@sap/cds 8.4.2 → 8.5.1

package/lib/ql/Query.js

@@ -3,7 +3,14 @@ const cds = require('../index')
 
 class Query {
 
-  constructor(_={}) { this[this.cmd] = _ }
+  /**
+   * The kind of query, as in CQN's SELECT, INSERT, UPDATE, DELETE, CREATE, DROP.
+   * Overridden in subclasses to return the respective kind.
+   */
+  get kind() { return this.constructor.name }
+  get _(){ return this[this.kind] }
+
+  constructor(_={}) { this[this.kind] = _ }
 
   /**
    * Note to self: We can't use .as (alias) as that would conflict with
@@ -16,12 +23,12 @@ class Query {
 
   /** Creates a derived instance that initially inherits all properties. */
   clone (_) {
-    const cmd = this.cmd || Object.keys(this)[0]
-    return {__proto__:this, [cmd]: {__proto__:this[cmd],..._} }
+    const kind = this.kind || Object.keys(this)[0]
+    return {__proto__:this, [kind]: {__proto__:this[kind],..._} }
   }
 
   flat (q=this) {
-    let x = q.cmd || Object.keys(q)[0], y = q[x]
+    let x = q.kind || Object.keys(q)[0], y = q[x]
     let protos = [y]; for (let o=y; o.__proto__;) protos.push (o = o.__proto__)
     q[x] = Object.assign ({}, ...protos.reverse())
     if (y.columns) for (let c of y.columns) if (c.SELECT) (this||Query.prototype).flat(c)
@@ -36,7 +43,7 @@ class Query {
   /** Turns all queries into Thenables which execute with primary db by default */
   get then() {
     const srv = this._srv || cds.db || cds.error `Can't execute query as no primary database is connected.`
-    const q = new AsyncResource('await cds.query')    
+    const q = new AsyncResource('await cds.query')
     return (r,e) => q.runInAsyncScope (srv.run, srv, this).then (r,e)
   }
 
@@ -75,7 +82,7 @@ class Query {
   }
 
   _add (property, values) {
-    const _ = this[this.cmd], pd = Reflect.getOwnPropertyDescriptor (_,property)
+    const {_} = this, pd = Reflect.getOwnPropertyDescriptor (_,property)
     _[property] = !pd || !pd.value ? values : [ ...pd.value, ...values ]
     return this
   }
@@ -85,8 +92,8 @@ class Query {
     return value
   }
 
-  valueOf (cmd=this.cmd) {
-    return `${cmd} ${_name(this._target.name)} `
+  valueOf (prelude = this.kind) {
+    return `${prelude} ${_name(this._target.name)} `
   }
 
   get _target_ref() {
@@ -115,6 +122,9 @@ class Query {
     return cds.infer (this, m?.definitions)
   }
   set target(t) { this._set('target',t) }
+
+  /** @deprecated use .kind instead */
+  get cmd() { return this.kind }
 }
 
 const _name = cds.env.sql.names === 'quoted' ? n =>`"${n}"` : n => n.replace(/[.:]/g,'_')

package/lib/ql/SELECT.js

@@ -3,6 +3,7 @@ const cds = require('../index')
 
 module.exports = class Query extends Whereable {
 
+  get kind() { return 'SELECT' }
   static _api() {
     const $ = Object.assign
     return $((..._)       => new this()._select_or_from(..._), {

package/lib/ql/UPDATE.js

@@ -3,6 +3,7 @@ const { parse } = require('../index')
 
 module.exports = class Query extends Whereable {
 
+  get kind() { return 'UPDATE' }
   static _api() {
     return Object.assign ((..._) => (new this).entity(..._), {
       entity: (..._) => (new this).entity(..._),
@@ -96,4 +97,4 @@ const _comma_separated_exprs = (s) => {
   return all
 }
 
-const operators = { '=':1, '-=':2, '+=':2, '*=':2, '/=':2, '%=':2 }
+const operators = { '=':1, '-=':2, '+=':2, '*=':2, '/=':2, '%=':2 }

package/lib/ql/UPSERT.js

@@ -1,3 +1,3 @@
 module.exports = class Query extends require('./INSERT') {
-  get _target_ref(){ return this.UPSERT.into }
+  get kind() { return 'UPSERT' }
 }

package/lib/ql/Whereable.js

@@ -11,12 +11,12 @@ class Query extends require('./Query') {
     if (!args[0]) return this
     let pred = predicate4(args, _where)
     if (pred && pred.length > 0) {
-      let _ = this[this.cmd]
+      let {_} = this
       const clause = _where ?? (
         _.having ? 'having' :
         _.where ? 'where' :
         _.from?.on ? 'on' :
-        error (`Invalid attempt to call '${this.cmd}.${and_or}()' before a prior call to '${this.cmd}.where()'`)
+        error (`Invalid attempt to call '${this.kind}.${and_or}()' before a prior call to '${this.kind}.where()'`)
       )
       if (clause === 'on') _ = _.from
       let left = _[clause]
@@ -102,7 +102,7 @@ const _object_predicate = ([arg], _clause) => { // e.g. .where ({ID:4711, stock:
     else if (x instanceof Buffer) pred.push('=', {val:x})
     else if (x instanceof RegExp) pred.push('like', {val:x})
     else if (x instanceof Date) pred.push('=', {val:x})
-    else if (typeof x === 'object') for (let op in x) x[op]?.in ? pred.push(op, ...predicate4([x[op]],_clause)) : pred.push(op, val(x[op])) // REVIST: Should always be proper recursion 
+    else if (typeof x === 'object') for (let op in x) x[op]?.in ? pred.push(op, ...predicate4([x[op]],_clause)) : pred.push(op, val(x[op])) // REVIST: Should always be proper recursion
     else if (_clause === 'on' && typeof x === 'string') pred.push('=', { ref: x.split('.') })
     else pred.push('=', {val:x})
   }

package/lib/ql/cds-ql.js

@@ -1,16 +1,13 @@
 const Query = require('./Query')
 require = path => { // eslint-disable-line no-global-assign
   const clazz = module.require (path); if (!clazz._api) return clazz
-  const kind = path.match(/\w+$/)[0]
-  Object.defineProperties (clazz.prototype, {
-    kind: { value: kind },
-    cmd: { value: kind }
-  })
-  const api = clazz._api()
-  return Object.assign (function (...args) {
-    if (new.target) return new clazz (...args) // allows: new SELECT
-    return api (...args)                      // allows: SELECT(...).from()
-  }, { class: clazz }, api)
+  const factory = clazz._api()
+  const constructor = Object.assign (function (...args) {
+    if (new.target) return new clazz (...args)  // allows: new SELECT
+    return factory (...args)                   // allows: SELECT(...).from()
+  }, factory)                                 // allows: SELECT.from()
+  constructor.class = clazz
+  return constructor
 }
 
 module.exports = exports = {
@@ -25,22 +22,19 @@ module.exports = exports = {
 }
 
 exports.clone = function (q,_) {
-  // q = this.query(q)
   return Query.prototype.clone.call(q,_)
 }
 
 exports.query = function (q) {
-  if (!q || q instanceof Query) return q
-  let kind = Object.keys(q)[0]; if (!kind) return
-  let clazz = exports[kind]; if (!clazz) return q
-  return new clazz (q[kind])
-},
+  if (q instanceof Query) return q
+  for (let k in q) return k in this ? new this[k](q[k]) : q
+}
 
 exports._reset = ()=>{ // for strange tests only
   const cds = require('../index')
   const _name = cds.env.sql.names === 'quoted' ? n =>`"${n}"` : n => n.replace(/[.:]/g,'_')
-  Object.defineProperty (Query.prototype,'valueOf',{ configurable:1, value: function(cmd=this.cmd) {
-    return `${cmd} ${_name(this._target.name)} `
+  Object.defineProperty (Query.prototype,'valueOf',{ configurable:1, value: function(kind=this.kind) {
+    return `${kind} ${_name(this._target.name)} `
   }})
   return this
 }

package/lib/req/user.js

@@ -74,3 +74,4 @@ Object.defineProperty (exports, 'default', {
   get() { return this._default },
 })
 exports._default = exports.anonymous
+exports.class = User

package/lib/req/validate.js

@@ -30,7 +30,7 @@ class Validation {
       typeof n === 'number' ? p + `[${n}]` :  //> some/array[1]...
       p && n ? p+'/'+n : n                    //> some/element...
     ),'')
-    if (val) err.args = [ val, ...args ]
+    if (val !== undefined) err.args = [ val, ...args ]
     return err
   }
 
@@ -111,7 +111,14 @@ const $any = class any {
       }
       if (this['@assert.range'] && !this.enum) {
         const [ min, max ] = this['@assert.range']
-        asserts.push ((v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, min, max))
+        if (min['='] === '_') min.val = -Infinity
+        if (max['='] === '_') max.val = +Infinity
+        asserts.push (
+          min.val !== undefined && max.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, v, '>'+min.val, '<'+max.val) :
+          min.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, '>'+min.val, max) :
+          max.val !== undefined ? (v,p,ctx) => v == null || min <= v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, v, min, '<'+max.val) :
+          (v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, min, max)
+        )
       }
       if (this['@assert.enum'] || this['@assert.range'] && this.enum) {
         const vals = Object.entries(this.enum).map(([k,v]) => 'val' in v ? v.val : k)
@@ -198,7 +205,9 @@ class struct extends $any {
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
       let /** @type {$any} */ d = elements[each]
       if (!d) ctx.unknown (each, this, data)
-      else if (ctx.cleanse && d._is_readonly()) delete data[each]
+      else if (ctx.cleanse && d._is_readonly() && !d.key) delete data[each]
+      // @Core.Immutable processed only for root, children are handled when knowing db state
+      else if (ctx.cleanse && d['@Core.Immutable'] && !ctx.insert && !path) delete data[each]
       else if (d['@cds.validate'] !== false) d.validate (data[each], path_, ctx)
     }
   }

package/lib/srv/factory.js

@@ -1,4 +1,4 @@
-const cds = require('..'), { path, isfile, _redacted } = cds.utils
+const cds = require('..'), { path, isfile, redacted } = cds.utils
 const paths = Array.from (new Set ([ cds.root, ...require.resolve.paths('x') ]))
 const DEBUG = cds.debug('cds.service.factory',); DEBUG && DEBUG ({ 'cds.root':cds.root, paths })
 
@@ -10,7 +10,7 @@ const ServiceFactory = function (name, model, options) { //NOSONAR
   const serve = !(conf && conf.external && (!o.mocked || conf.credentials))
   const defs = !model ? {[name]:{}} : model.definitions || cds.error `Invalid argument for 'model': ${model}`
   const def = !name || name === 'db' ? {} : defs[name] || {}
-  DEBUG?. ({ name, definition:def, options:_redacted(o) })
+  DEBUG?. ({ name, definition:def, options:redacted(o) })
 
   let it /* eslint-disable no-cond-assign */
   if (it = o.with)                 return _use (it) // from cds.serve (<options>)

package/lib/{auth → srv/middlewares/auth}/basic-auth.js

@@ -1,6 +1,6 @@
 module.exports = function basic_auth (options) {
 
-  const cds = require ('../index'), DEBUG = cds.debug('basic|auth')
+  const cds = require ('../../../index'), DEBUG = cds.debug('basic|auth')
   const users = require ('./mocked-users') (options)
   const login_required = options.login_required || cds.requires.multitenancy || process.env.NODE_ENV === 'production' && options.credentials
 

package/lib/{auth → srv/middlewares/auth}/dummy-auth.js

@@ -1,4 +1,4 @@
-const cds = require ('../index'), {privileged} = cds.User
+const cds = require ('../../../index'), {privileged} = cds.User
 
 module.exports = function dummy_auth() {
   return function dummy_auth (req, res, next) {

package/lib/srv/middlewares/auth/ias-auth.js

@@ -0,0 +1,96 @@
+const cds = require('../../../index.js')
+const LOG = cds.log('auth')
+
+const xssec = require('./xssec')
+
+// REVISIT: Why do we need to know and do that?
+const KNOWN_CLAIMS = Object.values({
+  /*
+   * JWT claims (https://datatracker.ietf.org/doc/html/rfc7519#section-4)
+   */
+  ISSUER: 'iss',
+  SUBJECT: 'sub',
+  AUDIENCE: 'aud',
+  EXPIRATION_TIME: 'exp',
+  NOT_BEFORE: 'nbf',
+  ISSUED_AT: 'iat',
+  JWT_ID: 'jti',
+  /*
+   * TokenClaims (com.sap.cloud.security.token.TokenClaims)
+   */
+  // ISSUER: "iss", //> already in JWT claims
+  IAS_ISSUER: 'ias_iss',
+  // EXPIRATION: "exp", //> already in JWT claims
+  // AUDIENCE: "aud", //> already in JWT claims
+  // NOT_BEFORE: "nbf", //> already in JWT claims
+  // SUBJECT: "sub", //> already in JWT claims
+  // USER_NAME: 'user_name', //> do not exclude
+  // GIVEN_NAME: 'given_name', //> do not exclude
+  // FAMILY_NAME: 'family_name', //> do not exclude
+  // EMAIL: 'email', //> do not exclude
+  SAP_GLOBAL_SCIM_ID: 'scim_id',
+  SAP_GLOBAL_USER_ID: 'user_uuid', //> exclude for now
+  SAP_GLOBAL_ZONE_ID: 'zone_uuid',
+  // GROUPS: 'groups', //> do not exclude
+  AUTHORIZATION_PARTY: 'azp',
+  CNF: 'cnf',
+  CNF_X5T: 'x5t#S256',
+  // own
+  APP_TENANT_ID: 'app_tid'
+})
+
+
+module.exports = function ias_auth(config) {
+  // cds.env.requires.auth.known_claims is not an official config!
+  const { kind, credentials, known_claims = KNOWN_CLAIMS } = config
+  const skipped_attrs = known_claims.reduce((a,x) => { a[x] = 1; return a }, {})
+
+  if (!credentials) throw new Error(
+    `Authentication kind "${kind}" configured, but no IAS instance bound to application. ` +
+    'Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
+  )
+
+  function getUser(tokenInfo) {
+    const payload = tokenInfo.getPayload()
+
+    const clientid = tokenInfo.getClientId()
+    if (clientid === payload.sub) { //> grant_type === client_credentials or x509
+      const roles = { 'system-user': 1 }
+      if (clientid === credentials.clientid) roles['internal-user'] = 1
+      return new cds.User({ id: 'system', roles, tokenInfo })
+    }
+
+    // add all unknown attributes to req.user.attr in order to keep public API small
+    const attr = {}
+    for (const key in payload) {
+      if (key in skipped_attrs) continue // REVISIT: Why do we need to do that?
+      else attr[key] = payload[key]
+    }
+
+    // REVISIT: just don't such things, please! -> We're just piling up tech dept through tons of unoficcial long tail APIs like that!
+    // REVISIT: looks like wrong direction to me, btw
+    // same api as xsuaa-auth for easier migration
+    if (attr.user_name) attr.logonName = attr.user_name
+    if (attr.given_name) attr.givenName = attr.given_name
+    if (attr.family_name) attr.familyName = attr.family_name
+
+    return new cds.User({ id: payload.sub, attr, tokenInfo })
+  }
+
+  // NOTE: Use named function for better stack traces... for the actual middleware, of course, not that much for the factory!
+  return function ias_auth (req, _, next) {
+    if (!req.headers.authorization) return next()
+    const token = req.headers.authorization.slice(7) // skip /^bearer /
+    xssec.createSecurityContext(token, credentials, 'IAS', function (err, securityContext, tokenInfo) {
+
+      if (err) LOG.warn('User could not be authenticated due to error:', err)
+      if (!securityContext) return next(401)
+      else req.authInfo = securityContext //> compat req.authInfo
+
+      const ctx = cds.context
+      ctx.user = getUser(tokenInfo)
+      ctx.tenant = tokenInfo.getZoneId()
+      next()
+    })
+  }
+}

package/lib/{auth → srv/middlewares/auth}/index.js

@@ -1,4 +1,4 @@
-const cds = require ('../index')
+const cds = require ('../../../index.js')
 
 const _builtin = {
   mocked: 'basic-auth',
@@ -30,7 +30,7 @@ module.exports = function auth_factory (o) {
 
   // try resolving the impl, throw if not found
   const config = { kind, impl: cds.utils.local(impl) }
-  // use cds.resolve() to allow './srv/auth.js' and 'srv/auth.js'
+  // use cds.resolve() to allow './srv/auth.js' and 'srv/auth.js' -> REVISIT: cds.resolve() is not needed here, and not meant for that !
   try { impl = require.resolve (cds.resolve (impl)?.[0], {paths:[cds.root]}) } catch {
     throw cds.error `Didn't find auth implementation for ${config}`
   }

package/lib/srv/middlewares/auth/jwt-auth.js

@@ -0,0 +1,62 @@
+const cds = require('../../../index.js')
+const LOG = cds.log('auth')
+
+const xssec = require('./xssec')
+
+module.exports = function jwt_auth(config) {
+  const { kind, credentials } = config
+
+  if (!credentials) throw new Error(
+    `Authentication kind "${kind}" configured, but no XSUAA instance bound to application. ` +
+    'Either bind an XSUAA instance, or switch to an authentication kind that does not require a binding.'
+  )
+
+  const xsappname = credentials.xsappname.length + 1
+
+  function getUser(tokenInfo) {
+    const payload = tokenInfo.getPayload()
+
+    let id = payload.user_name
+
+    const roles = {}
+    for (let scope of payload.scope) {
+      let role = scope.slice(xsappname) // Roles = scope names w/o xsappname...
+      if (role in { 'internal-user': 1, 'system-user': 1 }) continue  // Disallow setting system roles from external
+      else roles[role] = 1
+    }
+
+    // Add system roles in case of client credentials flow
+    if (payload.grant_type in { client_credentials: 1, client_x509: 1 }) {
+      id = 'system'
+      roles['system-user'] = 1
+      if (tokenInfo.getClientId() === credentials.clientid) roles['internal-user'] = 1
+    }
+
+    const attr = { ... payload['xs.user.attributes'] }
+    if (kind === 'xsuaa') {
+      attr.logonName = payload.user_name
+      attr.givenName = payload.given_name
+      attr.familyName = payload.family_name
+      attr.email = payload.email
+    }
+
+    return new cds.User({ id, roles, attr, tokenInfo })
+  }
+
+  // NOTE: Use named function for better stack traces... for the actual middleware, of course, not that much for the factory!
+  return function jwt_auth (req, _, next) {
+    if (!req.headers.authorization) return next()
+    const token = req.headers.authorization.slice(7) // skip /^bearer /
+    xssec.createSecurityContext(token, credentials, function (err, securityContext, tokenInfo) {
+
+      if (err) LOG.warn('User could not be authenticated due to error:', err)
+      if (!securityContext) return next(401)
+      else req.authInfo = securityContext //> compat req.authInfo
+
+      const ctx = cds.context
+      ctx.user = getUser(tokenInfo)
+      ctx.tenant = tokenInfo.getZoneId()
+      next()
+    })
+  }
+}

package/lib/{auth → srv/middlewares/auth}/mocked-users.js

@@ -1,4 +1,4 @@
-const cds = require ('../index'), { User } = cds
+const cds = require ('../../../index.js'), { User } = cds
 const LOG = cds.log('auth')
 
 class MockedUsers {

package/lib/srv/middlewares/auth/xssec.js

@@ -0,0 +1,7 @@
+try {
+  const xssec = require('@sap/xssec')
+  module.exports = xssec.v3 || xssec // use v3 compat api // REVISIT: why ???
+} catch (e) {
+  if (e.code === 'MODULE_NOT_FOUND') e.message = `Cannot find '@sap/xssec'. Make sure to install it with 'npm i @sap/xssec'\n` + e.message
+  throw e
+}

package/lib/srv/middlewares/index.js

@@ -1,4 +1,4 @@
-const auth      = exports.auth      = require('../../auth')
+const auth      = exports.auth      = require('./auth')
 const context   = exports.context   = require('./cds-context')
 const ctx_model = exports.ctx_model = require('./ctx-model')
 const errors    = exports.errors    = require('./errors')

package/lib/utils/cds-utils.js

@@ -111,13 +111,13 @@ exports.stack = (depth=11) => {
  * **WARNING:** This is an **expensive** function → handle with care!
  * @returns {[ filename:string, line:number, column:number ]}
  */
-exports.location = function (){
+exports.location = function() {
   const l = this.stack(3)[2]
   return [ l.getFileName(), l.getLineNumber(), l.getColumnNumber() ]
 }
 
 
-exports.exists = function exists (x) {
+exports.exists = function(x) {
   if (x) {
     const y = resolve (cds.root,x)
     return fs.existsSync(y)
@@ -167,29 +167,25 @@ exports.read = async function read (file, _encoding) {
 
 exports.write = function write (file, data, o) {
   if (arguments.length === 1) return {to:(...path) => write(join(...path),file)}
-  if (typeof data === 'object' && !Buffer.isBuffer(data))
-    data = JSON.stringify(data, null, ' '.repeat(o && o.spaces)) + '\n'
+  if (typeof data === 'object' && !Buffer.isBuffer(data)) {
+    let indent = o?.spaces || file.match(/(package|.cdsrc).json$/) && 2
+    data = JSON.stringify(data, null, indent) + '\n'
+  }
+  const f = resolve (cds.root,file)
+  return exports.mkdirp (dirname(f)).then (()=> fs.promises.writeFile (f,data,o))
+}
+
+exports.append = function append (file, data, o) {
+  if (arguments.length === 1) return {to:(...path) => append(join(...path), data)}
   const f = resolve (cds.root,file)
-  return fs.mkdirp (dirname(f)).then (()=> fs.promises.writeFile (f,data,o))
+  return exports.mkdirp (dirname(f)).then (()=> fs.promises.writeFile (f,data,o))
 }
 
 exports.copy = function copy (x,y) {
   if (arguments.length === 1) return {to:(...path) => copy(x,join(...path))}
   const src = resolve (cds.root,x)
   const dst = resolve (cds.root,y)
-  if (fs.promises.cp) return fs.promises.cp (src,dst,{recursive:true})
-  return fs.mkdirp (dirname(dst)) .then (async ()=>{
-    if (fs.isdir(src)) {
-      const entries = await fs.promises.readdir(src)
-      return Promise.all (entries.map (async each => {
-        const e = join (src,each)
-        const f = join (dst,each)
-        return copy (e,f)
-      }))
-    } else {
-      return fs.promises.copyFile (src,dst)
-    }
-  })
+  return fs.promises.cp (src,dst,{recursive:true})
 }
 
 exports.mkdirp = async function (...path) {
@@ -308,7 +304,7 @@ const SECRETS = /(passw)|(cert)|(ca)|(secret)|(key)/i
  * @param {any} cred - object or array with credentials
  * @returns {any}
  */
-exports._redacted = function _redacted(cred) {
+exports.redacted = function _redacted(cred) {
   if (!cred) return cred
   if (Array.isArray(cred)) return cred.map(c => typeof c === 'string' ? '...' : _redacted(c))
   if (typeof cred === 'object') {

package/lib/utils/tar.js

@@ -81,9 +81,9 @@ const tarInfo = async (info) => {
 const logDebugTar = async () => {
   const LOG = cds.log('tar')
   if (!LOG?._debug) return 
-  try {
-    LOG (`tar version: ${await tarInfo('version')}`)
+  try {    
     LOG (`tar path: ${await tarInfo('path')}`)
+    LOG (`tar version: ${await tarInfo('version')}`)
   } catch (err) {
     LOG('tar error', err)
   }

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -52,13 +52,13 @@ function _log(level, arg) {
   const _details = obj.details
 
   // REVISIT: the (ugly!) stuff re code is somewhat of a duplicate to what we do in normalizeError -> refactor with new adapters!
-  obj.message = getErrorMessage(obj)
+  obj.message = getErrorMessage(obj, '')
   if (_code) obj.code = obj.code.match?.(/^ASSERT_/) ? 400 : obj.code
   if (_details) {
     const details = []
     const codes = new Set()
     for (const d of obj.details) {
-      const entry = Object.assign({}, d, { message: getErrorMessage(d) })
+      const entry = Object.assign({}, d, { message: getErrorMessage(d, '') })
       if (!_code) {
         const k = d.statusCode ? 'statusCode' : d.status ? 'status' : d.code ? 'code' : undefined
         const v = d[k]?.match?.(/^ASSERT_/) ? 400 : d[k]

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/read.js

@@ -561,6 +561,7 @@ const read = service => {
       } else if (result.value && isStreaming(odataReq.getUriInfo().getPathSegments())) {
         if (odataRes._response.destroyed) {
           err = new Error('Response is closed while streaming')
+          err.code = 'ERR_STREAM_PREMATURE_CLOSE'
           tx.rollback(err).catch(() => {})
         } else {
           // REVISIT: temp workaround for url streaming

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/update.js

@@ -189,7 +189,7 @@ const update = service => {
       // try UPDATE and, on 404 error, try CREATE
       ;[result, req] = await _updateThenCreate(req, odataReq, odataRes, tx)
 
-      if (!(primitive && !_hasEtag(req.target)) && req._.readAfterWrite) {
+      if ((!primitive || _hasEtag(req.target)) && req._.readAfterWrite) {
         // REVISIT:
         // Performance: For `isReturnMinimal` it's enough to just read the etag.
         // Note: Without read access, one cannot return the etag.

package/libx/_runtime/common/error/frontend.js

@@ -8,11 +8,7 @@
  */
 const localeFrom = require('../../../../lib/req/locale')
 const { getErrorMessage } = require('./utils')
-let _i18n
-const i18n = (...args) => {
-  if (!_i18n) _i18n = require('../i18n')
-  return _i18n(...args)
-}
+const { i18n } = require('../../../../lib')
 
 const {
   ALLOWED_PROPERTIES_MAP,
@@ -121,7 +117,7 @@ const _statusCodeFromDetails = uniqueStatusCodes => {
 }
 
 const _getSanitizedError = (statusCode, locale) => ({
-  error: { code: String(statusCode), message: i18n(statusCode, locale) },
+  error: { code: String(statusCode), message: i18n.messages.at(statusCode, locale) }, // REVISIT: don't do that
   statusCode
 })
 

package/libx/_runtime/common/error/log.js

@@ -1,15 +1,11 @@
 // REVISIT: I think we can remove this file. Log output doesn't need localization.
+// REVISIT: We should remove the i18n machinery from log output.
 const cds = require('../../cds')
 const LOG = cds.log()
 
-let _i18n
-const i18n = (...args) => {
-  if (!_i18n) _i18n = require('../i18n')
-  return _i18n(...args)
-}
-
 const { isClientError } = require('./frontend')
 
+// REVISIT: Where is that being used...?
 module.exports = err => {
   // REVISIT: how does level behave compared to _log in (legacy) odata adapter?
   const level = isClientError(err) ? 'warn' : 'error'
@@ -18,11 +14,14 @@ module.exports = err => {
   // replace messages in toLog with developer texts (i.e., undefined locale)
   const _message = err.message
   const _details = err.details
-  err.message = i18n(err.message || err.code, undefined, err.args) || err.message
+  // REVISIT: We shouldn't run log output thru i18n machinery at all!
+  err.message = cds.i18n.messages.at(err.message || err.code, '', err.args) || err.message
   if (err.details) {
     const details = []
     for (const d of err.details) {
-      details.push(Object.assign({}, d, { message: i18n(d.message || d.code, undefined, d.args) || d.message }))
+      details.push(
+        Object.assign({}, d, { message: cds.i18n.messages.at(d.message || d.code, '', d.args) || d.message })
+      )
     }
     err.details = details
   }

package/libx/_runtime/common/error/utils.js

@@ -1,9 +1,4 @@
-let _i18n
-// REVISIT does it really make sense to delay i18n require here?
-const i18n = (...args) => {
-  if (!_i18n) _i18n = require('../i18n')
-  return _i18n(...args)
-}
+const { i18n } = require('../../../../lib')
 
 /**
  * Gets the localized error message for an error based on message, code, statusCode or status
@@ -11,9 +6,10 @@ const i18n = (...args) => {
  * @param {*} locale can be undefined for default language
  * @returns localized error message
  */
+// REVISIT: Where is that being used...?
 function getErrorMessage(error, locale) {
   const key = error.message || error.code || error.status || error.statusCode || '500'
-  const txt = i18n(key, locale, error.args)
+  const txt = i18n.messages.at(key, locale, error.args)
   return txt || error.message || String(error.code || error.status || error.statusCode)
 }