+        created.push("ZLKP_AI_CONFIG");
+    }
+    else if (cfgResult.exists) {
+        created.push("ZLKP_AI_CONFIG (já existe)");
+    }
+    else {
+        errors.push(`ZLKP_AI_CONFIG: ${cfgResult.error}`);
+    }
+    // 3. Criar tabela ZLKP_AI_AUDIT
+    const audResult = await createObject(opts, csrf, "TABL/DT", "ZLKP_AI_AUDIT", "LKPABAP.ia: Audit Log de Operações", opts.transportRequest);
+    if (audResult.ok) {
+        const audSource = readAbapSource("zlkp_ai_audit.tabl.asdic");
+        await writeSource(opts, csrf, "/ddic/tables/ZLKP_AI_AUDIT/source/main", audSource);
+        await activateObject(opts, csrf, "TABL/DT", "ZLKP_AI_AUDIT");
+        created.push("ZLKP_AI_AUDIT");
+    }
+    else if (audResult.exists) {
+        created.push("ZLKP_AI_AUDIT (já existe)");
+    }
+    else {
+        errors.push(`ZLKP_AI_AUDIT: ${audResult.error}`);
+    }
+    // 4. Criar guard class ZCL_LKP_AI_GUARD
+    const guardSource = readAbapSource("zcl_lkp_ai_guard.clas.abap");
+    const guardResult = await createObject(opts, csrf, "CLAS/OC", "ZCL_LKP_AI_GUARD", "LKPABAP.ia: Security Guard", opts.transportRequest);
+    if (guardResult.ok) {
+        await writeSource(opts, csrf, "/oo/classes/ZCL_LKP_AI_GUARD/source/main", guardSource);
+        await activateObject(opts, csrf, "CLAS/OC", "ZCL_LKP_AI_GUARD");
+        created.push("ZCL_LKP_AI_GUARD");
+    }
+    else if (guardResult.exists) {
+        created.push("ZCL_LKP_AI_GUARD (já existe)");
+    }
+    else {
+        errors.push(`ZCL_LKP_AI_GUARD: ${guardResult.error}`);
+    }
+    if (errors.length > 0) {
+        return {
+            success: false,
+            message: `Instalação parcial. Erros:\n${errors.map((e) => `  - ${e}`).join("\n")}`,
+            objects: created,
+        };
+    }
+    return {
+        success: true,
+        message: `Security Agent instalado com sucesso. ${created.length} objetos criados/verificados.`,
+        objects: created,
+    };
+}
+// ─── ADT helpers (standalone, sem depender de adt-client.ts) ─────
+function readAbapSource(filename) {
+    // Fontes estão em src/abap/security-agent/ (dev) ou dist/abap/security-agent/ (runtime)
+    const candidates = [
+        path.resolve(__dirname, "..", "abap", "security-agent", filename), // dist/cli/../abap/ = dist/abap/
+        path.resolve(__dirname, "abap", "security-agent", filename), // fallback
+        path.resolve(__dirname, "..", "..", "src", "abap", "security-agent", filename), // dev mode
+    ];
+    for (const p of candidates) {
+        try {
+            return fs.readFileSync(p, "utf-8");
+        }
+        catch { /* try next */ }
+    }
+    throw new Error(`Fonte ABAP não encontrado: ${filename}`);
+}
+function getAuth(opts) {
+    return "Basic " + Buffer.from(`${opts.user}:${opts.pass}`).toString("base64");
+}
+/** Session cookies capturados no fetchCsrf — necessários em todas as chamadas subsequentes */
+let sessionCookies = "";
+async function fetchCsrf(opts) {
+    try {
+        const result = await adtRequest(opts, "GET", "/discovery", "", {}, "application/atomsvc+xml", { "X-CSRF-Token": "Fetch" });
+        // Capturar cookies da sessão (sap-contextid, SAP_SESSIONID)
+        const raw = result.headers["set-cookie"];
+        if (raw) {
+            const cookies = Array.isArray(raw) ? raw : [raw];
+            sessionCookies = cookies.map((c) => c.split(";")[0]).join("; ");
+        }
+        return result.headers["x-csrf-token"] || null;
+    }
+    catch {
+        return null;
+    }
+}
+async function createObject(opts, csrf, objType, objName, description, transport) {
+    const TYPE_TO_PATH = {
+        "CLAS/OC": "oo/classes",
+        "TABL/DT": "ddic/tables",
+    };
+    const adtPath = TYPE_TO_PATH[objType];
+    if (!adtPath)
+        return { ok: false, exists: false, error: `Tipo ${objType} não suportado` };
+    const CONTENT_TYPES = {
+        "CLAS/OC": "application/vnd.sap.adt.oo.classes.v2+xml",
+        "TABL/DT": "application/vnd.sap.adt.tables.v2+xml",
+    };
+    const NS = {
+        "CLAS/OC": `<class:abapClass xmlns:class="http://www.sap.com/adt/oo/classes" xmlns:adtcore="http://www.sap.com/adt/core" adtcore:description="${description}" adtcore:language="${opts.language}" adtcore:name="${objName}" adtcore:responsible="${opts.user}"><adtcore:packageRef adtcore:name="$TMP"/></class:abapClass>`,
+        "TABL/DT": `<blue:blueSource xmlns:blue="http://www.sap.com/wbobj/blue" xmlns:adtcore="http://www.sap.com/adt/core" adtcore:description="${description}" adtcore:language="${opts.language}" adtcore:name="${objName}" adtcore:responsible="${opts.user}"><adtcore:packageRef adtcore:name="$TMP"/></blue:blueSource>`,
+    };
+    const payload = `<?xml version="1.0" encoding="UTF-8"?>\n${NS[objType]}`;
+    const params = {};
+    if (transport)
+        params.corrNr = transport;
+    try {
+        const result = await adtRequest(opts, "POST", `/${adtPath}`, payload, params, CONTENT_TYPES[objType], { "X-CSRF-Token": csrf, "Content-Type": CONTENT_TYPES[objType] });
+        if (result.status === 200 || result.status === 201) {
+            return { ok: true, exists: false };
+        }
+        if (result.status === 409 || result.body.includes("already exists") || result.body.includes("já existe")) {
+            return { ok: false, exists: true };
+        }
+        return { ok: false, exists: false, error: `HTTP ${result.status}: ${result.body.substring(0, 200)}` };
+    }
+    catch (e) {
+        return { ok: false, exists: false, error: e.message };
+    }
+}
+async function writeSource(opts, csrf, adtPath, source) {
+    // GET etag primeiro
+    const getResult = await adtRequest(opts, "GET", adtPath, "", {}, "text/plain");
+    const etag = getResult.headers["etag"] || "";
+    await adtRequest(opts, "PUT", adtPath, source, {}, "text/plain", {
+        "X-CSRF-Token": csrf,
+        "Content-Type": "text/plain",
+        "If-Match": etag,
+    });
+}
+async function activateObject(opts, csrf, objType, objName) {
+    const TYPE_TO_PATH = { "CLAS/OC": "oo/classes", "TABL/DT": "ddic/tables" };
+    const adtPath = TYPE_TO_PATH[objType];
+    const adtUri = `/sap/bc/adt/${adtPath}/${objName}`;
+    const payload = `<?xml version="1.0" encoding="UTF-8"?><adtcore:objectReferences xmlns:adtcore="http://www.sap.com/adt/core"><adtcore:objectReference adtcore:uri="${adtUri}" adtcore:name="${objName}"/></adtcore:objectReferences>`;
+    await adtRequest(opts, "POST", "/activation", payload, {}, "application/xml", {
+        "X-CSRF-Token": csrf,
+        "Content-Type": "application/xml",
+    });
+}
+function adtRequest(opts, method, adtPath, body, params, accept, extraHeaders) {
+    const baseUrl = new URL(`${opts.url}/sap/bc/adt${adtPath}`);
+    baseUrl.searchParams.set("sap-client", opts.client);
+    baseUrl.searchParams.set("sap-language", opts.language);
+    for (const [k, v] of Object.entries(params)) {
+        baseUrl.searchParams.set(k, v);
+    }
+    const headers = {
+        Authorization: getAuth(opts),
+        Accept: accept,
+        ...(sessionCookies ? { Cookie: sessionCookies } : {}),
+        ...extraHeaders,
+    };
+    const transport = baseUrl.protocol === "https:" ? https : http;
+    const requestOpts = {
+        hostname: baseUrl.hostname,
+        port: baseUrl.port || (baseUrl.protocol === "https:" ? 443 : 80),
+        path: baseUrl.pathname + baseUrl.search,
+        method,
+        headers,
+        timeout: 30000,
+    };
+    if (opts.selfSignedSsl) {
+        requestOpts.rejectUnauthorized = false;
+    }
+    return new Promise((resolve, reject) => {
+        const req = transport.request(requestOpts, (res) => {
+            let data = "";
+            res.on("data", (chunk) => (data += chunk));
+            res.on("end", () => {
+                resolve({
+                    status: res.statusCode || 0,
+                    body: data,
+                    headers: res.headers,
+                });
+            });
+        });
+        req.on("error", reject);
+        req.on("timeout", () => { req.destroy(); reject(new Error("Timeout")); });
+        if (body)
+            req.write(body);
+        req.end();
+    });
+}

package/dist/cli.js

@@ -17,6 +17,8 @@ const HELP = `
 
   Comandos:
     init [--local]               Configura conexão com sistema SAP (wizard interativo)
+    init --name dev --url https://host:8443 --user USER --pass PASS [opts]
+                                 Modo non-interactive (para automação/CI)
     link                         Vincula sistemas globais a este workspace (VS Code)
     activate <LICENSE_KEY>       Ativa licença do produto
     status                       Mostra licença, sistemas e métricas de uso
@@ -50,9 +52,25 @@ async function main() {
     }
     const local = args.includes("--local");
     switch (command) {
-        case "init":
-            await (0, init_js_1.init)({ local });
+        case "init": {
+            const getFlag = (flag) => {
+                const idx = args.indexOf(flag);
+                return idx >= 0 && idx + 1 < args.length ? args[idx + 1] : undefined;
+            };
+            await (0, init_js_1.init)({
+                local,
+                name: getFlag("--name"),
+                url: getFlag("--url"),
+                client: getFlag("--client"),
+                user: getFlag("--user"),
+                pass: getFlag("--pass"),
+                language: getFlag("--language"),
+                selfSignedSsl: args.includes("--no-ssl-verify") ? true : undefined,
+                envRole: getFlag("--env-role"),
+                skipTest: args.includes("--skip-test"),
+            });
             break;
+        }
         case "activate": {
             const key = args[1];
             if (!key) {

package/dist/index.js

@@ -29,7 +29,7 @@ const function_group_js_1 = require("./tools/function-group.js");
 const message_class_js_1 = require("./tools/message-class.js");
 const abap_doc_js_1 = require("./tools/abap-doc.js");
 const release_transport_js_1 = require("./tools/release-transport.js");
-const delete_js_1 = require("./tools/delete.js");
+// abapDeleteObject removido — delete bloqueado permanentemente (decisão de produto)
 const refactor_rename_js_1 = require("./tools/refactor-rename.js");
 const code_completion_js_1 = require("./tools/code-completion.js");
 const navigate_js_1 = require("./tools/navigate.js");
@@ -56,8 +56,10 @@ const breakpoints_js_1 = require("./tools/breakpoints.js");
 const knowledge_js_1 = require("./tools/knowledge.js");
 const create_dcl_js_1 = require("./tools/create-dcl.js");
 const create_amdp_js_1 = require("./tools/create-amdp.js");
+const execute_js_1 = require("./tools/execute.js");
 const system_profile_js_1 = require("./system-profile.js");
 const security_policy_js_1 = require("./security-policy.js");
+const sap_policy_loader_js_1 = require("./sap-policy-loader.js");
 const security_audit_js_1 = require("./security-audit.js");
 const license_guard_js_1 = require("./license-guard.js");
 const server = new mcp_js_1.McpServer({
@@ -817,35 +819,22 @@ server.tool("abap_release_transport", "Libera uma ordem de transporte no SAP. AT
         };
     }
 });
-// Tool: abap_delete
-server.tool("abap_delete", "Exclui um objeto ABAP do sistema SAP. ATENÇÃO: operação irreversível. Requer transporte para objetos em pacotes não-locais.", {
-    object_type: zod_1.z
-        .enum(["PROG/P", "CLAS/OC", "FUGR/FF", "DOMA/D", "DTEL/D", "TABL/DT", "TABL/DS", "TTYP/TT", "INTF/OI", "DDLS/DF", "DDLX/MX", "SRVD/SRV", "BDEF/BDO", "SRVB/SVB"])
-        .describe("Tipo do objeto SAP a excluir."),
-    object_name: zod_1.z
-        .string()
-        .describe("Nome do objeto ABAP a excluir."),
-    transport_request: zod_1.z
-        .string()
-        .optional()
-        .describe("Ordem de transporte (obrigatória para objetos em pacotes não-locais)."),
-}, async ({ object_type, object_name, transport_request }) => {
-    const blocked = securityGuard("abap_delete", transport_request);
-    if (blocked)
-        return blocked;
-    try {
-        const result = await (0, delete_js_1.abapDeleteObject)({ object_type, object_name, transport_request });
-        return {
-            content: [{ type: "text", text: result }],
-        };
-    }
-    catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        return {
-            content: [{ type: "text", text: `Erro ao excluir objeto: ${message}` }],
-            isError: true,
-        };
-    }
+// Tool: abap_delete — BLOQUEADA permanentemente (decisão de produto)
+server.tool("abap_delete", "Exclusão de objetos ABAP não é suportada pelo LKPABAP.ia. Use a transação SE80 no SAP GUI ou o Eclipse ADT para excluir objetos.", {
+    object_type: zod_1.z.string().describe("Tipo do objeto SAP."),
+    object_name: zod_1.z.string().describe("Nome do objeto ABAP."),
+}, async () => {
+    return {
+        content: [{
+                type: "text",
+                text: "BLOQUEADO: O LKPABAP.ia não executa exclusão de objetos ABAP.\n\n"
+                    + "Exclusão é uma operação irreversível que deve ser feita manualmente pelo desenvolvedor:\n"
+                    + "  • SAP GUI: transação SE80 → selecionar objeto → Excluir\n"
+                    + "  • Eclipse ADT: botão direito → Delete\n\n"
+                    + "Esta restrição é permanente e não pode ser sobreposta por configuração.",
+            }],
+        isError: true,
+    };
 });
 // Tool: abap_refactor_rename
 server.tool("abap_refactor_rename", "Renomeia um símbolo (variável, método, atributo) em um objeto ABAP usando o refactoring ADT. Aplica a renomeação em todas as referências.", {
@@ -1415,6 +1404,31 @@ server.resource("system-profile", "abap://system-profile", { description: "Perfi
             }],
     };
 });
+// Tool: abap_execute — executa programas ABAP via ICF handler
+server.tool("abap_execute", "Executa um programa ABAP (Z* ou Y*) no sistema SAP e retorna o output. Requer ICF handler /sap/z/lkpai/guard ativado no SICF. Útil para programas de setup, migração, testes ou utilities.", {
+    program_name: zod_1.z
+        .string()
+        .describe("Nome do programa ABAP a executar (ex: ZLKP_AI_SETUP). Apenas Z* e Y*."),
+    variant: zod_1.z
+        .string()
+        .optional()
+        .describe("Variante de seleção (opcional). Se não informada, executa com valores default dos parâmetros."),
+}, async ({ program_name, variant }) => {
+    const blocked = securityGuard("abap_execute");
+    if (blocked)
+        return blocked;
+    try {
+        const result = await (0, execute_js_1.abapExecute)({ program_name, variant });
+        return { content: [{ type: "text", text: result }] };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+            content: [{ type: "text", text: `Erro ao executar programa: ${message}` }],
+            isError: true,
+        };
+    }
+});
 // Resource: security-policy
 server.resource("security-policy", "abap://security-policy", { description: "Política de segurança ativa — environment role, níveis permitidos, tools bloqueadas, limites. Configurável via env ABAP_AI_ENV_ROLE ou arquivo ~/.abap-ai/security-policy.json." }, async () => {
     const policy = (0, security_policy_js_1.getPolicy)();
@@ -1440,10 +1454,24 @@ async function main() {
     (0, security_policy_js_1.validateToolRiskMap)(_registeredToolNames);
     const transport = new stdio_js_1.StdioServerTransport();
     await server.connect(transport);
+    // Tentar carregar policy do SAP (ABAP Security Agent)
+    // Se o agente está instalado (ZLKP_AI_CONFIG existe), a policy SAP tem prioridade
+    const sapUser = process.env.SAP_USER || "";
+    let policySource = "local";
+    try {
+        const sapPolicy = await (0, sap_policy_loader_js_1.loadPolicyFromSap)(sapUser);
+        if (sapPolicy) {
+            (0, security_policy_js_1.setPolicy)(sapPolicy);
+            policySource = "SAP (ZLKP_AI_CONFIG)";
+        }
+    }
+    catch {
+        // Fallback silencioso para policy local
+    }
     const profile = (0, system_profile_js_1.getProfile)();
     const policy = (0, security_policy_js_1.getPolicy)();
     const licLabel = (0, license_guard_js_1.licenseStatusLabel)();
-    process.stderr.write(`abap-mcp-server v${VERSION} iniciado | License: ${licLabel} | System: ${profile.system.type} | ABAP: ${profile.system.abapPlatform} | Security: ${policy.environment_role} (${policy.allowed_levels.join("+")})\n`);
+    process.stderr.write(`abap-mcp-server v${VERSION} iniciado | License: ${licLabel} | System: ${profile.system.type} | ABAP: ${profile.system.abapPlatform} | Security: ${policy.environment_role} (${policy.allowed_levels.join("+")}) [${policySource}]\n`);
 }
 main().catch((err) => {
     process.stderr.write(`Falha ao iniciar servidor: ${err}\n`);

package/dist/license-guard.js

@@ -1,6 +1,6 @@
 "use strict";
 /**
- * License Guard — valida licença antes de executar qualquer tool.
+ * License Guard — valida licença e rate limiting antes de executar qualquer tool.
  *
  * Singleton: lê ~/.abap-ai/license.json uma vez e cacheia.
  * licenseGuard() retorna null se OK, ou MCP error response se bloqueado.
@@ -11,6 +11,7 @@ exports.reloadLicense = reloadLicense;
 exports.licenseGuard = licenseGuard;
 exports.licenseStatusLabel = licenseStatusLabel;
 const activate_js_1 = require("./cli/activate.js");
+const security_audit_js_1 = require("./security-audit.js");
 // ─── Singleton ───────────────────────────────────────────────────
 let cachedLicense = undefined;
 /**
@@ -65,8 +66,49 @@ function licenseGuard() {
             isError: true,
         };
     }
+    // Rate limiting (Starter: 200 calls/dia)
+    const limit = license.limits.calls_per_day;
+    if (limit > 0) {
+        const used = getDailyCallCount();
+        if (used >= limit) {
+            return {
+                content: [{
+                        type: "text",
+                        text: `LKPABAP.ia — Limite diário atingido (${used}/${limit} chamadas).\n\n` +
+                            `Seu plano ${license.plan} permite ${limit} chamadas por dia.\n` +
+                            `O contador reseta à meia-noite.\n\n` +
+                            `Para uso ilimitado, faça upgrade para o plano Pro:\n` +
+                            `  https://lkpabap.ai/pricing`,
+                    }],
+                isError: true,
+            };
+        }
+    }
     return null;
 }
+// ─── Rate Limiting ──────────────────────────────────────────────
+/** Cache do count diário para não reler o arquivo a cada chamada */
+let dailyCountCache = null;
+/**
+ * Conta chamadas ALLOWED do dia (audit log do dia + sessão atual).
+ * Cache é invalidado quando o dia muda.
+ */
+function getDailyCallCount() {
+    const today = new Date().toISOString().slice(0, 10);
+    // Invalidar cache se mudou o dia
+    if (dailyCountCache && dailyCountCache.date !== today) {
+        dailyCountCache = null;
+    }
+    // Ler do arquivo apenas 1x por sessão (chamadas anteriores de hoje)
+    if (!dailyCountCache) {
+        const todayEntries = (0, security_audit_js_1.readTodayAudit)();
+        const previousAllowed = todayEntries.filter((e) => e.result === "ALLOWED").length;
+        dailyCountCache = { date: today, count: previousAllowed };
+    }
+    // Incrementar com a chamada atual (este guard roda ANTES do audit, então +1)
+    dailyCountCache.count++;
+    return dailyCountCache.count;
+}
 /**
  * Retorna string de status para log no startup.
  */