@linkup-ai/abap-ai 2.0.0 → 2.2.0

package/README.md

@@ -4,7 +4,7 @@ MCP (Model Context Protocol) Server that connects [Claude Code](https://claude.a
 
 Once configured, Claude can read, write, create, activate, search, refactor, test and deploy ABAP objects — including RAP/Fiori stacks — directly from your editor without any manual SAP GUI interaction.
 
-**55 tools** covering the full ABAP development lifecycle, powered by a **curated knowledge base** with 49 reference guides on ABAP, CDS, RAP, Fiori and CAP.
+**55 tools** covering the full ABAP development lifecycle, powered by a **curated knowledge base** with 50 reference guides on ABAP, CDS, RAP, Fiori and CAP.
 
 ---
 
@@ -132,11 +132,11 @@ Once configured, Claude can read, write, create, activate, search, refactor, tes
 
 The knowledge base is the core differentiator of this MCP server. It provides Claude with **curated, LLM-optimized reference material** (70% code examples, 30% rules and anti-patterns) so that generated code follows best practices out of the box.
 
-**49 guides** organized in 4 domains:
+**50 guides** organized in 4 domains:
 
 | Domain | Topics | Examples |
 |--------|--------|----------|
-| **ABAP Core** | 25 | Internal tables, ABAP SQL, RAP (EML, draft, feature control, numbering, unmanaged), OO, clean code, performance, unit testing, cloud development |
+| **ABAP Core** | 26 | Internal tables, ABAP SQL, RAP (EML, draft, feature control, numbering, unmanaged), OO, enhancements/BAdIs, clean code, performance, unit testing, cloud development |
 | **ABAP CDS** | 6 | Annotations, associations, access control, expressions, functions, metadata extensions |
 | **Fiori / UI5** | 11 | Fiori Elements, annotations, value lists, side effects, XML views, controllers, routing, data binding, fragments, manifest, deployment |
 | **CAP (Node.js)** | 7 | CDL syntax, CQL queries, service definitions, event handlers, authentication, Fiori integration, deployment |
@@ -242,7 +242,7 @@ See [docs/CLI_GUIDE.md](docs/CLI_GUIDE.md) for the full step-by-step guide.
 | Command | Description |
 |---------|-------------|
 | `abap-ai init` | Interactive wizard to configure SAP system connections |
-| `abap-ai activate <KEY>` | Activate product license (BYOK or All-in-One) |
+| `abap-ai activate <KEY>` | Activate product license |
 | `abap-ai status` | Show license, systems (with connection test), usage metrics and knowledge base |
 | `abap-ai systems` | List configured SAP systems |
 | `abap-ai remove <name>` | Remove a SAP system from mcp.json |

package/dist/adt-client.js

@@ -49,19 +49,38 @@ function createHttpClient() {
 const http = createHttpClient();
 exports.http = http;
 // ─── Sessão CSRF ──────────────────────────────────────────────────
+/** Máximo de tentativas para obter CSRF token */
+const CSRF_MAX_RETRIES = 3;
+/** Intervalo entre tentativas de CSRF (ms) */
+const CSRF_RETRY_DELAY = 1000;
 async function ensureSession() {
     if (session)
         return session.csrfToken;
-    const response = await http.get("/discovery", {
-        headers: { "X-CSRF-Token": "Fetch", Accept: "application/xml" },
-        validateStatus: (status) => status < 500, // 406 é esperado mas traz o CSRF token
-    });
-    const token = response.headers["x-csrf-token"];
-    if (!token) {
-        throw new AdtError("Falha ao obter CSRF token do SAP ADT. Verifique se o serviço /sap/bc/adt/discovery está ativo.", 0, "/discovery");
+    let lastError;
+    for (let attempt = 1; attempt <= CSRF_MAX_RETRIES; attempt++) {
+        try {
+            const response = await http.get("/discovery", {
+                headers: { "X-CSRF-Token": "Fetch", Accept: "application/xml" },
+                validateStatus: (status) => status < 500, // 406 é esperado mas traz o CSRF token
+            });
+            const token = response.headers["x-csrf-token"];
+            if (token) {
+                session = { csrfToken: token };
+                return token;
+            }
+            lastError = new AdtError("CSRF token não retornado pelo SAP ADT.", 0, "/discovery");
+        }
+        catch (error) {
+            lastError = error;
+        }
+        // Retry com backoff linear (1s, 2s, 3s)
+        if (attempt < CSRF_MAX_RETRIES) {
+            await new Promise((r) => setTimeout(r, CSRF_RETRY_DELAY * attempt));
+        }
     }
-    session = { csrfToken: token };
-    return token;
+    throw lastError instanceof AdtError
+        ? lastError
+        : new AdtError("Falha ao obter CSRF token do SAP ADT após 3 tentativas. Verifique se o serviço /sap/bc/adt/discovery está ativo.", 0, "/discovery");
 }
 function resetSession() {
     session = null;

package/dist/cli/activate.js

@@ -35,12 +35,36 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.readLicense = readLicense;
 exports.activate = activate;
+const crypto = __importStar(require("crypto"));
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const LICENSE_DIR = path.join(process.env.HOME || "~", ".abap-ai");
 const LICENSE_PATH = path.join(LICENSE_DIR, "license.json");
-// TODO: Substituir pela URL real quando o license server existir
-const LICENSE_API_URL = "https://api.lkpabap.ai/v1/license/validate";
+// ── Beta key validation (offline, HMAC-based) ───────────────────────
+// Em produção será substituído por fetch ao license server (api.lkpabap.ai)
+const BETA_SECRET = "lkp-beta-2026-xK9mQ3vR";
+const PLAN_MAP = { ST: "starter", PR: "pro", EN: "enterprise" };
+function validateBetaKey(key) {
+    const upper = key.toUpperCase();
+    const match = upper.match(/^LK-([A-Z]{2})([A-Z]{2})-([A-Z0-9]{4})-([A-Z0-9]{4})$/);
+    if (!match)
+        return null;
+    const [, planCode, modeCode, rand, checksum] = match;
+    const plan = PLAN_MAP[planCode];
+    if (!plan || modeCode !== "BK")
+        return null;
+    // Recalcula HMAC e compara com o checksum da chave
+    const payload = `${planCode}${modeCode}-${rand}`;
+    const expected = crypto
+        .createHmac("sha256", BETA_SECRET)
+        .update(payload)
+        .digest("hex")
+        .toUpperCase()
+        .slice(0, 4);
+    if (checksum !== expected)
+        return null;
+    return { plan };
+}
 function saveLicense(license) {
     if (!fs.existsSync(LICENSE_DIR)) {
         fs.mkdirSync(LICENSE_DIR, { recursive: true });
@@ -58,10 +82,6 @@ function readLicense() {
 }
 async function activate(key) {
     console.log("\n  ⏳ Validando licença...");
-    // -----------------------------------------------------------------
-    // STUB: Enquanto o license server não existe, simula validação local
-    // Aceita qualquer chave no formato LK-XXXX-XXXX-XXXX
-    // -----------------------------------------------------------------
     const keyPattern = /^LK-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/i;
     if (!keyPattern.test(key)) {
         console.log(`  ✗ Formato de chave inválido.`);
@@ -69,25 +89,27 @@ async function activate(key) {
         console.log(`    Adquira em: https://lkpabap.ai\n`);
         process.exit(1);
     }
-    // Simular chamada ao license server
-    // TODO: Substituir por fetch real ao LICENSE_API_URL
-    const isAllInOne = key.toUpperCase().startsWith("LK-A");
-    const plan = key.toUpperCase().includes("ENT") ? "enterprise" : key.toUpperCase().includes("STA") ? "starter" : "pro";
+    // ── Tenta validação offline (beta keys com HMAC) ──────────────────
+    // TODO: Quando o license server existir, tentar fetch a api.lkpabap.ai primeiro
+    const beta = validateBetaKey(key);
+    if (!beta) {
+        console.log(`  ✗ Chave inválida ou expirada.`);
+        console.log(`    Verifique a chave recebida ou solicite uma nova.\n`);
+        process.exit(1);
+    }
+    const { plan } = beta;
     const license = {
         key: key.toUpperCase(),
         plan,
-        mode: isAllInOne ? "allinone" : "byok",
         limits: {
             systems: plan === "starter" ? 1 : plan === "pro" ? 3 : -1,
             calls_per_day: plan === "starter" ? 200 : -1,
-            tokens_per_month: isAllInOne ? (plan === "starter" ? 500000 : plan === "pro" ? 5000000 : 20000000) : undefined,
         },
-        expires: new Date(Date.now() + 365 * 24 * 60 * 60 * 1000).toISOString().split("T")[0],
+        expires: new Date(Date.now() + 90 * 24 * 60 * 60 * 1000).toISOString().split("T")[0],
         validated_at: new Date().toISOString(),
-        proxy_url: isAllInOne ? "https://proxy.lkpabap.ai/v1" : null,
     };
     saveLicense(license);
-    const planLabel = `${plan.charAt(0).toUpperCase() + plan.slice(1)} (${license.mode === "byok" ? "BYOK" : "All-in-One"})`;
+    const planLabel = `${plan.charAt(0).toUpperCase() + plan.slice(1)} (BYOK)`;
     const systemsLabel = license.limits.systems === -1 ? "Ilimitado" : `até ${license.limits.systems}`;
     const callsLabel = license.limits.calls_per_day === -1 ? "Ilimitado" : `${license.limits.calls_per_day}/dia`;
     console.log(`  ✓ Licença válida!`);
@@ -96,18 +118,9 @@ async function activate(key) {
   │  Plano:        ${planLabel.padEnd(25)}│
   │  Válido até:   ${license.expires.padEnd(25)}│
   │  Sistemas:     ${systemsLabel.padEnd(25)}│
-  │  Chamadas/dia: ${callsLabel.padEnd(25)}│`);
-    if (license.mode === "allinone") {
-        const tokensLabel = license.limits.tokens_per_month
-            ? `${(license.limits.tokens_per_month / 1000000).toFixed(0)}M`
-            : "N/A";
-        console.log(`  │  Tokens/mês:   ${tokensLabel.padEnd(25)}│`);
-        console.log(`  │${" ".repeat(42)}│`);
-        console.log(`  │  ✓ Claude proxy configurado${" ".repeat(13)}│`);
-        console.log(`  │    URL: ${(license.proxy_url || "").padEnd(32)}│`);
-    }
-    console.log(`  │${" ".repeat(42)}│`);
-    console.log(`  │  Licença salva em ~/.abap-ai/license${" ".repeat(4)}│`);
-    console.log(`  ╰──────────────────────────────────────────╯`);
+  │  Chamadas/dia: ${callsLabel.padEnd(25)}│
+  │${" ".repeat(42)}│
+  │  Licença salva em ~/.abap-ai/license${" ".repeat(4)}│
+  ╰──────────────────────────────────────────╯`);
     console.log(`\n  Próximo passo: abap-ai init\n`);
 }

package/dist/cli/init.js

@@ -149,6 +149,7 @@ function addSystemToConfig(config, system) {
         SAP_USER: system.user,
         SAP_PASS: system.pass,
         SAP_LANGUAGE: system.language,
+        ABAP_AI_ENV_ROLE: system.environmentRole,
     };
     if (system.selfSignedSsl) {
         env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
@@ -214,6 +215,17 @@ async function promptSystem() {
             message: "Certificado SSL self-signed?",
             initial: true,
         },
+        {
+            type: "select",
+            name: "environmentRole",
+            message: "Papel do ambiente (controla quais operações o LKPABAP.ai pode executar)",
+            choices: [
+                { title: "DEVELOPMENT — leitura + escrita + criação (padrão para DEV)", value: "DEVELOPMENT" },
+                { title: "QUALITY    — somente leitura (padrão para QAS/QA)", value: "QUALITY" },
+                { title: "PRODUCTION — somente leitura, mais restritivo (padrão para PRD)", value: "PRODUCTION" },
+            ],
+            initial: 0,
+        },
     ], {
         onCancel: () => {
             console.log("\n  Cancelado.");
@@ -231,6 +243,7 @@ async function promptSystem() {
         pass: response.pass,
         language: (response.language?.trim() || "PT").toUpperCase(),
         selfSignedSsl: response.selfSignedSsl ?? true,
+        environmentRole: response.environmentRole || "DEVELOPMENT",
     };
 }
 // ---------------------------------------------------------------------------
@@ -239,7 +252,7 @@ async function promptSystem() {
 async function init() {
     console.log(`
   ╭─────────────────────────────────────╮
-  │  LKPABAP.ia — Setup                │
+  │  LKPABAP.ai — Setup                │
   │  Conecte o Claude ao seu SAP       │
   ╰─────────────────────────────────────╯
 `);
@@ -318,7 +331,9 @@ async function init() {
             const sn = `abap-${name}`;
             const env = config.mcpServers[sn]?.env || {};
             const client = env.SAP_CLIENT || "?";
-            const line = `  │    • ${name}  (client ${client})`;
+            const role = env.ABAP_AI_ENV_ROLE || "DEV";
+            const roleTag = role === "PRODUCTION" ? "PRD" : role === "QUALITY" ? "QAS" : "DEV";
+            const line = `  │    • ${name}  (client ${client}, ${roleTag})`;
             console.log(`${line}${" ".repeat(Math.max(1, 48 - line.length))}│`);
         }
         console.log(`  │${" ".repeat(46)}│

package/dist/cli/status.js

@@ -146,7 +146,7 @@ function countKnowledge() {
 async function status() {
     console.log(`
   ╭──────────────────────────────────────────────╮
-  │  LKPABAP.ia v${VERSION}${" ".repeat(30 - VERSION.length)}│
+  │  LKPABAP.ai v${VERSION}${" ".repeat(30 - VERSION.length)}│
   ╰──────────────────────────────────────────────╯`);
     // Licença
     console.log(`
@@ -158,7 +158,7 @@ async function status() {
         const expires = new Date(license.expires);
         const daysLeft = Math.ceil((expires.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
         const expired = daysLeft <= 0;
-        const planLabel = `${license.plan.charAt(0).toUpperCase() + license.plan.slice(1)} (${license.mode === "byok" ? "BYOK" : "All-in-One"})`;
+        const planLabel = `${license.plan.charAt(0).toUpperCase() + license.plan.slice(1)} (BYOK)`;
         console.log(`  Plano:        ${planLabel}`);
         console.log(`  Válido até:   ${license.expires} (${expired ? "EXPIRADA" : `${daysLeft} dias restantes`})`);
         console.log(`  Status:       ${expired ? "✗ Expirada — renove em https://lkpabap.ai" : "✓ Ativa"}`);

package/dist/cli.js

@@ -8,7 +8,7 @@ const remove_js_1 = require("./cli/remove.js");
 const systems_js_1 = require("./cli/systems.js");
 const VERSION = "2.0.0";
 const HELP = `
-  LKPABAP.ia — AI-powered ABAP development for SAP
+  LKPABAP.ai — AI-powered ABAP development for SAP
 
   Uso:
     abap-ai <comando> [opções]
@@ -38,7 +38,7 @@ async function main() {
         return;
     }
     if (command === "--version" || command === "-v") {
-        console.log(`LKPABAP.ia v${VERSION}`);
+        console.log(`LKPABAP.ai v${VERSION}`);
         return;
     }
     switch (command) {

package/dist/index.js

@@ -55,15 +55,64 @@ const knowledge_js_1 = require("./tools/knowledge.js");
 const create_dcl_js_1 = require("./tools/create-dcl.js");
 const create_amdp_js_1 = require("./tools/create-amdp.js");
 const system_profile_js_1 = require("./system-profile.js");
+const security_policy_js_1 = require("./security-policy.js");
+const security_audit_js_1 = require("./security-audit.js");
+const license_guard_js_1 = require("./license-guard.js");
 const server = new mcp_js_1.McpServer({
     name: "abap-adt",
     version: "2.0.0",
 });
+// ─── License Guard (wraps all tool handlers) ─────────────────────
+// Intercepta server.tool para injetar licenseGuard() automaticamente.
+// Toda tool retorna erro amigável se a licença é ausente ou expirada.
+{
+    const _origTool = server.tool.bind(server);
+    server.tool = (...args) => {
+        const handler = args[args.length - 1];
+        args[args.length - 1] = async (...handlerArgs) => {
+            const licBlock = (0, license_guard_js_1.licenseGuard)();
+            if (licBlock)
+                return licBlock;
+            return await handler(...handlerArgs);
+        };
+        return _origTool.apply(server, args);
+    };
+}
+// ─── Security Guard ───────────────────────────────────────────────
+/**
+ * Verifica se uma tool pode ser executada sob a security policy atual.
+ * Retorna null se permitido, ou uma resposta de erro MCP se bloqueado.
+ */
+function securityGuard(toolName, transportRequest) {
+    const policy = (0, security_policy_js_1.getPolicy)();
+    const riskLevel = (0, security_policy_js_1.getToolRisk)(toolName);
+    // 1. Verificar acesso pela policy
+    const accessCheck = (0, security_policy_js_1.checkToolAccess)(toolName, policy);
+    if (!accessCheck.allowed) {
+        (0, security_audit_js_1.auditBlocked)(toolName, riskLevel, policy.environment_role, accessCheck.reason || "policy");
+        return {
+            content: [{ type: "text", text: accessCheck.reason || `Tool ${toolName} bloqueada.` }],
+            isError: true,
+        };
+    }
+    // 2. Verificar transport request obrigatório
+    const transportCheck = (0, security_policy_js_1.checkTransportRequired)(toolName, transportRequest, policy);
+    if (!transportCheck.allowed) {
+        (0, security_audit_js_1.auditBlocked)(toolName, riskLevel, policy.environment_role, transportCheck.reason || "transport required");
+        return {
+            content: [{ type: "text", text: transportCheck.reason || `Transport request obrigatório.` }],
+            isError: true,
+        };
+    }
+    // 3. Permitido — registrar no audit
+    (0, security_audit_js_1.auditAllowed)(toolName, riskLevel, policy.environment_role);
+    return null;
+}
 // Tool: abap_read
 server.tool("abap_read", "Lê o código-fonte de um objeto ABAP no sistema SAP via ADT API. Para tabelas (TABL/DT), estruturas (TABL/DS) e table types (TTYP/TT), retorna a lista de campos com tipo e descrição.", {
     object_type: zod_1.z
-        .enum(["PROG/P", "CLAS/OC", "FUGR/FF", "DOMA/D", "DTEL/D", "TABL/DT", "TABL/DS", "TTYP/TT", "INTF/OI", "DDLS/DF", "DDLX/MX", "SRVD/SRV", "BDEF/BDO", "SRVB/SVB"])
-        .describe("Tipo do objeto SAP. Ex: PROG/P (report), CLAS/OC (classe), DDLS/DF (CDS view), TABL/DT (tabela), TABL/DS (estrutura), TTYP/TT (table type)."),
+        .enum(["PROG/P", "CLAS/OC", "FUGR/FF", "DOMA/D", "DTEL/D", "TABL/DT", "TABL/DS", "TTYP/TT", "INTF/OI", "DDLS/DF", "DDLX/MX", "SRVD/SRV", "BDEF/BDO", "SRVB/SVB", "MSAG/N", "ENHO/EO"])
+        .describe("Tipo do objeto SAP. Ex: PROG/P (report), CLAS/OC (classe), DDLS/DF (CDS view), TABL/DT (tabela), MSAG/N (classe de mensagens), ENHO/EO (enhancement implementation)."),
     object_name: zod_1.z
         .string()
         .describe("Nome do objeto ABAP (ex: ZR_SD_PEDIDOS_ABERTOS)."),
@@ -106,6 +155,9 @@ server.tool("abap_write", "Grava código-fonte em um objeto ABAP existente no si
         .optional()
         .describe("Ordem de transporte (ex: ECDK900123). Obrigatória para objetos em pacotes não-locais."),
 }, async ({ object_type, object_name, source, class_include, transport_request }) => {
+    const blocked = securityGuard("abap_write", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, write_js_1.abapWrite)({ object_type, object_name, source, class_include, transport_request });
         return {
@@ -129,6 +181,9 @@ server.tool("abap_activate", "Ativa um objeto ABAP no sistema SAP via ADT API. R
         .string()
         .describe("Nome do objeto ABAP (ex: ZTESTEDENIS)."),
 }, async ({ object_type, object_name }) => {
+    const blocked = securityGuard("abap_activate");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, activate_js_1.abapActivate)({ object_type, object_name });
         return {
@@ -173,6 +228,9 @@ server.tool("abap_create", "Cria um novo objeto ABAP no sistema SAP via ADT API.
         .optional()
         .describe("Ordem de transporte (ex: ECDK900123). Se omitida, o SAP usa $TMP ou atribui automaticamente."),
 }, async ({ object_type, object_name, description, package: pkg, srvd_name, binding_type, transport_request }) => {
+    const blocked = securityGuard("abap_create", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_js_1.abapCreate)({ object_type, object_name, description, package: pkg, srvd_name, binding_type, transport_request });
         return {
@@ -302,6 +360,9 @@ server.tool("abap_assign_transport", "Vincula um objeto ABAP existente a uma ord
         .string()
         .describe("Nome do objeto ABAP a vincular."),
 }, async ({ transport_request, object_type, object_name }) => {
+    const blocked = securityGuard("abap_assign_transport", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, transports_js_1.abapAssignTransport)({ transport_request, object_type, object_name });
         return {
@@ -358,6 +419,9 @@ server.tool("abap_scaffold_rap", "Cria um stack RAP completo no SAP com 4 scenar
         .optional()
         .describe("Ordem de transporte para todos os objetos criados."),
 }, async ({ base_name, description, scenario, child_entities, with_feature_control, with_business_events, package: pkg, binding_type, transport_request }) => {
+    const blocked = securityGuard("abap_scaffold_rap", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, scaffold_rap_js_1.abapScaffoldRap)({ base_name, description, scenario, child_entities, with_feature_control, with_business_events, package: pkg, binding_type, transport_request });
         return {
@@ -382,6 +446,9 @@ server.tool("abap_publish_binding", "Publica uma Service Binding (SRVB/SVB) no S
         .optional()
         .describe("Versão do serviço no Gateway (padrão: '0001')."),
 }, async ({ binding_name, service_version }) => {
+    const blocked = securityGuard("abap_publish_binding");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, publish_binding_js_1.abapPublishBinding)({ binding_name, service_version });
         return {
@@ -417,6 +484,9 @@ server.tool("abap_deploy_bsp", "Faz deploy de uma aplicação Fiori/UI5 para o A
         .optional()
         .describe("Ordem de transporte (ex: ECDK900123). Obrigatória se o pacote não for $TMP."),
 }, async ({ bsp_name, folder_path, package: pkg, description, transport_request }) => {
+    const blocked = securityGuard("abap_deploy_bsp", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, deploy_bsp_js_1.abapDeployBsp)({ bsp_name, folder_path, package: pkg, description, transport_request });
         return {
@@ -492,8 +562,9 @@ server.tool("abap_data_preview", "Visualiza dados de uma tabela transparente ou
         .optional()
         .describe("Colunas a retornar, separadas por vírgula (ex: MATNR,MTART,MBRSH)."),
 }, async ({ object_name, max_rows, where_clause, order_by, columns }) => {
+    const effectiveRows = (0, security_policy_js_1.getEffectiveMaxRows)(max_rows ?? 100, (0, security_policy_js_1.getPolicy)());
     try {
-        const result = await (0, data_preview_js_1.abapDataPreview)({ object_name, max_rows, where_clause, order_by, columns });
+        const result = await (0, data_preview_js_1.abapDataPreview)({ object_name, max_rows: effectiveRows, where_clause, order_by, columns });
         return {
             content: [{ type: "text", text: result }],
         };
@@ -721,6 +792,9 @@ server.tool("abap_release_transport", "Libera uma ordem de transporte no SAP. AT
         .string()
         .describe("Número da ordem de transporte a liberar (ex: ECDK900123)."),
 }, async ({ transport_request }) => {
+    const blocked = securityGuard("abap_release_transport", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, release_transport_js_1.abapReleaseTransport)({ transport_request });
         return {
@@ -748,6 +822,9 @@ server.tool("abap_delete", "Exclui um objeto ABAP do sistema SAP. ATENÇÃO: ope
         .optional()
         .describe("Ordem de transporte (obrigatória para objetos em pacotes não-locais)."),
 }, async ({ object_type, object_name, transport_request }) => {
+    const blocked = securityGuard("abap_delete", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, delete_js_1.abapDeleteObject)({ object_type, object_name, transport_request });
         return {
@@ -787,6 +864,9 @@ server.tool("abap_refactor_rename", "Renomeia um símbolo (variável, método, a
         .optional()
         .describe("Include da classe. Apenas para CLAS/OC. Padrão: main."),
 }, async ({ object_type, object_name, old_name, new_name, line, column, class_include }) => {
+    const blocked = securityGuard("abap_refactor_rename");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, refactor_rename_js_1.abapRefactorRename)({ object_type, object_name, old_name, new_name, line, column, class_include });
         return {
@@ -879,6 +959,9 @@ server.tool("abap_quick_fix", "Obtém e aplica correções rápidas (quick fixes
         .describe("Include da classe. Apenas para CLAS/OC."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte para aplicar o fix."),
 }, async ({ object_type, object_name, line, column, fix_index, class_include, transport_request }) => {
+    const blocked = securityGuard("abap_quick_fix", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, quick_fix_js_1.abapQuickFix)({ object_type, object_name, line, column, fix_index, class_include, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -903,6 +986,9 @@ server.tool("abap_extract_method", "Extrai um trecho de código ABAP selecionado
         .describe("Include da classe. Apenas para CLAS/OC."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte (se necessário)."),
 }, async ({ object_type, object_name, start_line, end_line, new_method_name, class_include, transport_request }) => {
+    const blocked = securityGuard("abap_extract_method", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, extract_method_js_1.abapExtractMethod)({ object_type, object_name, start_line, end_line, new_method_name, class_include, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -933,8 +1019,9 @@ server.tool("abap_sql_console", "Executa uma consulta ABAP SQL (Open SQL) no sis
     sql: zod_1.z.string().describe("Consulta ABAP SQL. Ex: SELECT * FROM mara WHERE matnr LIKE 'Z%' ORDER BY matnr UP TO 100 ROWS"),
     max_rows: zod_1.z.number().optional().describe("Número máximo de linhas retornadas (padrão: 100)."),
 }, async ({ sql, max_rows }) => {
+    const effectiveRows = (0, security_policy_js_1.getEffectiveMaxRows)(max_rows ?? 100, (0, security_policy_js_1.getPolicy)());
     try {
-        const result = await (0, sql_console_js_1.abapSqlConsole)({ sql, max_rows });
+        const result = await (0, sql_console_js_1.abapSqlConsole)({ sql, max_rows: effectiveRows });
         return { content: [{ type: "text", text: result }] };
     }
     catch (error) {
@@ -961,6 +1048,9 @@ server.tool("abap_create_transport", "Cria uma nova ordem de transporte (workben
     type: zod_1.z.enum(["W", "K"]).optional().describe("Tipo: W=Workbench (padrão), K=Customizing."),
     target: zod_1.z.string().optional().describe("Sistema de destino (ex: QAS). Opcional."),
 }, async ({ description, type, target }) => {
+    const blocked = securityGuard("abap_create_transport");
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_transport_js_1.abapCreateTransport)({ description, type, target });
         return { content: [{ type: "text", text: result }] };
@@ -1144,6 +1234,9 @@ server.tool("abap_git_pull", "Executa pull de um repositório abapGit no sistema
     branch: zod_1.z.string().optional().describe("Nome do branch (padrão: main)."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte para os objetos importados."),
 }, async ({ repo_id, branch, transport_request }) => {
+    const blocked = securityGuard("abapgit_pull", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, abapgit_js_1.abapGitPull)({ repo_id, branch, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1163,6 +1256,9 @@ server.tool("abap_git_stage", "Mostra status de staging e executa push para um r
     message: zod_1.z.string().optional().describe("Mensagem de commit (obrigatória para push)."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte."),
 }, async ({ repo_id, action, message: commitMsg, transport_request }) => {
+    const blocked = securityGuard("abapgit_stage", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, abapgit_js_1.abapGitStage)({ repo_id, action, message: commitMsg, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1233,6 +1329,9 @@ server.tool("abap_create_dcl", "Cria um objeto DCL (Data Control Language) para
     package: zod_1.z.string().optional().describe("Pacote SAP. Padrão: '$TMP'."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte."),
 }, async ({ dcl_name, cds_entity, auth_type, auth_mappings, literal_conditions, with_user_aspect, package: pkg, transport_request }) => {
+    const blocked = securityGuard("abap_create_dcl", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_dcl_js_1.abapCreateDcl)({ dcl_name, cds_entity, auth_type, auth_mappings, literal_conditions, with_user_aspect, package: pkg, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1262,6 +1361,9 @@ server.tool("abap_create_amdp", "Cria uma classe AMDP (ABAP Managed Database Pro
     package: zod_1.z.string().optional().describe("Pacote SAP. Padrão: '$TMP'."),
     transport_request: zod_1.z.string().optional().describe("Ordem de transporte."),
 }, async ({ class_name, method_name, method_type, importing: imp, exporting_table, cds_entity, description, package: pkg, transport_request }) => {
+    const blocked = securityGuard("abap_create_amdp", transport_request);
+    if (blocked)
+        return blocked;
     try {
         const result = await (0, create_amdp_js_1.abapCreateAmdp)({ class_name, method_name, method_type, importing: imp, exporting_table, cds_entity, description, package: pkg, transport_request });
         return { content: [{ type: "text", text: result }] };
@@ -1305,12 +1407,32 @@ server.resource("system-profile", "abap://system-profile", { description: "Perfi
             }],
     };
 });
+// Resource: security-policy
+server.resource("security-policy", "abap://security-policy", { description: "Política de segurança ativa — environment role, níveis permitidos, tools bloqueadas, limites. Configurável via env ABAP_AI_ENV_ROLE ou arquivo ~/.abap-ai/security-policy.json." }, async () => {
+    const policy = (0, security_policy_js_1.getPolicy)();
+    const toolRiskMap = {
+        blocked_tools: policy.always_blocked,
+        environment: policy.environment_role,
+        allowed_operations: policy.allowed_levels,
+        require_transport: policy.require_transport,
+        max_preview_rows: policy.max_preview_rows,
+    };
+    return {
+        contents: [{
+                uri: "abap://security-policy",
+                mimeType: "application/json",
+                text: JSON.stringify(toolRiskMap, null, 2),
+            }],
+    };
+});
 // Inicializa o servidor via stdio (modo Claude Code MCP)
 async function main() {
     const transport = new stdio_js_1.StdioServerTransport();
     await server.connect(transport);
     const profile = (0, system_profile_js_1.getProfile)();
-    process.stderr.write(`abap-mcp-server v2.0.0 iniciado | System: ${profile.system.type} | ABAP: ${profile.system.abapPlatform}\n`);
+    const policy = (0, security_policy_js_1.getPolicy)();
+    const licLabel = (0, license_guard_js_1.licenseStatusLabel)();
+    process.stderr.write(`abap-mcp-server v2.2.0 iniciado | License: ${licLabel} | System: ${profile.system.type} | ABAP: ${profile.system.abapPlatform} | Security: ${policy.environment_role} (${policy.allowed_levels.join("+")})\n`);
 }
 main().catch((err) => {
     process.stderr.write(`Falha ao iniciar servidor: ${err}\n`);

package/dist/license-guard.js

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * License Guard — valida licença antes de executar qualquer tool.
+ *
+ * Singleton: lê ~/.abap-ai/license.json uma vez e cacheia.
+ * licenseGuard() retorna null se OK, ou MCP error response se bloqueado.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getLicense = getLicense;
+exports.reloadLicense = reloadLicense;
+exports.licenseGuard = licenseGuard;
+exports.licenseStatusLabel = licenseStatusLabel;
+const activate_js_1 = require("./cli/activate.js");
+// ─── Singleton ───────────────────────────────────────────────────
+let cachedLicense = undefined;
+/**
+ * Retorna a licença cacheada. null = arquivo não existe ou inválido.
+ */
+function getLicense() {
+    if (cachedLicense === undefined) {
+        cachedLicense = (0, activate_js_1.readLicense)();
+    }
+    return cachedLicense;
+}
+/**
+ * Força releitura do license.json (útil após activate).
+ */
+function reloadLicense() {
+    cachedLicense = undefined;
+    return getLicense();
+}
+function daysUntilExpiry(expiresStr) {
+    const expires = new Date(expiresStr + "T23:59:59");
+    const now = new Date();
+    return Math.ceil((expires.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
+}
+/**
+ * Verifica se a licença é válida.
+ * Retorna null se OK, ou MCP error response se bloqueado.
+ */
+function licenseGuard() {
+    const license = getLicense();
+    if (!license) {
+        return {
+            content: [{
+                    type: "text",
+                    text: "LKPABAP.ai — Licença não encontrada.\n\n" +
+                        "Para usar as ferramentas, ative sua licença:\n\n" +
+                        "  abap-ai activate LK-XXXX-XXXX-XXXX\n\n" +
+                        "Adquira em: https://lkpabap.ai",
+                }],
+            isError: true,
+        };
+    }
+    const daysLeft = daysUntilExpiry(license.expires);
+    if (daysLeft <= 0) {
+        return {
+            content: [{
+                    type: "text",
+                    text: `LKPABAP.ai — Licença expirada em ${license.expires}.\n\n` +
+                        "Renove sua licença:\n\n" +
+                        "  abap-ai activate <NOVA-CHAVE>\n\n" +
+                        "Renove em: https://lkpabap.ai",
+                }],
+            isError: true,
+        };
+    }
+    return null;
+}
+/**
+ * Retorna string de status para log no startup.
+ */
+function licenseStatusLabel() {
+    const license = getLicense();
+    if (!license)
+        return "SEM LICENÇA";
+    const daysLeft = daysUntilExpiry(license.expires);
+    if (daysLeft <= 0)
+        return "EXPIRADA";
+    return `${license.plan} até ${license.expires}`;
+}

package/dist/security-audit.js

@@ -0,0 +1,136 @@
+"use strict";
+/**
+ * Security Audit Log — registro de operações de segurança.
+ *
+ * Registra todas as operações WRITE, CREATE, DESTRUCTIVE e ADMIN,
+ * incluindo tentativas bloqueadas pela security policy.
+ * Separado do logger de chamadas ADT — este é focado em governança.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.auditLog = auditLog;
+exports.auditAllowed = auditAllowed;
+exports.auditBlocked = auditBlocked;
+exports.getSessionAudit = getSessionAudit;
+exports.getAuditSummary = getAuditSummary;
+exports.readTodayAudit = readTodayAudit;
+const fs_1 = require("fs");
+const path_1 = require("path");
+// ─── Config ───────────────────────────────────────────────────────
+const AUDIT_DIR = process.env.ABAP_AI_AUDIT_DIR || (0, path_1.join)(process.env.HOME || "~", ".abap-ai", "audit");
+const AUDIT_ENABLED = process.env.ABAP_AI_AUDIT !== "false";
+// ─── Estado da sessão ─────────────────────────────────────────────
+const sessionAuditEntries = [];
+// ─── Funções ──────────────────────────────────────────────────────
+function ensureAuditDir() {
+    if (!(0, fs_1.existsSync)(AUDIT_DIR)) {
+        (0, fs_1.mkdirSync)(AUDIT_DIR, { recursive: true });
+    }
+}
+function auditFileName() {
+    const date = new Date().toISOString().slice(0, 10);
+    return (0, path_1.join)(AUDIT_DIR, `security-${date}.jsonl`);
+}
+/**
+ * Extrai o hostname do SAP_URL para identificar o sistema no audit.
+ */
+function getSystemId() {
+    const url = process.env.SAP_URL || "unknown";
+    try {
+        return new URL(url).hostname;
+    }
+    catch {
+        return url;
+    }
+}
+/**
+ * Registra uma entrada no audit log de segurança.
+ */
+function auditLog(entry) {
+    const fullEntry = {
+        timestamp: new Date().toISOString(),
+        system: getSystemId(),
+        user: process.env.SAP_USER || "unknown",
+        ...entry,
+    };
+    sessionAuditEntries.push(fullEntry);
+    if (!AUDIT_ENABLED)
+        return;
+    try {
+        ensureAuditDir();
+        (0, fs_1.appendFileSync)(auditFileName(), JSON.stringify(fullEntry) + "\n", "utf-8");
+    }
+    catch {
+        // Audit silencioso — não deve quebrar operações
+    }
+}
+/**
+ * Atalho para registrar uma operação permitida.
+ */
+function auditAllowed(tool, riskLevel, environment, params) {
+    auditLog({
+        tool,
+        risk_level: riskLevel,
+        environment,
+        result: "ALLOWED",
+        params,
+    });
+}
+/**
+ * Atalho para registrar uma operação bloqueada.
+ */
+function auditBlocked(tool, riskLevel, environment, reason, params) {
+    auditLog({
+        tool,
+        risk_level: riskLevel,
+        environment,
+        result: "BLOCKED",
+        reason,
+        params,
+    });
+}
+/**
+ * Retorna as entradas de audit da sessão atual.
+ */
+function getSessionAudit() {
+    return [...sessionAuditEntries];
+}
+/**
+ * Retorna resumo do audit da sessão para exibição.
+ */
+function getAuditSummary() {
+    const allowed = sessionAuditEntries.filter((e) => e.result === "ALLOWED").length;
+    const blocked = sessionAuditEntries.filter((e) => e.result === "BLOCKED").length;
+    const byTool = {};
+    for (const entry of sessionAuditEntries) {
+        if (!byTool[entry.tool])
+            byTool[entry.tool] = { allowed: 0, blocked: 0 };
+        if (entry.result === "ALLOWED")
+            byTool[entry.tool].allowed++;
+        else
+            byTool[entry.tool].blocked++;
+    }
+    return {
+        total: sessionAuditEntries.length,
+        allowed,
+        blocked,
+        by_tool: byTool,
+    };
+}
+/**
+ * Lê o audit log do dia atual.
+ */
+function readTodayAudit() {
+    try {
+        const file = auditFileName();
+        if (!(0, fs_1.existsSync)(file))
+            return [];
+        const content = (0, fs_1.readFileSync)(file, "utf-8");
+        return content
+            .split("\n")
+            .filter((line) => line.trim())
+            .map((line) => JSON.parse(line));
+    }
+    catch {
+        return [];
+    }
+}

package/dist/security-policy.js

@@ -0,0 +1,322 @@
+"use strict";
+/**
+ * Security Policy — controle de acesso por camada de ambiente SAP.
+ *
+ * Implementa o princípio: "O LKPABAP.ai NUNCA sobrepõe as restrições de
+ * segurança do SAP. Em PRD, só leitura. Em QAS, leitura + debug.
+ * Em DEV, tudo liberado. abap_release_transport sempre bloqueado."
+ *
+ * A autorização de dados (S_TADIR, S_DEVELOP, etc.) é 100% delegada ao SAP.
+ * Esta camada controla quais CATEGORIAS de operação o MCP server aceita executar.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getToolRisk = getToolRisk;
+exports.loadPolicy = loadPolicy;
+exports.checkToolAccess = checkToolAccess;
+exports.getEffectiveMaxRows = getEffectiveMaxRows;
+exports.checkTransportRequired = checkTransportRequired;
+exports.getPolicy = getPolicy;
+exports.setPolicy = setPolicy;
+exports.getDefaultPolicy = getDefaultPolicy;
+exports.listEnvironmentRoles = listEnvironmentRoles;
+const fs_1 = require("fs");
+const path_1 = require("path");
+/**
+ * Mapa de cada tool para seu nível de risco.
+ * Tools não listadas aqui são consideradas READ (safe by default).
+ */
+const TOOL_RISK = {
+    // READ — sem guard extra (default para tools não listadas)
+    abap_read: "READ",
+    abap_search: "READ",
+    abap_where_used: "READ",
+    abap_check: "READ",
+    abap_object_structure: "READ",
+    abap_data_preview: "READ",
+    abap_sql_console: "READ",
+    abap_element_info: "READ",
+    abap_pretty_printer: "READ",
+    abap_unit_test: "READ",
+    abap_atc_check: "READ",
+    abap_package_contents: "READ",
+    abap_object_versions: "READ",
+    abap_function_group: "READ",
+    abap_message_class: "READ",
+    abap_doc: "READ",
+    abap_code_completion: "READ",
+    abap_navigate: "READ",
+    abap_call_hierarchy: "READ",
+    abap_code_coverage: "READ",
+    abap_transport_contents: "READ",
+    abap_cds_annotations: "READ",
+    abap_cds_dependencies: "READ",
+    abap_annotation_propagation: "READ",
+    abap_enhancement_spot: "READ",
+    abap_lock_object: "READ",
+    abap_auth_object: "READ",
+    abap_number_range: "READ",
+    abap_repository_tree: "READ",
+    abap_discovery: "READ",
+    abap_released_apis: "READ",
+    abap_object_documentation: "READ",
+    abap_system_info: "READ",
+    abap_list_transports: "READ",
+    abap_knowledge: "READ",
+    abap_traces: "READ",
+    abap_breakpoints: "READ",
+    abapgit_repos: "READ",
+    // WRITE — modifica objetos existentes
+    abap_write: "WRITE",
+    abap_activate: "WRITE",
+    abap_refactor_rename: "WRITE",
+    abap_extract_method: "WRITE",
+    abap_quick_fix: "WRITE",
+    abap_publish_binding: "WRITE",
+    abap_deploy_bsp: "WRITE",
+    abap_assign_transport: "WRITE",
+    abapgit_pull: "WRITE",
+    abapgit_stage: "WRITE",
+    // CREATE — cria objetos novos no SAP
+    abap_create: "CREATE",
+    abap_create_transport: "CREATE",
+    abap_create_dcl: "CREATE",
+    abap_create_amdp: "CREATE",
+    abap_scaffold_rap: "CREATE",
+    // WRITE — delete segue a mesma regra de escrita (permitido em DEV, bloqueado em QAS/PRD)
+    abap_delete: "WRITE",
+    // ADMIN — operações administrativas de alto impacto (sempre bloqueado)
+    abap_release_transport: "ADMIN",
+};
+/**
+ * Retorna o nível de risco de uma tool.
+ */
+function getToolRisk(toolName) {
+    return TOOL_RISK[toolName] ?? "READ";
+}
+// ─── Policies padrão por ambiente ─────────────────────────────────
+const POLICY_DEVELOPMENT = {
+    environment_role: "DEVELOPMENT",
+    allowed_levels: ["READ", "WRITE", "CREATE"],
+    always_blocked: ["abap_release_transport"],
+    require_transport: false,
+    max_preview_rows: 0,
+};
+const POLICY_QUALITY = {
+    environment_role: "QUALITY",
+    allowed_levels: ["READ"],
+    always_blocked: [
+        "abap_release_transport",
+        "abap_delete",
+        "abap_scaffold_rap",
+        "abap_create",
+        "abap_create_dcl",
+        "abap_create_amdp",
+        "abap_write",
+        "abap_activate",
+        "abap_refactor_rename",
+        "abap_extract_method",
+        "abap_quick_fix",
+        "abap_publish_binding",
+        "abap_deploy_bsp",
+        "abapgit_pull",
+    ],
+    require_transport: true,
+    max_preview_rows: 100,
+};
+const POLICY_PRODUCTION = {
+    environment_role: "PRODUCTION",
+    allowed_levels: ["READ"],
+    always_blocked: [
+        "abap_release_transport",
+        "abap_delete",
+        "abap_scaffold_rap",
+        "abap_create",
+        "abap_create_dcl",
+        "abap_create_amdp",
+        "abap_create_transport",
+        "abap_write",
+        "abap_activate",
+        "abap_refactor_rename",
+        "abap_extract_method",
+        "abap_quick_fix",
+        "abap_publish_binding",
+        "abap_deploy_bsp",
+        "abapgit_pull",
+        "abapgit_stage",
+        "abap_assign_transport",
+    ],
+    require_transport: true,
+    max_preview_rows: 50,
+};
+const DEFAULT_POLICIES = {
+    DEVELOPMENT: POLICY_DEVELOPMENT,
+    QUALITY: POLICY_QUALITY,
+    PRODUCTION: POLICY_PRODUCTION,
+};
+// ─── Carregamento da policy ───────────────────────────────────────
+/**
+ * Caminho do arquivo de policy central (planos Enterprise/Corporate).
+ * Gestores podem travar a policy criando este arquivo.
+ */
+const CENTRAL_POLICY_PATH = (0, path_1.join)(process.env.HOME || "~", ".abap-ai", "security-policy.json");
+/**
+ * Carrega a policy do ambiente a partir de:
+ *   1. Variável de ambiente ABAP_AI_SECURITY_POLICY (JSON inline)
+ *   2. Arquivo central ~/.abap-ai/security-policy.json (Enterprise/Corporate)
+ *   3. Variável ABAP_AI_ENV_ROLE (DEVELOPMENT | QUALITY | PRODUCTION)
+ *   4. Default: DEVELOPMENT
+ */
+function loadPolicy() {
+    // 1. JSON inline (env var)
+    const policyJson = process.env.ABAP_AI_SECURITY_POLICY;
+    if (policyJson) {
+        try {
+            const parsed = JSON.parse(policyJson);
+            return mergeWithDefault(parsed);
+        }
+        catch {
+            // fallthrough
+        }
+    }
+    // 2. Arquivo central (gestores Enterprise/Corporate)
+    if ((0, fs_1.existsSync)(CENTRAL_POLICY_PATH)) {
+        try {
+            const raw = (0, fs_1.readFileSync)(CENTRAL_POLICY_PATH, "utf-8");
+            const parsed = JSON.parse(raw);
+            return mergeWithDefault(parsed);
+        }
+        catch {
+            // fallthrough
+        }
+    }
+    // 3. Env role simples
+    const envRole = (process.env.ABAP_AI_ENV_ROLE || "").toUpperCase();
+    if (DEFAULT_POLICIES[envRole]) {
+        return deepClone(DEFAULT_POLICIES[envRole]);
+    }
+    // 4. Default: DEVELOPMENT
+    return deepClone(POLICY_DEVELOPMENT);
+}
+/**
+ * Verifica se uma tool pode ser executada sob a policy atual.
+ */
+function checkToolAccess(toolName, policy) {
+    // 1. abap_release_transport — SEMPRE bloqueado, independente de qualquer config
+    if (toolName === "abap_release_transport") {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: abap_release_transport é sempre bloqueado pelo LKPABAP.ai. `
+                + `Liberar transportes é uma operação irreversível que pode propagar mudanças para ambientes produtivos. `
+                + `Execute esta operação manualmente na transação SE09/SE10 do SAP GUI.`,
+        };
+    }
+    // 2. Tool na lista de always_blocked
+    if (policy.always_blocked.includes(toolName)) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: A tool "${toolName}" não é permitida no ambiente ${policy.environment_role}. `
+                + `Esta restrição é definida pela política de segurança do sistema. `
+                + describeEnvironmentRestriction(policy.environment_role),
+        };
+    }
+    // 3. Nível de risco da tool vs níveis permitidos
+    const riskLevel = getToolRisk(toolName);
+    if (!policy.allowed_levels.includes(riskLevel)) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: A tool "${toolName}" requer nível "${riskLevel}", `
+                + `mas o ambiente ${policy.environment_role} só permite: ${policy.allowed_levels.join(", ")}. `
+                + describeEnvironmentRestriction(policy.environment_role),
+        };
+    }
+    return { allowed: true };
+}
+/**
+ * Retorna o limite de rows para preview/sql considerando a policy.
+ * Se a policy define um limite, usa o menor entre o limite da policy e o solicitado.
+ */
+function getEffectiveMaxRows(requestedRows, policy) {
+    if (policy.max_preview_rows <= 0)
+        return requestedRows;
+    return Math.min(requestedRows, policy.max_preview_rows);
+}
+/**
+ * Verifica se transport request é obrigatório e não foi fornecido.
+ */
+function checkTransportRequired(toolName, transportRequest, policy) {
+    const riskLevel = getToolRisk(toolName);
+    if (policy.require_transport
+        && (riskLevel === "WRITE" || riskLevel === "CREATE")
+        && !transportRequest) {
+        return {
+            allowed: false,
+            reason: `BLOQUEADO: O ambiente ${policy.environment_role} exige transport request para operações de ${riskLevel}. `
+                + `Informe o parâmetro transport_request (ex: "DEVK900123"). `
+                + `Use abap_list_transports ou abap_create_transport para obter um.`,
+        };
+    }
+    return { allowed: true };
+}
+// ─── Singleton ────────────────────────────────────────────────────
+let currentPolicy = null;
+/**
+ * Retorna a policy atual. Carrega do ambiente/arquivo na primeira chamada.
+ */
+function getPolicy() {
+    if (!currentPolicy) {
+        currentPolicy = loadPolicy();
+    }
+    return currentPolicy;
+}
+/**
+ * Força uma policy específica (usado em testes ou override programático).
+ */
+function setPolicy(policy) {
+    currentPolicy = policy;
+}
+/**
+ * Retorna a policy padrão para um environment role.
+ */
+function getDefaultPolicy(role) {
+    return deepClone(DEFAULT_POLICIES[role] || POLICY_DEVELOPMENT);
+}
+/**
+ * Lista os environment roles disponíveis.
+ */
+function listEnvironmentRoles() {
+    return ["DEVELOPMENT", "QUALITY", "PRODUCTION"];
+}
+// ─── Helpers ──────────────────────────────────────────────────────
+function describeEnvironmentRestriction(role) {
+    switch (role) {
+        case "PRODUCTION":
+            return "Em ambientes PRODUTIVOS, o LKPABAP.ai opera somente em modo leitura. "
+                + "Qualquer modificação deve ser feita via transporte a partir do ambiente de desenvolvimento.";
+        case "QUALITY":
+            return "Em ambientes de QUALIDADE (QAS), o LKPABAP.ai opera somente em modo leitura. "
+                + "Modificações devem ser transportadas a partir do ambiente de desenvolvimento.";
+        case "DEVELOPMENT":
+            return ""; // DEV não tem restrição descritiva
+        default:
+            return "";
+    }
+}
+function mergeWithDefault(partial) {
+    const role = partial.environment_role || "DEVELOPMENT";
+    const base = deepClone(DEFAULT_POLICIES[role] || POLICY_DEVELOPMENT);
+    return {
+        environment_role: partial.environment_role ?? base.environment_role,
+        allowed_levels: partial.allowed_levels ?? base.allowed_levels,
+        always_blocked: [
+            ...new Set([
+                ...base.always_blocked,
+                ...(partial.always_blocked ?? []),
+            ]),
+        ],
+        require_transport: partial.require_transport ?? base.require_transport,
+        max_preview_rows: partial.max_preview_rows ?? base.max_preview_rows,
+    };
+}
+function deepClone(obj) {
+    return JSON.parse(JSON.stringify(obj));
+}

package/dist/tools/activate.js

@@ -32,6 +32,9 @@ async function abapActivate(input) {
         },
         params: { method: "activate", preauditRequested: "true" },
         responseType: "text",
+        // Aceita 200 (ativação OK) e 400 (erros de sintaxe) — sem isso, axios rejeita non-2xx
+        // e o erro pode não ser propagado corretamente pelo MCP SDK
+        validateStatus: (status) => status === 200 || status === 400,
     });
     const { success, alreadyActive, messages } = parseActivationResponse(response.data);
     if (!success) {

package/dist/tools/read.js

@@ -4,6 +4,7 @@ exports.abapReadTool = void 0;
 exports.abapRead = abapRead;
 const adt_client_js_1 = require("../adt-client.js");
 const object_versions_js_1 = require("./object-versions.js");
+const message_class_js_1 = require("./message-class.js");
 function resolveSourcePath(adtPath, name, objectType, classInclude) {
     if (objectType === "CLAS/OC" && classInclude && classInclude !== "main") {
         return `/${adtPath}/${name}/includes/${classInclude}/source/main`;
@@ -106,6 +107,10 @@ async function abapRead(input) {
     const { object_type, object_name, class_include } = input;
     const name = object_name.toUpperCase();
     const adtPath = (0, adt_client_js_1.resolveAdtPath)(object_type);
+    // MSAG/N: delegar para abapMessageClass que já faz parsing do XML
+    if (object_type === "MSAG/N") {
+        return (0, message_class_js_1.abapMessageClass)({ message_class_name: name });
+    }
     // Para TABL/DT, TABL/DS e TTYP/TT: tentar /source/main primeiro (CDS DDL), se 404 ler metadados XML
     if (DDIC_METADATA_TYPES.includes(object_type)) {
         const nameLower = name.toLowerCase();
@@ -155,7 +160,7 @@ exports.abapReadTool = {
             object_type: {
                 type: "string",
                 description: "Tipo do objeto SAP. Exemplos: PROG/P (report), CLAS/OC (classe), FUGR/FF (function module), DDLS/DF (CDS view), TABL/DT (tabela transparente), TABL/DS (estrutura), INTF/OI (interface).",
-                enum: ["PROG/P", "CLAS/OC", "FUGR/FF", "DOMA/D", "DTEL/D", "TABL/DT", "TABL/DS", "INTF/OI", "DDLS/DF", "DDLX/MX", "SRVD/SRV", "BDEF/BDO", "SRVB/SVB"],
+                enum: ["PROG/P", "CLAS/OC", "FUGR/FF", "DOMA/D", "DTEL/D", "TABL/DT", "TABL/DS", "TTYP/TT", "INTF/OI", "DDLS/DF", "DDLX/MX", "SRVD/SRV", "BDEF/BDO", "SRVB/SVB", "MSAG/N", "ENHO/EO"],
             },
             object_name: {
                 type: "string",

package/dist/tools/system-info.js

@@ -233,18 +233,19 @@ function detectSystemType(discoveryXml, basisVersion, platform) {
     if (discoveryXml.includes("bw/modelingtools") || discoveryXml.includes("bw/querydesigner")) {
         return "SAP_BW";
     }
-    // S/4HANA = BASIS 750+ com certas capabilities
-    if (bv >= 750) {
-        // Verifica se tem RAP-related collections (mais provável S/4)
-        if (discoveryXml.includes("behaviordefinitions") || discoveryXml.includes("ServiceBindings")) {
-            return "ON_PREMISE_S4";
-        }
-    }
-    // ECC ou sistema antigo
+    // ECC ou sistema antigo (BASIS < 750 é sempre ECC)
     if (bv < 750)
         return "ON_PREMISE_ECC";
-    // Default para on-premise S/4
-    return "ON_PREMISE_S4";
+    // BASIS 750+: distinguir S/4HANA de ECC EHP8 (ambos têm BASIS 750)
+    // S/4HANA sempre inclui collections RAP/Service no discovery XML.
+    // ECC 750 NÃO tem esses endpoints — essa é a diferença chave.
+    const hasS4Collections = discoveryXml.includes("behaviordefinitions") ||
+        discoveryXml.includes("ServiceBindings") ||
+        discoveryXml.includes("ddic/srvd/sources");
+    if (hasS4Collections)
+        return "ON_PREMISE_S4";
+    // BASIS 750 sem collections S/4 = ECC EHP8
+    return "ON_PREMISE_ECC";
 }
 function detectRelease(basisVersion) {
     const bv = parseInt(basisVersion, 10) || 0;

package/dist/tools/transports.js

@@ -29,7 +29,8 @@ async function abapListTransports(input) {
     });
     const requests = parseTransportResponse(response.data);
     if (requests.length === 0) {
-        return `Nenhuma ordem de transporte aberta encontrada para ${user.toUpperCase()}.`;
+        return `Nenhuma ordem de transporte aberta encontrada para ${user.toUpperCase()}.\n` +
+            `Para criar uma nova request, use abap_create_transport ou crie manualmente via SE09/SE10 no SAP GUI.`;
     }
     const header = `Ordens de transporte abertas — ${user.toUpperCase()} (${requests.length}):\n`;
     const rows = requests.map((r) => {

package/dist/tools/write.js

@@ -31,6 +31,12 @@ async function abapWrite(input) {
             await (0, adt_client_js_1.adtPut)(sourcePath, source, etag, transport_request);
         }
         catch (putError) {
+            // Detectar erro de transport request obrigatória
+            if (isTransportRequiredError(putError) && !transport_request) {
+                throw new Error(`Objeto ${name} requer transport request para gravação (pacote não-local).\n` +
+                    `Use abap_list_transports para verificar requests abertas, ou abap_create_transport para criar uma nova.\n` +
+                    `Depois, informe o parâmetro transport_request (ex: "DEVK900123").`);
+            }
             // Workaround: em on-premise S/4, o GET retorna ETag com sufixo diferente do esperado pelo PUT.
             // Se o PUT falha com 412, extrai o ETag correto da mensagem de erro e tenta novamente.
             if ((0, system_profile_js_1.getProfile)().quirks.etagRequiresManualFix && is412Error(putError)) {
@@ -54,6 +60,19 @@ async function abapWrite(input) {
     }
     return `Objeto ${object_name} gravado com sucesso.`;
 }
+/** Detecta erros do SAP indicando que transport request é obrigatória */
+function isTransportRequiredError(error) {
+    if (error instanceof adt_client_js_1.AdtError) {
+        const msg = (error.sapMessage ?? error.message).toLowerCase();
+        return msg.includes("correction") || msg.includes("transport") || msg.includes("request");
+    }
+    const data = error.response?.data;
+    if (typeof data === "string") {
+        const lower = data.toLowerCase();
+        return lower.includes("correction") || lower.includes("transport request") || lower.includes("corrNr");
+    }
+    return false;
+}
 function is412Error(error) {
     return typeof error === "object" && error !== null &&
         "response" in error &&

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@linkup-ai/abap-ai",
-  "version": "2.0.0",
-  "description": "LKPABAP.ia — AI-powered ABAP development tools for SAP S/4HANA via ADT REST API",
+  "version": "2.2.0",
+  "description": "LKPABAP.ai — AI-powered ABAP development tools for SAP S/4HANA via ADT REST API",
   "main": "dist/index.js",
   "bin": {
     "abap-ai": "dist/cli.js"
@@ -11,7 +11,7 @@
     "README.md"
   ],
   "publishConfig": {
-    "access": "restricted"
+    "access": "public"
   },
   "license": "SEE LICENSE IN LICENSE",
   "keywords": [