@sap/cds 9.0.4 → 9.2.0

package/lib/index.js

@@ -1,23 +1,23 @@
-if (process.env.CDS_STRICT_NODE_VERSION !== 'false') require ('./utils/check-version.js')
+if (process.env.CDS_STRICT_NODE_VERSION !== 'false') require('./utils/version').check()
 ! (global.__cds_loaded_from ??= new Set).add(__filename.toLowerCase()) // track from where we loaded cds, lowercase to avoid path duplicates on Windows
 
 const { AsyncLocalStorage } = require ('async_hooks')
 const context = new AsyncLocalStorage
 
 const { EventEmitter } = require('node:events')
-const cds = module.exports = global.cds = new class cds_facade extends EventEmitter {
+const cds = exports = module.exports = global.cds = new class cds extends EventEmitter {
 
-  /** Contexts and Transactions @type {import('./req/context')} */
+  /** Contexts and Transactions @type {import('./req/context.js')} */
   get context()  { return context.getStore() }
   set context(x) { this._with(x) }
   _with (x,fn,...args) {
-    const ctx = typeof x !== 'object' || x instanceof cds.EventContext ? x : x.context || cds.EventContext.for(x)
+    const ctx = typeof x !== 'object' || x instanceof exports.EventContext ? x : x.context || exports.EventContext.for(x)
     return fn ? context.run (ctx,fn,...args) : context.enterWith (ctx)
   }
-  get spawn() { return super.spawn = require('./req/spawn') }
+  get spawn() { return super.spawn = require('./req/spawn.js') }
 
-  /** @import {LinkedCSN} from './core/linked-csn' */
-  /** @import {Service} from './srv/cds.Service' */
+  /** @import {LinkedCSN} from './core/linked-csn.js' */
+  /** @import {Service} from './srv/cds.Service.js' */
   /** @type LinkedCSN */ model = undefined
   /** @type Service */ db = undefined
   /** CLI args */ cli = { command:'', options:{}, argv:[] }
@@ -33,24 +33,24 @@ const cds = module.exports = global.cds = new class cds_facade extends EventEmit
 
   // Configuration & Information
   get requires() { return super.requires = this.env.requires._resolved() }
-  get plugins()  { return super.plugins = require('./plugins').activate() }
+  get plugins()  { return super.plugins = require('./plugins.js').activate() }
   get version()  { return super.version = require('../package.json').version }
-  get env()      { return super.env = require('./env/cds-env').for(this) }
+  get env()      { return super.env = require('./env/cds-env.js').for(this) }
   get home()     { return super.home = __dirname.slice(0,-4) }
-  get schema()   { return super.schema = require('./env/schemas') } // REVISIT: Better move that to cds-dk?
+  get schema()   { return super.schema = require('./env/schemas/index.js') } // REVISIT: Better move that to cds-dk?
 
   // Loading and Compiling Models
-  get compiler() { return super.compiler = require('./compile/cdsc') }
-  get compile()  { return super.compile = require('./compile/cds-compile') }
-  get resolve()  { return super.resolve = require('./compile/resolve') }
-  get load()     { return super.load = require('./compile/load') }
+  get compiler() { return super.compiler = require('./compile/cdsc.js') }
+  get compile()  { return super.compile = require('./compile/cds-compile.js') }
+  get resolve()  { return super.resolve = require('./compile/resolve.js') }
+  get load()     { return super.load = require('./compile/load.js') }
   get get()      { return super.get = this.load.parsed }
-  get parse()    { return super.parse = require('./compile/parse') }
-  get minify()   { return super.minify = require('./compile/minify') }
-  get extend()   { return super.extend = require('./compile/extend') }
-  get deploy()   { return super.deploy = require('./dbs/cds-deploy') }
-  get localize() { return super.localize = require('./i18n/localize') }
-  get i18n()     { return super.i18n = require('./i18n') }
+  get parse()    { return super.parse = require('./compile/parse.js') }
+  get minify()   { return super.minify = require('./compile/minify.js') }
+  get extend()   { return super.extend = require('./compile/extend.js') }
+  get deploy()   { return super.deploy = require('./dbs/cds-deploy.js') }
+  get localize() { return super.localize = require('./i18n/localize.js') }
+  get i18n()     { return super.i18n = require('./i18n/index.js') }
 
   // Model Reflection, Builtin types and classes
   get entities()    { return this.db?.entities || this.model?.entities }
@@ -75,23 +75,23 @@ const cds = module.exports = global.cds = new class cds_facade extends EventEmit
     get _pending(){ return this.#pending ??= {} } #pending
   }
   get server() { return super.server = require('../server.js') }
-  get serve() { return super.serve = require('./srv/cds-serve') }
-  get connect() { return super.connect = require('./srv/cds-connect') }
+  get serve() { return super.serve = require('./srv/cds-serve.js') }
+  get connect() { return super.connect = require('./srv/cds-connect.js') }
   get outboxed() { return this.queued }
   get unboxed() { return this.unqueued }
-  get queued() { return super.queued = require('../libx/queue').queued }
-  get unqueued() { return super.unqueued = require('../libx/queue').unqueued }
-  get middlewares() { return super.middlewares = require('./srv/middlewares') }
-  get odata() { return super.odata = require('../libx/odata') }
-  get auth() { return super.auth = require('./auth') }
+  get queued() { return super.queued = require('../libx/queue/index.js').queued }
+  get unqueued() { return super.unqueued = require('../libx/queue/index.js').unqueued }
+  get middlewares() { return super.middlewares = require('./srv/middlewares/index.js') }
+  get odata() { return super.odata = require('../libx/odata/index.js') }
+  get auth() { return super.auth = require('./auth.js') }
   shutdown() { this.app?.server && process.exit() } // is overridden in bin/serve.js
 
   // Core Services API
-  get Service() { return super.Service = require('./srv/cds.Service') }
-  get EventContext() { return super.EventContext = require('./req/context') }
-  get Request() { return super.Request = require('./req/request') }
-  get Event() { return super.Event = require('./req/event') }
-  get User() { return super.User = require('./req/user') }
+  get Service() { return super.Service = require('./srv/cds.Service.js') }
+  get EventContext() { return super.EventContext = require('./req/context.js') }
+  get Request() { return super.Request = require('./req/request.js') }
+  get Event() { return super.Event = require('./req/event.js') }
+  get User() { return super.User = require('./req/user.js') }
   get validate() { return super.validate = require('./req/validate.js') }
 
   // Services, Protocols and Periphery
@@ -101,18 +101,18 @@ const cds = module.exports = global.cds = new class cds_facade extends EventEmit
   get RemoteService() { return super.RemoteService = require('../libx/_runtime/remote/Service.js') }
 
   // Helpers
-  get utils() { return super.utils = require('./utils/cds-utils') }
-  get error() { return super.error = require('./log/cds-error') }
-  get exec() { return super.exec = require('../bin/serve').exec }
-  get test() { return super.test = require('./test/cds-test') }
-  get log() { return super.log = require('./log/cds-log') }
+  get utils() { return super.utils = require('./utils/cds-utils.js') }
+  get error() { return super.error = require('./log/cds-error.js') }
+  get exec() { return super.exec = require('../bin/serve.js').exec }
+  get test() { return super.test = require('./test/cds-test.js') }
+  get log() { return super.log = require('./log/cds-log.js') }
   get debug() { return super.debug = this.log.debug }
   clone(x) { return structuredClone(x) }
 
   // Querying and Databases
   get infer(){ return super.infer = require('./ql/cds.ql-infer.js') }
   get txs()  { return super.txs = new this.Service('cds.tx') }
-  get ql()   { return super.ql = require('./ql/cds-ql') }
+  get ql()   { return super.ql = require('./ql/cds-ql.js') }
   // get tx() { return super.tx = this.Service.prototype.tx.bind (new this.Service) } // Note: this would break too much of existing code/tests
   tx         (..._) { return (this.db || this.txs).tx(..._) }
   run        (..._) { return (this.db || typeof _[0] === 'function' && this.txs || this.error._no_primary_db).run(..._) }

package/lib/log/cds-error.js

@@ -21,7 +21,7 @@ const { format, inspect } = require('../utils/cds-utils')
  * @param {object} [details] - Additional error details
  * @param {Function} [caller] - The function calling this
  */
-const error = exports = module.exports = function cds_error ( status, message, details, caller ) {
+const error = exports = module.exports = function error ( status, message, details, caller ) {
   if (typeof status !== 'number') [ status, message, details, caller ] = status.raw ? [ undefined, error.message(...arguments) ] : [ undefined, status, message, details ]
   if (typeof message === 'object') [ message, details, caller ] = [ undefined, message, details ]
   let err = details && 'stack' in details ? details : Object.assign (new Error (message, details), details)
@@ -61,16 +61,17 @@ exports.expected = ([,type], arg) => {
   return error (`Expected argument '${name}'${type}, but got: ${inspect(value)}`, undefined, error.expected)
 }
 
-
-const system_errors = [
-  TypeError,
-  ReferenceError,
-  SyntaxError,
-  RangeError,
-  URIError
-]
-exports.isSystemError = err => system_errors.some(e => err instanceof e) 
-
+exports.isSystemError = err => {
+  // all errors thrown by the peggy parser should not crash the app
+  if (err.name === 'SyntaxError' && err.constructor?.name === 'peg$SyntaxError') return false
+  return err.name in {
+    TypeError:1,
+    ReferenceError:1,
+    SyntaxError:1,
+    RangeError:1,
+    URIError:1,
+  }
+}
 
 //
 // Private helpers ...

package/lib/log/format/json.js

@@ -1,4 +1,4 @@
-const cds = require('../../')
+const cds = require('../..')
 
 const util = require('util')
 

package/lib/ql/SELECT.js

@@ -1,4 +1,6 @@
+const { pipeline } = require('stream/promises')
 const Whereable = require('./Whereable')
+const Query = require('./cds.ql-Query')
 const is_number = x => !isNaN(x)
 const cds = require('../index')
 const $ = Object.assign
@@ -163,6 +165,35 @@ class SELECT extends Whereable {
     return this
   }
 
+  async foreach(callback) {
+    for await (const row of this) {
+      callback(row)
+    }
+  }
+
+  [Symbol.asyncIterator]() {
+    return (async function* (self) {
+      const srv = self._srv || cds.db || cds.error`Can't execute query as no primary database is connected.`
+      const stream = await srv.send({
+        iterator: true,
+        objectMode: true,
+        query: self,
+      })
+      for await (const row of stream) yield row
+    })(this)
+  }
+
+  async pipeline(...args) {
+    const srv = this._srv || cds.db || cds.error`Can't execute query as no primary database is connected.`
+    const res = await srv.send({
+      iterator: true,
+      objectMode: false,
+      query: this,
+    })
+    if (args.length) return pipeline(res, ...args.map(a => a instanceof Query ? stream => a.entries(stream) : a))
+    return res
+  }
+
   hints (...args) {
     if (args.length) this.SELECT.hints = args.flat()
     return this

package/lib/ql/resolve.js

@@ -1,5 +1,5 @@
 const { resolveView, getTransition } = require('../../libx/_runtime/common/utils/resolveView')
-const cds = require('../../lib')
+const cds = require('..')
 
 const PERSISTENCE_TABLE = '@cds.persistence.table'
 const _isPersistenceTable = target =>

package/lib/req/context.js

@@ -1,6 +1,6 @@
 const cds = require ('../index'), { uuid } = cds.utils
 const async_events = { succeeded:1, failed:1, done:1, commit:1 }
-const locale = require('./../i18n/locale')
+const locale = require('../i18n/locale')
 const { EventEmitter } = require('events')
 
 /**

package/lib/req/request.js

@@ -110,7 +110,7 @@ class Request extends require('./event') {
       delete err.stack
       throw err
     }
-    let e = this.error(...args)
+    let e = this._errors.add(4, ...args)
     if (!('stack' in e)) Error.captureStackTrace (e = Object.assign(new Error,e), this.reject)
     if (!('message' in e)) e.message = String (e.code || e.status)
     throw e

package/lib/req/validate.js

@@ -24,15 +24,16 @@ class Validation {
     this.cleanse = options.cleanse !== false
   }
 
-  error (code, path, leaf, val, ...args) {
+  error (code, path, leaf, i18n, ...args) {
     const err = (this.errors ??= new ValidationErrors).add (code)
-    if (this.options.path) path = [ this.options.path, ...path ] // e.g. used to prefic 'in/' for actions
+    if (this.options.path) path = [ this.options.path, ...path ] // e.g. used to prefix 'in/' for actions
     if (path) err.target = (!leaf ? path : path.concat(leaf)).reduce?.((p,n)=> (
       n?.row ? p + this.filter4(n) :          //> some/entity(ID=1)...
       typeof n === 'number' ? p + `[${n}]` :  //> some/array[1]...
       p && n ? p+'/'+n : n                    //> some/element...
     ),'')
-    if (val !== undefined) err.args = [ val, ...args ]
+    if (typeof i18n === 'string') err.i18n = i18n
+    if (args.length) err.args = args
     return err
   }
 
@@ -64,10 +65,8 @@ class ValidationErrors extends Array {
     return err
   }
   static proto = Object.create (Error.prototype, {
+    stack: { configurable:true, get() { return this.message } },
     message: { writable:true, configurable:true },
-    stack: { configurable:true, get() { return this.message },
-      set(v) { Object.defineProperty (this, 'stack', { value:v, writable:true, configurable:true }) },
-    },
     status: { value: 400 },
   })
 }
@@ -100,30 +99,30 @@ const $any = class any {
       const asserts = []
       const type_check = conf.strict && this.strict_check || this.type_check
       if (type_check) {
-        asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, v, this ))
+        asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, null, v, this ))
       }
       if (this._is_mandatory()) {
-        asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
+        asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, this['@mandatory.message'] || this['@mandatory'], v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
       }
       if (this['@assert.format']) {
         const format = new RegExp(this['@assert.format'],'u')
-        asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, v, format))
+        asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, this['@assert.format.message'], v, format))
       }
       if (this['@assert.range'] && !this.enum) {
         const [ min, max ] = this['@assert.range']
         if (min['='] === '_') min.val = -Infinity
         if (max['='] === '_') max.val = +Infinity
         asserts.push (
-          min.val !== undefined && max.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, v, '>'+min.val, '<'+max.val) :
-          min.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, '>'+min.val, max) :
-          max.val !== undefined ? (v,p,ctx) => v == null || min <= v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, v, min, '<'+max.val) :
-          (v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, min, max)
+          min.val !== undefined && max.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, this['@assert.range.message'], v, '>'+min.val, '<'+max.val) :
+          min.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, this['@assert.range.message'], v, '>'+min.val, max) :
+          max.val !== undefined ? (v,p,ctx) => v == null || min <= v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, this['@assert.range.message'], v, min, '<'+max.val) :
+          (v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, null, v, min, max)
         )
       }
       if (this['@assert.enum'] || this['@assert.range'] && this.enum) {
         const vals = Object.entries(this.enum).map(([k,v]) => 'val' in v ? v.val : k)
         const enums = vals.reduce((a,v) => (a[v]=true, a),{})
-        asserts.push ((v,p,ctx) => v == null || v in enums || vals.some(x => x == v) || ctx.error ('ASSERT_ENUM', p, this.name, typeof v === 'string' ? `"${v}"` : v, vals.join(', ')))
+        asserts.push ((v,p,ctx) => v == null || v in enums || vals.some(x => x == v) || ctx.error ('ASSERT_ENUM', p, this.name, this['@assert.enum.message'], typeof v === 'string' ? `"${v}"` : v, vals.join(', ')))
       }
       if (!asserts.length) return ()=>{} // nothing to do
       return (v,p,ctx) => asserts.forEach (a => a(v,p,ctx))
@@ -194,19 +193,19 @@ class struct extends $any {
   validate (data, path, /** @type {Validation} */ ctx, elements = this.elements, skip={}) {
     if (data == null) return
     const path_ = !path ? [] : [...path, this.name]; if (path?.row) path_.push({...path})
-    if (typeof data !== 'object') return ctx.error ('ASSERT_DATA_TYPE', path_, this.name, data, this.target)
+    if (typeof data !== 'object') return ctx.error ('ASSERT_DATA_TYPE', path_, this.name, null, data, this.target)
     // check for required elements in case of inserts -- note: null values are handled in the payload loop below
     if (ctx.insert || data && path_.length && this._is_insert(data)) for (let each of this._required (elements)) {
       if (each.name in data) continue // got value for required element
       if (each.name in skip) continue // skip uplinks in deep inserts -> see Composition.validate()
       if (each.$struct in data) continue // got struct for flattened element/fk, e.g. {author:{ID:1}}
-      if (each.elements || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate()
+      if ((each.elements && each.kind !== 'param' ) || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate(), parameters don't have flat elements
       if (each.isAssociation) continue // unmanaged associations are always ignored (no value like)
       else ctx.error ('ASSERT_NOT_NULL', path_, each.name) // ASSERT_NOT_NULL should be ASSERT_REQUIRED
     }
     // check values of given data
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
-      let /** @type {$any} */ d = elements[each]
+      let /** @type {$any} */ d = Object.hasOwn(elements, each) && elements[each]
       if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data)
       else if (ctx.cleanse && d._is_readonly() && !d.key) delete data[each]
       // @Core.Immutable processed only for root, children are handled when knowing db state
@@ -242,8 +241,7 @@ class action extends struct {
     super.validate (data, path, ctx, this.params || {})
   }
 
-  // REVISIT: why is e['@mandatory'] not checked here?
-  _is_mandatory(e) { return e.notNull && !e.default } // params
+  _is_mandatory(e) { return e.notNull && !e.default || e._is_mandatory() } // params
 }
 
 /** Managed associations are struct-like, with foreign keys as elements to validate. */

package/lib/srv/cds.Service.js

@@ -24,32 +24,20 @@ class ConsumptionAPI {
     else return this.dispatch (new Event ({ event, data, headers }))
   }
 
-  send (req, path, data, headers) {
-    if (is_object(req)) return this.dispatch (req instanceof Request ? req : new Request(req))
-    if (is_object(path)) return this.dispatch (new Request (path.is_linked //...
-      ? { method:req, entity:path, data, headers }
-      : { method:req, data:path, headers:data }))
-    else return this.dispatch (new Request({ method:req, path, data, headers }))
+  send (...args) {
+    const req = _req4 (...args)
+    return this.dispatch (req)
   }
-  schedule (method, path, data, headers) {
-    // not great to normalize args... better way? need to 'merge' with after/every
-    const req = method instanceof cds.Request ? method : new cds.Request(_nrm4skd(method, path, data, headers))
+
+  schedule (...args) {
+    const req = _req4 (...args), {ms4} = cds.utils
     return {
-      after (ms) {
-        req.queue ??= {}
-        req.queue.after = ms
-        return this
-      },
-      every (ms) {
-        req.queue ??= {}
-        req.queue.every = ms
-        return this
-      },
-      then: (r, e) => {
-        return cds.queued(this).send(req).then(r, e)
-      }
+      after (t,u) { (req.queue ??= {}).after = ms4(t,u); return this },
+      every (t,u) { (req.queue ??= {}).every = ms4(t,u); return this },
+      then: (r,e) => cds.queued(this).send(req).then(r,e)
     }
   }
+
   get    (...args) { return is_rest(args[0]) ? this.send('GET',   ...args) : this.read   (...args) }
   put    (...args) { return is_rest(args[0]) ? this.send('PUT',   ...args) : this.update (...args) }
   post   (...args) { return is_rest(args[0]) ? this.send('POST',  ...args) : this.create (...args) }
@@ -179,13 +167,15 @@ const is_query = x => x?.bind || Array.isArray(x) && !x.raw
 const is_rest = x => typeof x === 'string' && x[0] === '/'
 const _service_in = m => cds.linked(m).services?.[0]?.name
 || cds.error.expected `${{model:m}} to be a CSN with a single service definition`
-const _nrm4skd = (method, path, data, headers) => {
-  if (typeof method === 'object') return method
-  if (typeof path !== 'object') return { method, path, data, headers }
-  if (path.is_linked) return { method, entity: path, data, headers }
-  return { method, data: path, headers: data }
-}
 
+const _req4 = (event, path, data, headers) => {
+  if (is_query(event)) return new Request({ query: event, data: path, headers })
+  if (is_object(event)) return event instanceof Request ? event : new Request(event)
+  if (is_object(path)) return new Request (path.is_linked //...
+    ? { method:event, entity:path, data, headers }
+    : { method:event, data:path, headers:data })
+  else return new Request({ method:event, path, data, headers })
+}
 
 exports = module.exports = Service
 exports.Service = Service

package/lib/srv/middlewares/auth/ias-auth.js

@@ -3,7 +3,10 @@ const LOG = cds.log('auth')
 
 const {
   createSecurityContext,
+  Token,
   IdentityService,
+  XsuaaService,
+  XsuaaToken,
   errors: { ValidationError }
 } = require('./xssec')
 
@@ -18,6 +21,12 @@ module.exports = function ias_auth(config) {
         'Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
     )
 
+  // enable signature cache by default
+  serviceConfig.validation ??= {}
+  if (!('signatureCache' in serviceConfig.validation)) serviceConfig.validation.signatureCache = { enabled: true }
+  // activate decode cache if not already done or explicitely disabled by setting Token.decodeCache to false or undefined
+  if (Token.decodeCache === null) Token.enableDecodeCache()
+
   const auth_service = new IdentityService(credentials, serviceConfig)
   const user_factory = get_user_factory(credentials, skipped_attrs)
 
@@ -44,16 +53,26 @@ module.exports = function ias_auth(config) {
     validating_auth_service = new IdentityService(credentials, _serviceConfig)
   }
 
+  // xsuaa fallback allows to also accept XSUAA tokens during migration to IAS
+  // automatically enabled if xsuaa credentials are available
+  let xsuaa_service, xsuaa_user_factory
+  if (cds.env.requires.xsuaa?.credentials) {
+    const { credentials: xsuaa_credentials, config: xsuaa_serviceConfig = {} } = cds.env.requires.xsuaa
+    xsuaa_service = new XsuaaService(xsuaa_credentials, xsuaa_serviceConfig)
+    const get_xsuaa_user_factory = require('./jwt-auth')._get_user_factory
+    xsuaa_user_factory = get_xsuaa_user_factory(xsuaa_credentials, xsuaa_credentials.xsappname, 'xsuaa')
+  }
+
   return async function ias_auth(req, _, next) {
     if (!req.headers.authorization) return next()
 
     try {
       const _auth_service =
         validating_auth_service && req.host.match(/\.cert\./) ? validating_auth_service : auth_service
-      const securityContext = await createSecurityContext(_auth_service, { req })
+      const securityContext = await createSecurityContext(xsuaa_service ? [_auth_service, xsuaa_service] : _auth_service, { req })
       const tokenInfo = securityContext.token
       const ctx = cds.context
-      ctx.user = user_factory(tokenInfo)
+      ctx.user = tokenInfo instanceof XsuaaToken ? xsuaa_user_factory(tokenInfo) : user_factory(tokenInfo)
       ctx.tenant = tokenInfo.getZoneId()
       req.authInfo = securityContext //> compat req.authInfo
     } catch (e) {
@@ -73,6 +92,14 @@ function get_user_factory(credentials, skipped_attrs) {
   return function user_factory(tokenInfo) {
     const payload = tokenInfo.getPayload()
 
+    /*
+     * NOTE:
+     *  for easier migration, xssec will offer IAS without policies via so-called XsuaaFallback.
+     *  in that case, we would need to add the roles here based on the tokenInfo (similar to xsuaa-auth).
+     *  however, it is not yet clear where the roles will be stored in IAS' tokenInfo object.
+     *  further, stakeholders would need to configure the "extension" programmatically (e.g., in a custom server.js).
+     */
+
     const clientid = tokenInfo.getClientId()
     if (clientid === payload.sub) {
       //> grant_type === client_credentials or x509

package/lib/srv/middlewares/auth/jwt-auth.js

@@ -3,7 +3,9 @@ const LOG = cds.log('auth')
 
 const {
   createSecurityContext,
+  Token,
   XsuaaService,
+  XsaService,
   errors: { ValidationError }
 } = require('./xssec')
 
@@ -16,7 +18,13 @@ module.exports = function jwt_auth(config) {
         'Either bind an XSUAA instance, or switch to an authentication kind that does not require a binding.'
     )
 
-  const auth_service = new XsuaaService(credentials, serviceConfig)
+  // enable signature cache by default
+  serviceConfig.validation ??= {}
+  if (!('signatureCache' in serviceConfig.validation)) serviceConfig.validation.signatureCache = { enabled: true }
+  // activate decode cache if not already done or explicitely disabled by setting Token.decodeCache to false or undefined
+  if (Token.decodeCache === null) Token.enableDecodeCache()
+
+  const auth_service = !credentials.uaadomain ? new XsaService(credentials, serviceConfig) : new XsuaaService(credentials, serviceConfig)
   const user_factory = get_user_factory(credentials, credentials.xsappname, kind)
 
   return async function jwt_auth(req, _, next) {
@@ -76,3 +84,5 @@ function get_user_factory(credentials, xsappname, kind) {
     return new cds.User({ id, roles, attr, tokenInfo })
   }
 }
+
+module.exports._get_user_factory = get_user_factory

package/lib/srv/middlewares/auth/xssec.js

@@ -1,6 +1,6 @@
 try {
   const xssec = require('@sap/xssec')
-  module.exports = xssec // use v3 compat api // REVISIT: why ???
+  module.exports = xssec
 } catch (e) {
   if (e.code === 'MODULE_NOT_FOUND') e.message = `Cannot find '@sap/xssec'. Make sure to install it with 'npm i @sap/xssec'\n` + e.message
   throw e

package/lib/srv/srv-models.js

@@ -31,7 +31,7 @@ class ExtendedModels {
       } catch (error) {
         // Better error message for client
         if (error.status === 404) throw error
-        cds.error('`extensibility: true` is configured but table "cds.xt.Extensions" does not exist. Please redeploy.', error)
+        cds.error(`\`extensibility: true\` is configured but table "cds.xt.Extensions" does not exist - please upgrade tenant '${tenant}'`, error)
       }
       if (!_has_extensions) {
         let k = cache.key4 (tenant = undefined, features)

package/lib/srv/srv-tx.js

@@ -1,4 +1,3 @@
-/** @typedef {import('./cds.Service')} Service } */
 
 const cds = require('../index'), { srv_tx_compat_for_afc = true } = cds.env.features
 const EventContext = require('../req/context')
@@ -9,8 +8,9 @@ class NestedContext extends EventContext { static for(_) { return _ instanceof E
 /**
  * This is the implementation of the `srv.tx(req)` method. It constructs
  * a new Transaction as a derivate of the `srv` (i.e. {__proto__:srv})
+ * @typedef {import('./cds.Service')} Service
+ * @this {Service} @param { EventContext } ctx
  * @returns { Promise<Transaction & Service> }
- * @param { EventContext } ctx
  */
 module.exports = exports = function srv_tx (ctx,fn) { const srv = this
 

package/lib/utils/cds-utils.js

@@ -20,7 +20,7 @@ exports = module.exports = new class {
   get uuid() { return super.uuid = require('crypto').randomUUID }
   get yaml() { const yaml = require('js-yaml'); return super.yaml = Object.assign(yaml,{parse:yaml.load}) }
   get tar()  { return super.tar = process.platform === 'win32' && _tarLib() ? require('./tar-lib') : require('./tar') }
-  get _unit()  { return super._unit = require('./unit') }
+  get semver() { return super.semver = require('./version') }
 }
 
 /** @type {import('node:path')} */
@@ -88,7 +88,14 @@ const chimera = Object.getOwnPropertyDescriptors (class Chimera {
 exports.decodeURIComponent = s => { try { return decodeURIComponent(s) } catch { return s } }
 exports.decodeURI = s => { try { return decodeURI(s) } catch { return s } }
 
-exports.local = (file) => file && relative(cwd,file)
+/**
+ * Computes a relative path from the a working directory to the given relative file,
+ * considering a divergent 'outer' root path that is not `cds.root`.
+ * Needed for `cds watch/run <dir>` calls.
+ * @param {string} file - the relative file path to compute
+ * @returns {string} - the relative path
+ */
+exports.local = (file) => file && relative(cwd, resolve(cds.root,file))
 
 const { prepareStackTrace, stackTraceLimit } = Error
 
@@ -334,3 +341,29 @@ exports.redacted = function _redacted(cred) {
   }
   return cred
 }
+
+
+/**
+ * Converts a time span with a unit into milliseconds. @example
+ * ms4(5,'s') //> 5000
+ * ms4('5s') //> 5000
+ * @param {number|string} ts - time span as number, or string with unit suffix, with or without spaces
+ * @param {string} [unit] - time span unit
+ * @returns {number} - time span in milliseconds
+ */
+const ms4 = exports.ms4 = (ts, unit, u=unit) => {
+  if (typeof ts === 'string') [,ts,u] = /(\d+) ?(\w*)/.exec(ts) || cds.error `Invalid time span format: ${ts}`
+  return ts * ms4[u||unit||'ms'] || cds.error `Invalid time span unit: ${unit} in ${ts}`
+}
+
+/**
+ * Constants for time spans factors to milliseconds. @example
+ * const { days, hours, minutes, second } = cds.utils.ms4
+ * 4 * days + 3 * hours + 2 * minutes + 1 * second //> 356521000
+ */
+const ms = ms4.ms = 1
+ms4.seconds = ms4.second = ms4.s = ms4.sec = 1000 *ms
+ms4.minutes = ms4.minute = ms4.m = ms4.min = 1000 *ms * 60
+ms4.hours   = ms4.hour   = ms4.h = ms4.hrs = 1000 *ms * 60 * 60
+ms4.days    = ms4.day    = ms4.d           = 1000 *ms * 60 * 60 * 24
+ms4.weeks   = ms4.week   = ms4.w           = 1000 *ms * 60 * 60 * 24 * 7

package/lib/utils/csv-reader.js

@@ -1,6 +1,6 @@
 const { createReadStream, createWriteStream, promises: fsp } = require('fs')
 const { Readable } = require('stream')
-const cds = require('../../lib')
+const cds = require('..')
 
 const SEPARATOR = /[,;\t]/
 

package/lib/utils/inflect.js

@@ -2,7 +2,7 @@
 this.singular4 = (dn,stripped) => {
 	let n = dn.name || dn; if (stripped) n = n.match(last)[0]
 	return dn['@singular'] || (
-		/species|news$/i.test(n) ? n  :
+		/(species|news)$/i.test(n) ? n  :
 		/ess$/.test(n) ? n :      							// Address
 		/ees$/.test(n) ? n.slice(0, -1) : 			// Employees --> Employee
 		/[sz]es$/.test(n) ?  n.slice(0, -2) :
@@ -15,7 +15,7 @@ this.singular4 = (dn,stripped) => {
 this.plural4 = (dn,stripped) => {
 	let n = dn.name || dn; if (stripped) n = n.match(last)[0]
 	return dn['@plural'] || (
-		/analysis|status|species|sheep|news$/i.test(n) ? n  :
+		/(analysis|status|species|sheep|news)$/i.test(n) ? n  :
 		/[^aeiou]y$/.test(n) ? n.slice(0,-1) + 'ies'  :
 		/(s|x|z|ch|sh)$/.test(n) ? n + 'es' :
 		n + 's'