npm - @linkup-ai/abap-ai - Versions diffs - 2.0.0 → 2.1.0 - Mend

@linkup-ai/abap-ai 2.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -4,7 +4,7 @@ MCP (Model Context Protocol) Server that connects [Claude Code](https://claude.a
 Once configured, Claude can read, write, create, activate, search, refactor, test and deploy ABAP objects — including RAP/Fiori stacks — directly from your editor without any manual SAP GUI interaction.
-**55 tools** covering the full ABAP development lifecycle, powered by a **curated knowledge base** with 49 reference guides on ABAP, CDS, RAP, Fiori and CAP.
+**55 tools** covering the full ABAP development lifecycle, powered by a **curated knowledge base** with 50 reference guides on ABAP, CDS, RAP, Fiori and CAP.
 ---
@@ -132,11 +132,11 @@ Once configured, Claude can read, write, create, activate, search, refactor, tes
 The knowledge base is the core differentiator of this MCP server. It provides Claude with **curated, LLM-optimized reference material** (70% code examples, 30% rules and anti-patterns) so that generated code follows best practices out of the box.
-**49 guides** organized in 4 domains:
+**50 guides** organized in 4 domains:
 | Domain | Topics | Examples |
 |--------|--------|----------|
-| **ABAP Core** | 25 | Internal tables, ABAP SQL, RAP (EML, draft, feature control, numbering, unmanaged), OO, clean code, performance, unit testing, cloud development |
+| **ABAP Core** | 26 | Internal tables, ABAP SQL, RAP (EML, draft, feature control, numbering, unmanaged), OO, enhancements/BAdIs, clean code, performance, unit testing, cloud development |
 | **ABAP CDS** | 6 | Annotations, associations, access control, expressions, functions, metadata extensions |
 | **Fiori / UI5** | 11 | Fiori Elements, annotations, value lists, side effects, XML views, controllers, routing, data binding, fragments, manifest, deployment |
 | **CAP (Node.js)** | 7 | CDL syntax, CQL queries, service definitions, event handlers, authentication, Fiori integration, deployment |
@@ -242,7 +242,7 @@ See [docs/CLI_GUIDE.md](docs/CLI_GUIDE.md) for the full step-by-step guide.
 | Command | Description |
 |---------|-------------|
 | `abap-ai init` | Interactive wizard to configure SAP system connections |
-| `abap-ai activate <KEY>` | Activate product license (BYOK or All-in-One) |
+| `abap-ai activate <KEY>` | Activate product license |
 | `abap-ai status` | Show license, systems (with connection test), usage metrics and knowledge base |
 | `abap-ai systems` | List configured SAP systems |
 | `abap-ai remove <name>` | Remove a SAP system from mcp.json |

package/dist/cli/activate.js CHANGED Viewed

@@ -35,12 +35,36 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.readLicense = readLicense;
 exports.activate = activate;
+const crypto = __importStar(require("crypto"));
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const LICENSE_DIR = path.join(process.env.HOME || "~", ".abap-ai");
 const LICENSE_PATH = path.join(LICENSE_DIR, "license.json");
-// TODO: Substituir pela URL real quando o license server existir
-const LICENSE_API_URL = "https://api.lkpabap.ai/v1/license/validate";
+// ── Beta key validation (offline, HMAC-based) ───────────────────────
+// Em produção será substituído por fetch ao license server (api.lkpabap.ai)
+const BETA_SECRET = "lkp-beta-2026-xK9mQ3vR";
+const PLAN_MAP = { ST: "starter", PR: "pro", EN: "enterprise" };
+function validateBetaKey(key) {
+    const upper = key.toUpperCase();
+    const match = upper.match(/^LK-([A-Z]{2})([A-Z]{2})-([A-Z0-9]{4})-([A-Z0-9]{4})$/);
+    if (!match)
+        return null;
+    const [, planCode, modeCode, rand, checksum] = match;
+    const plan = PLAN_MAP[planCode];
+    if (!plan || modeCode !== "BK")
+        return null;
+    // Recalcula HMAC e compara com o checksum da chave
+    const payload = `${planCode}${modeCode}-${rand}`;
+    const expected = crypto
+        .createHmac("sha256", BETA_SECRET)
+        .update(payload)
+        .digest("hex")
+        .toUpperCase()
+        .slice(0, 4);
+    if (checksum !== expected)
+        return null;
+    return { plan };
+}
 function saveLicense(license) {
     if (!fs.existsSync(LICENSE_DIR)) {
         fs.mkdirSync(LICENSE_DIR, { recursive: true });
@@ -58,10 +82,6 @@ function readLicense() {
 }
 async function activate(key) {
     console.log("\n  ⏳ Validando licença...");
-    // -----------------------------------------------------------------
-    // STUB: Enquanto o license server não existe, simula validação local
-    // Aceita qualquer chave no formato LK-XXXX-XXXX-XXXX
-    // -----------------------------------------------------------------
     const keyPattern = /^LK-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/i;
     if (!keyPattern.test(key)) {
         console.log(`  ✗ Formato de chave inválido.`);
@@ -69,25 +89,27 @@ async function activate(key) {
         console.log(`    Adquira em: https://lkpabap.ai\n`);
         process.exit(1);
     }
-    // Simular chamada ao license server
-    // TODO: Substituir por fetch real ao LICENSE_API_URL
-    const isAllInOne = key.toUpperCase().startsWith("LK-A");
-    const plan = key.toUpperCase().includes("ENT") ? "enterprise" : key.toUpperCase().includes("STA") ? "starter" : "pro";
+    // ── Tenta validação offline (beta keys com HMAC) ──────────────────
+    // TODO: Quando o license server existir, tentar fetch a api.lkpabap.ai primeiro
+    const beta = validateBetaKey(key);
+    if (!beta) {
+        console.log(`  ✗ Chave inválida ou expirada.`);
+        console.log(`    Verifique a chave recebida ou solicite uma nova.\n`);
+        process.exit(1);
+    }
+    const { plan } = beta;
     const license = {
         key: key.toUpperCase(),
         plan,
-        mode: isAllInOne ? "allinone" : "byok",
         limits: {
             systems: plan === "starter" ? 1 : plan === "pro" ? 3 : -1,
             calls_per_day: plan === "starter" ? 200 : -1,
-            tokens_per_month: isAllInOne ? (plan === "starter" ? 500000 : plan === "pro" ? 5000000 : 20000000) : undefined,
         },
-        expires: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000).toISOString().split("T")[0],
+        expires: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000).toISOString().split("T")[0],
         validated_at: new Date().toISOString(),
-        proxy_url: isAllInOne ? "https://proxy.lkpabap.ai/v1" : null,
     };
     saveLicense(license);
-    const planLabel = `${plan.charAt(0).toUpperCase() + plan.slice(1)} (${license.mode === "byok" ? "BYOK" : "All-in-One"})`;
+    const planLabel = `${plan.charAt(0).toUpperCase() + plan.slice(1)} (BYOK)`;
     const systemsLabel = license.limits.systems === -1 ? "Ilimitado" : `até ${license.limits.systems}`;
     const callsLabel = license.limits.calls_per_day === -1 ? "Ilimitado" : `${license.limits.calls_per_day}/dia`;
     console.log(`  ✓ Licença válida!`);
@@ -96,18 +118,9 @@ async function activate(key) {
   │  Plano:        ${planLabel.padEnd(25)}│
   │  Válido até:   ${license.expires.padEnd(25)}│
   │  Sistemas:     ${systemsLabel.padEnd(25)}│
-  │  Chamadas/dia: ${callsLabel.padEnd(25)}│`);
-    if (license.mode === "allinone") {
-        const tokensLabel = license.limits.tokens_per_month
-            ? `${(license.limits.tokens_per_month / 1000000).toFixed(0)}M`
-            : "N/A";
-        console.log(`  │  Tokens/mês:   ${tokensLabel.padEnd(25)}│`);
-        console.log(`  │${" ".repeat(42)}│`);
-        console.log(`  │  ✓ Claude proxy configurado${" ".repeat(13)}│`);
-        console.log(`  │    URL: ${(license.proxy_url || "").padEnd(32)}│`);
-    }
-    console.log(`  │${" ".repeat(42)}│`);
-    console.log(`  │  Licença salva em ~/.abap-ai/license${" ".repeat(4)}│`);
-    console.log(`  ╰──────────────────────────────────────────╯`);
+  │  Chamadas/dia: ${callsLabel.padEnd(25)}│
+  │${" ".repeat(42)}│
+  │  Licença salva em ~/.abap-ai/license${" ".repeat(4)}│
+  ╰──────────────────────────────────────────╯`);
     console.log(`\n  Próximo passo: abap-ai init\n`);
 }

package/dist/cli/init.js CHANGED Viewed

@@ -149,6 +149,7 @@ function addSystemToConfig(config, system) {
         SAP_USER: system.user,
         SAP_PASS: system.pass,
         SAP_LANGUAGE: system.language,
+        ABAP_AI_ENV_ROLE: system.environmentRole,
     };
     if (system.selfSignedSsl) {
         env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
@@ -214,6 +215,17 @@ async function promptSystem() {
             message: "Certificado SSL self-signed?",
             initial: true,
         },
+        {
+            type: "select",
+            name: "environmentRole",
+            message: "Papel do ambiente (controla quais operações o LKPABAP.ia pode executar)",
+            choices: [
+                { title: "DEVELOPMENT — leitura + escrita + criação (padrão para DEV)", value: "DEVELOPMENT" },
+                { title: "QUALITY    — somente leitura (padrão para QAS/QA)", value: "QUALITY" },
+                { title: "PRODUCTION — somente leitura, mais restritivo (padrão para PRD)", value: "PRODUCTION" },
+            ],
+            initial: 0,
+        },
     ], {
         onCancel: () => {
             console.log("\n  Cancelado.");
@@ -231,6 +243,7 @@ async function promptSystem() {
         pass: response.pass,
         language: (response.language?.trim() || "PT").toUpperCase(),
         selfSignedSsl: response.selfSignedSsl ?? true,
+        environmentRole: response.environmentRole || "DEVELOPMENT",
     };
 }
 // ---------------------------------------------------------------------------
@@ -318,7 +331,9 @@ async function init() {
             const sn = `abap-${name}`;
             const env = config.mcpServers[sn]?.env || {};
             const client = env.SAP_CLIENT || "?";
-            const line = `  │    • ${name}  (client ${client})`;
+            const role = env.ABAP_AI_ENV_ROLE || "DEV";
+            const roleTag = role === "PRODUCTION" ? "PRD" : role === "QUALITY" ? "QAS" : "DEV";
+            const line = `  │    • ${name}  (client ${client}, ${roleTag})`;
             console.log(`${line}${" ".repeat(Math.max(1, 48 - line.length))}│`);
         }
         console.log(`  │${" ".repeat(46)}│

package/dist/cli/status.js CHANGED Viewed

@@ -158,7 +158,7 @@ async function status() {
         const expires = new Date(license.expires);
         const daysLeft = Math.ceil((expires.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
         const expired = daysLeft <= 0;
-        const planLabel = `${license.plan.charAt(0).toUpperCase() + license.plan.slice(1)} (${license.mode === "byok" ? "BYOK" : "All-in-One"})`;
+        const planLabel = `${license.plan.charAt(0).toUpperCase() + license.plan.slice(1)} (BYOK)`;
         console.log(`  Plano:        ${planLabel}`);
         console.log(`  Válido até:   ${license.expires} (${expired ? "EXPIRADA" : `${daysLeft} dias restantes`})`);
         console.log(`  Status:       ${expired ? "✗ Expirada — renove em https://lkpabap.ai" : "✓ Ativa"}`);

package/dist/index.js CHANGED Viewed

@@ -55,10 +55,42 @@ const knowledge_js_1 = require("./tools/knowledge.js");
 const create_dcl_js_1 = require("./tools/create-dcl.js");
 const create_amdp_js_1 = require("./tools/create-amdp.js");
 const system_profile_js_1 = require("./system-profile.js");
+const security_policy_js_1 = require("./security-policy.js");
+const security_audit_js_1 = require("./security-audit.js");
 const server = new mcp_js_1.McpServer({
     name: "abap-adt",
     version: "2.0.0",
 });
+// ─── Security Guard ───────────────────────────────────────────────
+/**
+ * Verifica se uma tool pode ser executada sob a security policy atual.
+ * Retorna null se permitido, ou uma resposta de erro MCP se bloqueado.
+ */
+function securityGuard(toolName, transportRequest) {
+    const policy = (0, security_policy_js_1.getPolicy)();
+    const riskLevel = (0, security_policy_js_1.getToolRisk)(toolName);
+    // 1. Verificar acesso pela policy
+    const accessCheck = (0, security_policy_js_1.checkToolAccess)(toolName, policy);
+    if (!accessCheck.allowed) {
+        (0, security_audit_js_1.auditBlocked)(toolName, riskLevel, policy.environment_role, accessCheck.reason || "policy");
+        return {
+            content: [{ type: "text", text: accessCheck.reason || `Tool ${toolName} bloqueada.` }],
+            isError: true,
+        };
+    }
+    // 2. Verificar transport request obrigatório
+    const transportCheck = (0, security_policy_js_1.checkTransportRequired)(toolName, transportRequest, policy);
+    if (!transportCheck.allowed) {
+        (0, security_audit_js_1.auditBlocked)(toolName, riskLevel, policy.environment_role, transportCheck.reason || "transport required");
+        return {
+            content: [{ type: "text", text: transportCheck.reason || `Transport request obrigatório.` }],
+            isError: true,
+        };
+    }
+    // 3. Permitido — registrar no audit
+    (0, security_audit_js_1.auditAllowed)(toolName, riskLevel, policy.environment_role);
+    return null;
+}
 // Tool: abap_read
 server.tool("abap_read", "Lê o código-fonte de um objeto ABAP no sistema SAP via ADT API. Para tabelas (TABL/DT), estruturas (TABL/DS) e table types (TTYP/TT), retorna a lista de campos com tipo e descrição.", {
     object_type: zod_1.z
@@ -106,6 +138,9 @@ server.tool("abap_write", "Grava código-fonte em um objeto ABAP existente no si
         .optional()
         .describe("Ordem de transporte (ex: ECDK900123). Obrigatória para objetos em pacotes não-locais."),
 }, async ({ object_type, object_name, source, class_include, transport_request }) => {
+    const blocked = securityGuard("abap_write", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, write_js_1.abapWrite)({ object_type, object_name, source, class_include, transport_request });
         return {
@@ -129,6 +164,9 @@ server.tool("abap_activate", "Ativa um objeto ABAP no sistema SAP via ADT API. R
         .string()
         .describe("Nome do objeto ABAP (ex: ZTESTEDENIS)."),
 }, async ({ object_type, object_name }) => {
+    const blocked = securityGuard("abap_activate");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, activate_js_1.abapActivate)({ object_type, object_name });
         return {
@@ -173,6 +211,9 @@ server.tool("abap_create", "Cria um novo objeto ABAP no sistema SAP via ADT API.
         .optional()
         .describe("Ordem de transporte (ex: ECDK900123). Se omitida, o SAP usa $TMP ou atribui automaticamente."),
 }, async ({ object_type, object_name, description, package: pkg, srvd_name, binding_type, transport_request }) => {
+    const blocked = securityGuard("abap_create", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_js_1.abapCreate)({ object_type, object_name, description, package: pkg, srvd_name, binding_type, transport_request });
         return {
@@ -302,6 +343,9 @@ server.tool("abap_assign_transport", "Vincula um objeto ABAP existente a uma ord
         .string()
         .describe("Nome do objeto ABAP a vincular."),
 }, async ({ transport_request, object_type, object_name }) => {
+    const blocked = securityGuard("abap_assign_transport", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, transports_js_1.abapAssignTransport)({ transport_request, object_type, object_name });
         return {
@@ -358,6 +402,9 @@ server.tool("abap_scaffold_rap", "Cria um stack RAP completo no SAP com 4 scenar
         .optional()
         .describe("Ordem de transporte para todos os objetos criados."),
 }, async ({ base_name, description, scenario, child_entities, with_feature_control, with_business_events, package: pkg, binding_type, transport_request }) => {
+    const blocked = securityGuard("abap_scaffold_rap", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, scaffold_rap_js_1.abapScaffoldRap)({ base_name, description, scenario, child_entities, with_feature_control, with_business_events, package: pkg, binding_type, transport_request });
         return {
@@ -382,6 +429,9 @@ server.tool("abap_publish_binding", "Publica uma Service Binding (SRVB/SVB) no S
         .optional()
         .describe("Versão do serviço no Gateway (padrão: '0001')."),
 }, async ({ binding_name, service_version }) => {
+    const blocked = securityGuard("abap_publish_binding");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, publish_binding_js_1.abapPublishBinding)({ binding_name, service_version });
         return {
@@ -417,6 +467,9 @@ server.tool("abap_deploy_bsp", "Faz deploy de uma aplicação Fiori/UI5 para o A
         .optional()
         .describe("Ordem de transporte (ex: ECDK900123). Obrigatória se o pacote não for $TMP."),
 }, async ({ bsp_name, folder_path, package: pkg, description, transport_request }) => {
+    const blocked = securityGuard("abap_deploy_bsp", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, deploy_bsp_js_1.abapDeployBsp)({ bsp_name, folder_path, package: pkg, description, transport_request });
         return {
@@ -492,8 +545,9 @@ server.tool("abap_data_preview", "Visualiza dados de uma tabela transparente ou
         .optional()
         .describe("Colunas a retornar, separadas por vírgula (ex: MATNR,MTART,MBRSH)."),
 }, async ({ object_name, max_rows, where_clause, order_by, columns }) => {
+    const effectiveRows = (0, security_policy_js_1.getEffectiveMaxRows)(max_rows ?? 100, (0, security_policy_js_1.getPolicy)());
     try {
-        const result = await (0, data_preview_js_1.abapDataPreview)({ object_name, max_rows, where_clause, order_by, columns });
+        const result = await (0, data_preview_js_1.abapDataPreview)({ object_name, max_rows: effectiveRows, where_clause, order_by, columns });
         return {
             content: [{ type: "text", text: result }],
         };
@@ -721,6 +775,9 @@ server.tool("abap_release_transport", "Libera uma ordem de transporte no SAP. AT
         .string()
         .describe("Número da ordem de transporte a liberar (ex: ECDK900123)."),
 }, async ({ transport_request }) => {
+    const blocked = securityGuard("abap_release_transport", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, release_transport_js_1.abapReleaseTransport)({ transport_request });
         return {
@@ -748,6 +805,9 @@ server.tool("abap_delete", "Exclui um objeto ABAP do sistema SAP. ATENÇÃO: ope
         .optional()
         .describe("Ordem de transporte (obrigatória para objetos em pacotes não-locais)."),
 }, async ({ object_type, object_name, transport_request }) => {
+    const blocked = securityGuard("abap_delete", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, delete_js_1.abapDeleteObject)({ object_type, object_name, transport_request });
         return {
@@ -787,6 +847,9 @@ server.tool("abap_refactor_rename", "Renomeia um símbolo (variável, método, a
         .optional()
         .describe("Include da classe. Apenas para CLAS/OC. Padrão: main."),
 }, async ({ object_type, object_name, old_name, new_name, line, column, class_include }) => {
+    const blocked = securityGuard("abap_refactor_rename");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, refactor_rename_js_1.abapRefactorRename)({ object_type, object_name, old_name, new_name, line, column, class_include });
         return {
@@ -879,6 +942,9 @@ server.tool("abap_quick_fix", "Obtém e aplica correções rápidas (quick fixes
         .describe("Include da classe. Apenas para CLAS/OC."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte para aplicar o fix."),
 }, async ({ object_type, object_name, line, column, fix_index, class_include, transport_request }) => {
+    const blocked = securityGuard("abap_quick_fix", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, quick_fix_js_1.abapQuickFix)({ object_type, object_name, line, column, fix_index, class_include, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -903,6 +969,9 @@ server.tool("abap_extract_method", "Extrai um trecho de código ABAP selecionado
         .describe("Include da classe. Apenas para CLAS/OC."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte (se necessário)."),
 }, async ({ object_type, object_name, start_line, end_line, new_method_name, class_include, transport_request }) => {
+    const blocked = securityGuard("abap_extract_method", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, extract_method_js_1.abapExtractMethod)({ object_type, object_name, start_line, end_line, new_method_name, class_include, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -933,8 +1002,9 @@ server.tool("abap_sql_console", "Executa uma consulta ABAP SQL (Open SQL) no sis
     sql: zod_1.z.string().describe("Consulta ABAP SQL. Ex: SELECT * FROM mara WHERE matnr LIKE 'Z%' ORDER BY matnr UP TO 100 ROWS"),
     max_rows: zod_1.z.number().optional().describe("Número máximo de linhas retornadas (padrão: 100)."),
 }, async ({ sql, max_rows }) => {
+    const effectiveRows = (0, security_policy_js_1.getEffectiveMaxRows)(max_rows ?? 100, (0, security_policy_js_1.getPolicy)());
     try {
-        const result = await (0, sql_console_js_1.abapSqlConsole)({ sql, max_rows });
+        const result = await (0, sql_console_js_1.abapSqlConsole)({ sql, max_rows: effectiveRows });
         return { content: [{ type: "text", text: result }] };
     }
     catch (error) {
@@ -961,6 +1031,9 @@ server.tool("abap_create_transport", "Cria uma nova ordem de transporte (workben
     type: zod_1.z.enum(["W", "K"]).optional().describe("Tipo: W=Workbench (padrão), K=Customizing."),
     target: zod_1.z.string().optional().describe("Sistema de destino (ex: QAS). Opcional."),
 }, async ({ description, type, target }) => {
+    const blocked = securityGuard("abap_create_transport");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_transport_js_1.abapCreateTransport)({ description, type, target });
         return { content: [{ type: "text", text: result }] };
@@ -1144,6 +1217,9 @@ server.tool("abap_git_pull", "Executa pull de um repositório abapGit no sistema
     branch: zod_1.z.string().optional().describe("Nome do branch (padrão: main)."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte para os objetos importados."),
 }, async ({ repo_id, branch, transport_request }) => {
+    const blocked = securityGuard("abapgit_pull", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, abapgit_js_1.abapGitPull)({ repo_id, branch, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1163,6 +1239,9 @@ server.tool("abap_git_stage", "Mostra status de staging e executa push para um r
     message: zod_1.z.string().optional().describe("Mensagem de commit (obrigatória para push)."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte."),
 }, async ({ repo_id, action, message: commitMsg, transport_request }) => {
+    const blocked = securityGuard("abapgit_stage", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, abapgit_js_1.abapGitStage)({ repo_id, action, message: commitMsg, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1233,6 +1312,9 @@ server.tool("abap_create_dcl", "Cria um objeto DCL (Data Control Language) para
     package: zod_1.z.string().optional().describe("Pacote SAP. Padrão: '$TMP'."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte."),
 }, async ({ dcl_name, cds_entity, auth_type, auth_mappings, literal_conditions, with_user_aspect, package: pkg, transport_request }) => {
+    const blocked = securityGuard("abap_create_dcl", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_dcl_js_1.abapCreateDcl)({ dcl_name, cds_entity, auth_type, auth_mappings, literal_conditions, with_user_aspect, package: pkg, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1262,6 +1344,9 @@ server.tool("abap_create_amdp", "Cria uma classe AMDP (ABAP Managed Database Pro
     package: zod_1.z.string().optional().describe("Pacote SAP. Padrão: '$TMP'."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte."),
 }, async ({ class_name, method_name, method_type, importing: imp, exporting_table, cds_entity, description, package: pkg, transport_request }) => {
+    const blocked = securityGuard("abap_create_amdp", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_amdp_js_1.abapCreateAmdp)({ class_name, method_name, method_type, importing: imp, exporting_table, cds_entity, description, package: pkg, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1305,12 +1390,31 @@ server.resource("system-profile", "abap://system-profile", { description: "Perfi
             }],
     };
 });
+// Resource: security-policy
+server.resource("security-policy", "abap://security-policy", { description: "Política de segurança ativa — environment role, níveis permitidos, tools bloqueadas, limites. Configurável via env ABAP_AI_ENV_ROLE ou arquivo ~/.abap-ai/security-policy.json." }, async () => {
+    const policy = (0, security_policy_js_1.getPolicy)();
+    const toolRiskMap = {
+        blocked_tools: policy.always_blocked,
+        environment: policy.environment_role,
+        allowed_operations: policy.allowed_levels,
+        require_transport: policy.require_transport,
+        max_preview_rows: policy.max_preview_rows,
+    };
+    return {
+        contents: [{
+                uri: "abap://security-policy",
+                mimeType: "application/json",
+                text: JSON.stringify(toolRiskMap, null, 2),
+            }],
+    };
+});
 // Inicializa o servidor via stdio (modo Claude Code MCP)
 async function main() {
     const transport = new stdio_js_1.StdioServerTransport();
     await server.connect(transport);
     const profile = (0, system_profile_js_1.getProfile)();
-    process.stderr.write(`abap-mcp-server v2.0.0 iniciado | System: ${profile.system.type} | ABAP: ${profile.system.abapPlatform}\n`);
+    const policy = (0, security_policy_js_1.getPolicy)();
+    process.stderr.write(`abap-mcp-server v2.1.0 iniciado | System: ${profile.system.type} | ABAP: ${profile.system.abapPlatform} | Security: ${policy.environment_role} (${policy.allowed_levels.join("+")})\n`);
 }
 main().catch((err) => {
     process.stderr.write(`Falha ao iniciar servidor: ${err}\n`);

package/dist/security-audit.js ADDED Viewed

@@ -0,0 +1,136 @@
+"use strict";
+/**
+ * Security Audit Log — registro de operações de segurança.
+ *
+ * Registra todas as operações WRITE, CREATE, DESTRUCTIVE e ADMIN,
+ * incluindo tentativas bloqueadas pela security policy.
+ * Separado do logger de chamadas ADT — este é focado em governança.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditLog = auditLog;
+exports.auditAllowed = auditAllowed;
+exports.auditBlocked = auditBlocked;
+exports.getSessionAudit = getSessionAudit;
+exports.getAuditSummary = getAuditSummary;
+exports.readTodayAudit = readTodayAudit;
+const fs_1 = require("fs");
+const path_1 = require("path");
+// ─── Config ───────────────────────────────────────────────────────
+const AUDIT_DIR = process.env.ABAP_AI_AUDIT_DIR || (0, path_1.join)(process.env.HOME || "~", ".abap-ai", "audit");
+const AUDIT_ENABLED = process.env.ABAP_AI_AUDIT !== "false";
+// ─── Estado da sessão ─────────────────────────────────────────────
+const sessionAuditEntries = [];
+// ─── Funções ──────────────────────────────────────────────────────
+function ensureAuditDir() {
+    if (!(0, fs_1.existsSync)(AUDIT_DIR)) {
+        (0, fs_1.mkdirSync)(AUDIT_DIR, { recursive: true });
+    }
+}
+function auditFileName() {
+    const date = new Date().toISOString().slice(0, 10);
+    return (0, path_1.join)(AUDIT_DIR, `security-${date}.jsonl`);
+}
+/**
+ * Extrai o hostname do SAP_URL para identificar o sistema no audit.
+ */
+function getSystemId() {
+    const url = process.env.SAP_URL || "unknown";
+    try {
+        return new URL(url).hostname;
+    }
+    catch {
+        return url;
+    }
+}
+/**
+ * Registra uma entrada no audit log de segurança.
+ */
+function auditLog(entry) {
+    const fullEntry = {
+        timestamp: new Date().toISOString(),
+        system: getSystemId(),
+        user: process.env.SAP_USER || "unknown",
+        ...entry,
+    };
+    sessionAuditEntries.push(fullEntry);
+    if (!AUDIT_ENABLED)
+        return;
+    try {
+        ensureAuditDir();
+        (0, fs_1.appendFileSync)(auditFileName(), JSON.stringify(fullEntry) + "\n", "utf-8");
+    }
+    catch {
+        // Audit silencioso — não deve quebrar operações
+    }
+}
+/**
+ * Atalho para registrar uma operação permitida.
+ */
+function auditAllowed(tool, riskLevel, environment, params) {
+    auditLog({
+        tool,
+        risk_level: riskLevel,
+        environment,
+        result: "ALLOWED",
+        params,
+    });
+}
+/**
+ * Atalho para registrar uma operação bloqueada.
+ */
+function auditBlocked(tool, riskLevel, environment, reason, params) {
+    auditLog({
+        tool,
+        risk_level: riskLevel,
+        environment,
+        result: "BLOCKED",
+        reason,
+        params,
+    });
+}
+/**
+ * Retorna as entradas de audit da sessão atual.
+ */
+function getSessionAudit() {
+    return [...sessionAuditEntries];
+}
+/**
+ * Retorna resumo do audit da sessão para exibição.
+ */
+function getAuditSummary() {
+    const allowed = sessionAuditEntries.filter((e) => e.result === "ALLOWED").length;
+    const blocked = sessionAuditEntries.filter((e) => e.result === "BLOCKED").length;
+    const byTool = {};
+    for (const entry of sessionAuditEntries) {
+        if (!byTool[entry.tool])
+            byTool[entry.tool] = { allowed: 0, blocked: 0 };
+        if (entry.result === "ALLOWED")
+            byTool[entry.tool].allowed++;
+        else
+            byTool[entry.tool].blocked++;
+    }
+    return {
+        total: sessionAuditEntries.length,
+        allowed,
+        blocked,
+        by_tool: byTool,
+    };
+}
+/**
+ * Lê o audit log do dia atual.
+ */
+function readTodayAudit() {
+    try {
+        const file = auditFileName();
+        if (!(0, fs_1.existsSync)(file))
+            return [];
+        const content = (0, fs_1.readFileSync)(file, "utf-8");
+        return content
+            .split("\n")
+            .filter((line) => line.trim())
+            .map((line) => JSON.parse(line));
+    }
+    catch {
+        return [];
+    }
+}

package/dist/security-policy.js ADDED Viewed

@@ -0,0 +1,322 @@
+"use strict";
+/**
+ * Security Policy — controle de acesso por camada de ambiente SAP.
+ *
+ * Implementa o princípio: "O LKPABAP.ia NUNCA sobrepõe as restrições de
+ * segurança do SAP. Em PRD, só leitura. Em QAS, leitura + debug.
+ * Em DEV, tudo liberado. abap_release_transport sempre bloqueado."
+ *
+ * A autorização de dados (S_TADIR, S_DEVELOP, etc.) é 100% delegada ao SAP.
+ * Esta camada controla quais CATEGORIAS de operação o MCP server aceita executar.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getToolRisk = getToolRisk;
+exports.loadPolicy = loadPolicy;
+exports.checkToolAccess = checkToolAccess;
+exports.getEffectiveMaxRows = getEffectiveMaxRows;
+exports.checkTransportRequired = checkTransportRequired;
+exports.getPolicy = getPolicy;
+exports.setPolicy = setPolicy;
+exports.getDefaultPolicy = getDefaultPolicy;
+exports.listEnvironmentRoles = listEnvironmentRoles;
+const fs_1 = require("fs");
+const path_1 = require("path");
+/**
+ * Mapa de cada tool para seu nível de risco.
+ * Tools não listadas aqui são consideradas READ (safe by default).
+ */
+const TOOL_RISK = {
+    // READ — sem guard extra (default para tools não listadas)
+    abap_read: "READ",
+    abap_search: "READ",
+    abap_where_used: "READ",
+    abap_check: "READ",
+    abap_object_structure: "READ",
+    abap_data_preview: "READ",
+    abap_sql_console: "READ",
+    abap_element_info: "READ",
+    abap_pretty_printer: "READ",
+    abap_unit_test: "READ",
+    abap_atc_check: "READ",
+    abap_package_contents: "READ",
+    abap_object_versions: "READ",
+    abap_function_group: "READ",
+    abap_message_class: "READ",
+    abap_doc: "READ",
+    abap_code_completion: "READ",
+    abap_navigate: "READ",
+    abap_call_hierarchy: "READ",
+    abap_code_coverage: "READ",
+    abap_transport_contents: "READ",
+    abap_cds_annotations: "READ",
+    abap_cds_dependencies: "READ",
+    abap_annotation_propagation: "READ",
+    abap_enhancement_spot: "READ",
+    abap_lock_object: "READ",
+    abap_auth_object: "READ",
+    abap_number_range: "READ",
+    abap_repository_tree: "READ",
+    abap_discovery: "READ",
+    abap_released_apis: "READ",
+    abap_object_documentation: "READ",
+    abap_system_info: "READ",
+    abap_list_transports: "READ",
+    abap_knowledge: "READ",
+    abap_traces: "READ",
+    abap_breakpoints: "READ",
+    abapgit_repos: "READ",
+    // WRITE — modifica objetos existentes
+    abap_write: "WRITE",
+    abap_activate: "WRITE",
+    abap_refactor_rename: "WRITE",
+    abap_extract_method: "WRITE",
+    abap_quick_fix: "WRITE",
+    abap_publish_binding: "WRITE",
+    abap_deploy_bsp: "WRITE",
+    abap_assign_transport: "WRITE",
+    abapgit_pull: "WRITE",
+    abapgit_stage: "WRITE",
+    // CREATE — cria objetos novos no SAP
+    abap_create: "CREATE",
+    abap_create_transport: "CREATE",
+    abap_create_dcl: "CREATE",
+    abap_create_amdp: "CREATE",
+    abap_scaffold_rap: "CREATE",
+    // WRITE — delete segue a mesma regra de escrita (permitido em DEV, bloqueado em QAS/PRD)
+    abap_delete: "WRITE",
+    // ADMIN — operações administrativas de alto impacto (sempre bloqueado)
+    abap_release_transport: "ADMIN",
+};
+/**
+ * Retorna o nível de risco de uma tool.
+ */
+function getToolRisk(toolName) {
+    return TOOL_RISK[toolName] ?? "READ";
+}
+// ─── Policies padrão por ambiente ─────────────────────────────────
+const POLICY_DEVELOPMENT = {
+    environment_role: "DEVELOPMENT",
+    allowed_levels: ["READ", "WRITE", "CREATE"],
+    always_blocked: ["abap_release_transport"],
+    require_transport: false,
+    max_preview_rows: 0,
+};
+const POLICY_QUALITY = {
+    environment_role: "QUALITY",
+    allowed_levels: ["READ"],
+    always_blocked: [
+        "abap_release_transport",
+        "abap_delete",
+        "abap_scaffold_rap",
+        "abap_create",
+        "abap_create_dcl",
+        "abap_create_amdp",
+        "abap_write",
+        "abap_activate",
+        "abap_refactor_rename",
+        "abap_extract_method",
+        "abap_quick_fix",
+        "abap_publish_binding",
+        "abap_deploy_bsp",
+        "abapgit_pull",
+    ],
+    require_transport: true,
+    max_preview_rows: 100,
+};
+const POLICY_PRODUCTION = {
+    environment_role: "PRODUCTION",
+    allowed_levels: ["READ"],
+    always_blocked: [
+        "abap_release_transport",
+        "abap_delete",
+        "abap_scaffold_rap",
+        "abap_create",
+        "abap_create_dcl",
+        "abap_create_amdp",
+        "abap_create_transport",
+        "abap_write",
+        "abap_activate",
+        "abap_refactor_rename",
+        "abap_extract_method",
+        "abap_quick_fix",
+        "abap_publish_binding",
+        "abap_deploy_bsp",
+        "abapgit_pull",
+        "abapgit_stage",
+        "abap_assign_transport",
+    ],
+    require_transport: true,
+    max_preview_rows: 50,
+};
+const DEFAULT_POLICIES = {
+    DEVELOPMENT: POLICY_DEVELOPMENT,
+    QUALITY: POLICY_QUALITY,
+    PRODUCTION: POLICY_PRODUCTION,
+};
+// ─── Carregamento da policy ───────────────────────────────────────
+/**
+ * Caminho do arquivo de policy central (planos Enterprise/Corporate).
+ * Gestores podem travar a policy criando este arquivo.
+ */
+const CENTRAL_POLICY_PATH = (0, path_1.join)(process.env.HOME || "~", ".abap-ai", "security-policy.json");
+/**
+ * Carrega a policy do ambiente a partir de:
+ *   1. Variável de ambiente ABAP_AI_SECURITY_POLICY (JSON inline)
+ *   2. Arquivo central ~/.abap-ai/security-policy.json (Enterprise/Corporate)
+ *   3. Variável ABAP_AI_ENV_ROLE (DEVELOPMENT | QUALITY | PRODUCTION)
+ *   4. Default: DEVELOPMENT
+ */
+function loadPolicy() {
+    // 1. JSON inline (env var)
+    const policyJson = process.env.ABAP_AI_SECURITY_POLICY;
+    if (policyJson) {
+        try {
+            const parsed = JSON.parse(policyJson);
+            return mergeWithDefault(parsed);
+        }
+        catch {
+            // fallthrough
+        }
+    }
+    // 2. Arquivo central (gestores Enterprise/Corporate)
+    if ((0, fs_1.existsSync)(CENTRAL_POLICY_PATH)) {
+        try {
+            const raw = (0, fs_1.readFileSync)(CENTRAL_POLICY_PATH, "utf-8");
+            const parsed = JSON.parse(raw);
+            return mergeWithDefault(parsed);
+        }
+        catch {
+            // fallthrough
+        }
+    }
+    // 3. Env role simples
+    const envRole = (process.env.ABAP_AI_ENV_ROLE || "").toUpperCase();
+    if (DEFAULT_POLICIES[envRole]) {
+        return deepClone(DEFAULT_POLICIES[envRole]);
+    }
+    // 4. Default: DEVELOPMENT
+    return deepClone(POLICY_DEVELOPMENT);
+}
+/**
+ * Verifica se uma tool pode ser executada sob a policy atual.
+ */
+function checkToolAccess(toolName, policy) {
+    // 1. abap_release_transport — SEMPRE bloqueado, independente de qualquer config
+    if (toolName === "abap_release_transport") {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: abap_release_transport é sempre bloqueado pelo LKPABAP.ia. `
+                + `Liberar transportes é uma operação irreversível que pode propagar mudanças para ambientes produtivos. `
+                + `Execute esta operação manualmente na transação SE09/SE10 do SAP GUI.`,
+        };
+    }
+    // 2. Tool na lista de always_blocked
+    if (policy.always_blocked.includes(toolName)) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: A tool "${toolName}" não é permitida no ambiente ${policy.environment_role}. `
+                + `Esta restrição é definida pela política de segurança do sistema. `
+                + describeEnvironmentRestriction(policy.environment_role),
+        };
+    }
+    // 3. Nível de risco da tool vs níveis permitidos
+    const riskLevel = getToolRisk(toolName);
+    if (!policy.allowed_levels.includes(riskLevel)) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: A tool "${toolName}" requer nível "${riskLevel}", `
+                + `mas o ambiente ${policy.environment_role} só permite: ${policy.allowed_levels.join(", ")}. `
+                + describeEnvironmentRestriction(policy.environment_role),
+        };
+    }
+    return { allowed: true };
+}
+/**
+ * Retorna o limite de rows para preview/sql considerando a policy.
+ * Se a policy define um limite, usa o menor entre o limite da policy e o solicitado.
+ */
+function getEffectiveMaxRows(requestedRows, policy) {
+    if (policy.max_preview_rows <= 0)
+        return requestedRows;
+    return Math.min(requestedRows, policy.max_preview_rows);
+}
+/**
+ * Verifica se transport request é obrigatório e não foi fornecido.
+ */
+function checkTransportRequired(toolName, transportRequest, policy) {
+    const riskLevel = getToolRisk(toolName);
+    if (policy.require_transport
+        && (riskLevel === "WRITE" || riskLevel === "CREATE")
+        && !transportRequest) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: O ambiente ${policy.environment_role} exige transport request para operações de ${riskLevel}. `
+                + `Informe o parâmetro transport_request (ex: "DEVK900123"). `
+                + `Use abap_list_transports ou abap_create_transport para obter um.`,
+        };
+    }
+    return { allowed: true };
+}
+// ─── Singleton ────────────────────────────────────────────────────
+let currentPolicy = null;
+/**
+ * Retorna a policy atual. Carrega do ambiente/arquivo na primeira chamada.
+ */
+function getPolicy() {
+    if (!currentPolicy) {
+        currentPolicy = loadPolicy();
+    }
+    return currentPolicy;
+}
+/**
+ * Força uma policy específica (usado em testes ou override programático).
+ */
+function setPolicy(policy) {
+    currentPolicy = policy;
+}
+/**
+ * Retorna a policy padrão para um environment role.
+ */
+function getDefaultPolicy(role) {
+    return deepClone(DEFAULT_POLICIES[role] || POLICY_DEVELOPMENT);
+}
+/**
+ * Lista os environment roles disponíveis.
+ */
+function listEnvironmentRoles() {
+    return ["DEVELOPMENT", "QUALITY", "PRODUCTION"];
+}
+// ─── Helpers ──────────────────────────────────────────────────────
+function describeEnvironmentRestriction(role) {
+    switch (role) {
+        case "PRODUCTION":
+            return "Em ambientes PRODUTIVOS, o LKPABAP.ia opera somente em modo leitura. "
+                + "Qualquer modificação deve ser feita via transporte a partir do ambiente de desenvolvimento.";
+        case "QUALITY":
+            return "Em ambientes de QUALIDADE (QAS), o LKPABAP.ia opera somente em modo leitura. "
+                + "Modificações devem ser transportadas a partir do ambiente de desenvolvimento.";
+        case "DEVELOPMENT":
+            return ""; // DEV não tem restrição descritiva
+        default:
+            return "";
+    }
+}
+function mergeWithDefault(partial) {
+    const role = partial.environment_role || "DEVELOPMENT";
+    const base = deepClone(DEFAULT_POLICIES[role] || POLICY_DEVELOPMENT);
+    return {
+        environment_role: partial.environment_role ?? base.environment_role,
+        allowed_levels: partial.allowed_levels ?? base.allowed_levels,
+        always_blocked: [
+            ...new Set([
+                ...base.always_blocked,
+                ...(partial.always_blocked ?? []),
+            ]),
+        ],
+        require_transport: partial.require_transport ?? base.require_transport,
+        max_preview_rows: partial.max_preview_rows ?? base.max_preview_rows,
+    };
+}
+function deepClone(obj) {
+    return JSON.parse(JSON.stringify(obj));
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@linkup-ai/abap-ai",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "LKPABAP.ia — AI-powered ABAP development tools for SAP S/4HANA via ADT REST API",
   "main": "dist/index.js",
   "bin": {
@@ -11,7 +11,7 @@
     "README.md"
   ],
   "publishConfig": {
-    "access": "restricted"
+    "access": "public"
   },
   "license": "SEE LICENSE IN LICENSE",
   "keywords": [