@sap/cds 9.1.0 → 9.2.1

package/CHANGELOG.md

@@ -4,6 +4,49 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 9.2.1 - 2025-08-15
+
+### Fixed
+
+- Check whether token validation was configured
+- `UPDATE(Foo).with`foo=${'bar'}` erroneously constructed the equivalent of `UPDATE(Foo).with`foo=bar` instead of `UPDATE(Foo).with`foo='bar'`
+- Errors in emits for file-based messaging are thrown
+- Queue: Ensure `method`, `path`, `entity` and `params` are correctly taken over when creating tasks
+- Reject navigations in `$expand` without parsing the navigation path
+
+## Version 9.2.0 - 2025-07-29
+
+### Added
+
+- `srv.schedule` allows to specify the time in a more readable way, e.g. `srv.schedule(...).after('1min')`
+- Support for `jwt`/`xsuaa`-auth on XSA
+- Enable `@sap/xssec`'s caching mechanisms (requires `@sap/xssec^4.8`)
+  + The signature cache can be configured via `cds.requires.auth.config`, which is passed to `@sap/xssec`'s authentication services
+  + The token decode cache can be configured programmatically via `require('@sap/xssec').Token.enableDecodeCache(config?)` and deactivated via `require('@sap/xssec').Token.decodeCache = false`
+- `cds.requires` correctly resolve service credentials on Kyma when its merged env configuration is only `true` and the service is found via its property name.
+- `ias`-auth: Support for fallback XSUAA-based authentication meant to ease migration to IAS
+  + The fallback is automatically enabled if XSUAA credentials are available. To enable the credentials look-up, simply add `cds.requires.xsuaa = true` to your env.
+  + In case you need a custom config for the fallback (passed through to `@sap/xssec` as is!), configure it via `cds.requires.xsuaa = { config: { ... } }`
+- Better error message if `cds.xt.Extensions` table is missing in extensibility scenarios.
+
+### Changed
+
+- Upgrade to Peggy 5 version
+- Enabled conversion of `not exists where not` to OData `all`, integrating the inverse of the policy applied by the OData parser.
+- Numeric values in `.csv` files are now returned as numbers instead of strings, e.g. `1` instead of `'1'`;
+  when pre-padded with zeros, e.g., `0123`, they are returned as strings, e.g. `'0123'` instead of `123`.
+
+### Fixed
+
+- Runtime error in transaction handling in messaging services when used with outbox
+- Always use `cds.context` middleware for `enterprise-messaging` endpoints
+- Crash during Location header generation caused by custom response not matching the entity definition.
+- Support for logging of correct error locations with `cds watch` and `cds run`. 
+- Double-unescaping of values in double quotes during OData URL parsing
+- Throw explicit error if the result of a media data query is not an instance of `Readable`, rather than responding with `No Content`
+- When loading `.csv` files quoted strings containing the separator (comma or semicolon) where erroneously
+  parsed as two separate values instead of one.
+
 ## Version 9.1.0 - 2025-06-30
 
 ### Added
@@ -63,6 +106,7 @@
 ### Changed
 
 - Lean draft handler is registered in a service only if a draft-enabled service entity exists
+- Add back in server version on CAP server launch info log record
 
 ### Fixed
 
@@ -160,6 +204,15 @@
 - Deprecated stripping of unnecessary topic prefix `topic:` in messaging
 - Deprecated messaging `Outbox` class. Please use config or `cds.outboxed(srv)` to outbox your service.
 
+## Version 8.9.5 - 2025-07-25
+
+### Fixed
+
+- `req.diff` in case of draft entities using associations to joins/unions
+- Locale detection does not enforce `<http-req>.query` to be present. Some protocol adapters do not set it.
+- View metadata for requests with $apply
+- Handling of bad timestamps in URL ($filter and temporals)
+
 ## Version 8.9.4 - 2025-05-16
 
 ### Fixed

package/bin/deploy.js

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+/* eslint-disable no-console */
+
+const cds = require('../lib');
+const argv = process.argv.slice(2);
+const o = {};
+cds.cli = { command: 'deploy', argv, options: o }
+
+Promise.resolve(cds.plugins).then(async () => {
+  let db = cds.requires.db || {}
+  for (let i = 0; i < argv.length; ++i) {
+    let k = argv[i], v = argv[++i]
+    if (!k.startsWith('--')) return error `Invalid argument: ${k}. Expected format --key value`
+    if (v?.startsWith('--')) { --i; v = true } // allow --key without value
+    o[k = k.slice(2)] = v ?? true // allow last --key without value
+    if (k === 'to') db = { kind: v, dialect: v }
+    else (db.credentials ??= {})[k] = v
+  }
+  console.debug('Deploying with options:', db, o)
+  cds.db = await cds.connect.to(db)
+  return await cds.deploy('*',o).to(db)
+})
+.catch (e => { console.error(e); process.exitCode = 1 })
+.finally (() => cds.db?.disconnect?.())
+
+const error = (...args) => {
+  console.error (String.raw(...args))
+  process.exitCode = 1
+}

package/bin/serve.js

@@ -275,10 +275,6 @@ async function _local_server_js() {
 function _prepare_logging () { // NOSONAR
 
   const LOG = cds.log('cds.serve|server',{label:'cds'}); if (!LOG._info) return; else log = LOG.info
-  const _timer = process.env.NODE_ENV === 'production'
-    ? `[cds] - server launched at ${new Date().toLocaleString()}, version: ${cds.version}, in`
-    : '[cds] - server launched in'
-  console.time (_timer)
 
   // print information when model is loaded
   cds.on ('loaded', ({$sources:srcs})=>{
@@ -313,7 +309,7 @@ function _prepare_logging () { // NOSONAR
   cds.once ('listening', ({url})=>{
     console.log()
     LOG.info ('server listening on',{url})
-    _timer && console.timeEnd (_timer)
+    LOG.info ('server', 'v'+cds.version, 'launched in', performance.now().toFixed(0),'ms')
     if (process.stdin.isTTY) LOG.info (`[ terminate with ^C ]\n`)
   })
 }

package/lib/compile/etc/csv.js

@@ -34,6 +34,10 @@ function parse (csv) {
         if (headers.includes(currCol))  values.push (_value4(val, quoted)) // skip value if column was skipped
         val = undefined, quoted = false //> start new val
       }
+      else if (c === ' ' && val === undefined) {
+        // ignore leading spaces
+        continue
+      }
       else if (c === '"' && val === undefined) { // start quoted string
         val = ''
         inString = true
@@ -43,7 +47,7 @@ function parse (csv) {
         else inString = false, quoted = true // stop string
       }
       else {  // normal char
-        if (val === undefined)  val = ''
+        val ??= ''
         val += c
       }
     }
@@ -59,12 +63,13 @@ function parse (csv) {
   return rows
 }
 
-function _value4 (val, quoted = false) {
+const globals = { null:null, true:true, false:false }
+function _value4 (val, quoted) {
   if (quoted)  return val
-  if (val)  val = val.trim()
-  if (val === 'true') return true
-  else if (val === 'false') return false
-  else return val
+  if (val) val = val.trim(); else return undefined
+  if (val in globals) return globals[val] //> null, true, false
+  let n = Number(val)
+  return n.toString() == val ? n : val
 }
 
 function _ignoreLine(line) {

package/lib/compile/load.js

@@ -9,13 +9,16 @@ if (TRACE) {
 module.exports = exports = function load (files, options) {
   let any = cds.resolve(files,options)
 
+  // REVISIT: we need to find a better way to handle this -> doing that in cds.load is by far too central
   // REVISIT: bandaid for grow as you go scenario with task queues enabled by default
   let locations
-  const _is_outbox = p => cds.utils.path.posix.normalize(p).match(/\/cds\/srv\/outbox(\.cds)?$/)
-  const _outbox_only = any?.length === 1 && _is_outbox(any[0]) && (!Array.isArray(files) || !files.some(_is_outbox))
-  if (_outbox_only) {
-    any = undefined
-    locations = cds.resolve(files, false).filter(f => !_is_outbox(f))
+  if (cds.watched) {
+    const _is_outbox = p => cds.utils.path.posix.normalize(p).match(/\/cds\/srv\/outbox(\.cds)?$/)
+    const _outbox_only = any?.length === 1 && _is_outbox(any[0]) && (!Array.isArray(files) || !files.some(_is_outbox))
+    if (_outbox_only) {
+      any = undefined
+      locations = cds.resolve(files, false).filter(f => !_is_outbox(f))
+    }
   }
 
   if (!any) return Promise.reject (new cds.error ({

package/lib/compile/to/hdbtabledata.js

@@ -1,4 +1,4 @@
-const cds = require('../../../lib')
+const cds = require('../..')
 const { getElementCdsPersistenceName, getArtifactCdsPersistenceName } = require('@sap/cds-compiler')
 const { fs, path, isdir, csv } = cds.utils
 const { readdir } = fs.promises

package/lib/dbs/cds-deploy.js

@@ -1,4 +1,3 @@
-#!/usr/bin/env node
 const cds = require('../index'), { local, path } = cds.utils
 const DEBUG = cds.debug('deploy')
 const TRACE = cds.debug('trace')
@@ -387,33 +386,3 @@ const _entity4 = (file, csn) => {
   }
   return entity.name ? entity : { name, __proto__:entity }
 }
-
-/** CLI used as via cds-deploy as deployer for PostgreSQL */
-if (!module.parent) (async function CLI () {
-  cds.cli = { command: 'deploy', argv: process.argv.slice(2), options: {} }
-  await cds.plugins // IMPORTANT: that has to go before any call to cds.env, like through cds.deploy or cds.requires below
-  let db = cds.requires.db
-  try {
-    let o={}, recent
-    for (let each of process.argv.slice(2)) {
-      if (each.startsWith('--')) o[(recent = each.slice(2))] = true
-      else o[recent] = each
-    }
-    if (o.to) {
-      db = { kind: o.to, dialect: o.to }
-      if (o.url) (db.credentials ??= {}).url = o.url
-      if (o.host) (db.credentials ??= {}).host = o.host
-      if (o.port) (db.credentials ??= {}).port = o.port
-      if (o.username) (db.credentials ??= {}).username = o.username
-      if (o.password) (db.credentials ??= {}).password = o.password
-    }
-    cds.cli.options = o
-    db = await cds.connect.to(db);
-    db = await cds.deploy('*',o).to(db)
-  } finally {
-    await db?.disconnect?.()
-  }
-})().catch((e) => {
-  console.error(e)
-  process.exitCode = 1
-})

package/lib/env/cds-env.js

@@ -408,7 +408,8 @@ class Config {
       const { credentials } = this._find_credentials_for_required_service(service, conf, vcaps) || {}
       if (credentials)  {
         // Merge `credentials`.  Needed because some app-defined things like `credentials.destination` must survive.
-        any = conf.credentials = Object.assign ({}, conf.credentials, credentials)
+        if (conf === true) any = this.requires[service] = { credentials }
+        else any = conf.credentials = { ...conf.credentials, ...credentials }
       }
     }
     return !!any

package/lib/env/cds-requires.js

@@ -85,6 +85,9 @@ for (let each of Object.values(_authentication_strategies)) {
   }})
 }
 
+// enable credentials lookup for xsuaa fallback
+_authentication_strategies.xsuaa = { vcap: { label: 'xsuaa' } }
+
 const _services = {
 
   "app-service": {

package/lib/env/schemas/cds-rc.js

@@ -219,6 +219,10 @@ module.exports = {
             },
             db: {
               oneOf: [
+                {
+                  type: 'boolean',
+                  description: 'Shortcut to enable primary database.'
+                },
                 {
                   type: 'string',
                   description: 'Settings for the primary database (shortcut).',

package/lib/index.js

@@ -1,23 +1,23 @@
-if (process.env.CDS_STRICT_NODE_VERSION !== 'false') require ('./utils/check-version.js')
+if (process.env.CDS_STRICT_NODE_VERSION !== 'false') require('./utils/version').check()
 ! (global.__cds_loaded_from ??= new Set).add(__filename.toLowerCase()) // track from where we loaded cds, lowercase to avoid path duplicates on Windows
 
 const { AsyncLocalStorage } = require ('async_hooks')
 const context = new AsyncLocalStorage
 
 const { EventEmitter } = require('node:events')
-const cds = module.exports = global.cds = new class cds_facade extends EventEmitter {
+const cds = exports = module.exports = global.cds = new class cds extends EventEmitter {
 
-  /** Contexts and Transactions @type {import('./req/context')} */
+  /** Contexts and Transactions @type {import('./req/context.js')} */
   get context()  { return context.getStore() }
   set context(x) { this._with(x) }
   _with (x,fn,...args) {
-    const ctx = typeof x !== 'object' || x instanceof cds.EventContext ? x : x.context || cds.EventContext.for(x)
+    const ctx = typeof x !== 'object' || x instanceof exports.EventContext ? x : x.context || exports.EventContext.for(x)
     return fn ? context.run (ctx,fn,...args) : context.enterWith (ctx)
   }
-  get spawn() { return super.spawn = require('./req/spawn') }
+  get spawn() { return super.spawn = require('./req/spawn.js') }
 
-  /** @import {LinkedCSN} from './core/linked-csn' */
-  /** @import {Service} from './srv/cds.Service' */
+  /** @import {LinkedCSN} from './core/linked-csn.js' */
+  /** @import {Service} from './srv/cds.Service.js' */
   /** @type LinkedCSN */ model = undefined
   /** @type Service */ db = undefined
   /** CLI args */ cli = { command:'', options:{}, argv:[] }
@@ -33,24 +33,24 @@ const cds = module.exports = global.cds = new class cds_facade extends EventEmit
 
   // Configuration & Information
   get requires() { return super.requires = this.env.requires._resolved() }
-  get plugins()  { return super.plugins = require('./plugins').activate() }
+  get plugins()  { return super.plugins = require('./plugins.js').activate() }
   get version()  { return super.version = require('../package.json').version }
-  get env()      { return super.env = require('./env/cds-env').for(this) }
+  get env()      { return super.env = require('./env/cds-env.js').for(this) }
   get home()     { return super.home = __dirname.slice(0,-4) }
-  get schema()   { return super.schema = require('./env/schemas') } // REVISIT: Better move that to cds-dk?
+  get schema()   { return super.schema = require('./env/schemas/index.js') } // REVISIT: Better move that to cds-dk?
 
   // Loading and Compiling Models
-  get compiler() { return super.compiler = require('./compile/cdsc') }
-  get compile()  { return super.compile = require('./compile/cds-compile') }
-  get resolve()  { return super.resolve = require('./compile/resolve') }
-  get load()     { return super.load = require('./compile/load') }
+  get compiler() { return super.compiler = require('./compile/cdsc.js') }
+  get compile()  { return super.compile = require('./compile/cds-compile.js') }
+  get resolve()  { return super.resolve = require('./compile/resolve.js') }
+  get load()     { return super.load = require('./compile/load.js') }
   get get()      { return super.get = this.load.parsed }
-  get parse()    { return super.parse = require('./compile/parse') }
-  get minify()   { return super.minify = require('./compile/minify') }
-  get extend()   { return super.extend = require('./compile/extend') }
-  get deploy()   { return super.deploy = require('./dbs/cds-deploy') }
-  get localize() { return super.localize = require('./i18n/localize') }
-  get i18n()     { return super.i18n = require('./i18n') }
+  get parse()    { return super.parse = require('./compile/parse.js') }
+  get minify()   { return super.minify = require('./compile/minify.js') }
+  get extend()   { return super.extend = require('./compile/extend.js') }
+  get deploy()   { return super.deploy = require('./dbs/cds-deploy.js') }
+  get localize() { return super.localize = require('./i18n/localize.js') }
+  get i18n()     { return super.i18n = require('./i18n/index.js') }
 
   // Model Reflection, Builtin types and classes
   get entities()    { return this.db?.entities || this.model?.entities }
@@ -75,23 +75,23 @@ const cds = module.exports = global.cds = new class cds_facade extends EventEmit
     get _pending(){ return this.#pending ??= {} } #pending
   }
   get server() { return super.server = require('../server.js') }
-  get serve() { return super.serve = require('./srv/cds-serve') }
-  get connect() { return super.connect = require('./srv/cds-connect') }
+  get serve() { return super.serve = require('./srv/cds-serve.js') }
+  get connect() { return super.connect = require('./srv/cds-connect.js') }
   get outboxed() { return this.queued }
   get unboxed() { return this.unqueued }
-  get queued() { return super.queued = require('../libx/queue').queued }
-  get unqueued() { return super.unqueued = require('../libx/queue').unqueued }
-  get middlewares() { return super.middlewares = require('./srv/middlewares') }
-  get odata() { return super.odata = require('../libx/odata') }
-  get auth() { return super.auth = require('./auth') }
+  get queued() { return super.queued = require('../libx/queue/index.js').queued }
+  get unqueued() { return super.unqueued = require('../libx/queue/index.js').unqueued }
+  get middlewares() { return super.middlewares = require('./srv/middlewares/index.js') }
+  get odata() { return super.odata = require('../libx/odata/index.js') }
+  get auth() { return super.auth = require('./auth.js') }
   shutdown() { this.app?.server && process.exit() } // is overridden in bin/serve.js
 
   // Core Services API
-  get Service() { return super.Service = require('./srv/cds.Service') }
-  get EventContext() { return super.EventContext = require('./req/context') }
-  get Request() { return super.Request = require('./req/request') }
-  get Event() { return super.Event = require('./req/event') }
-  get User() { return super.User = require('./req/user') }
+  get Service() { return super.Service = require('./srv/cds.Service.js') }
+  get EventContext() { return super.EventContext = require('./req/context.js') }
+  get Request() { return super.Request = require('./req/request.js') }
+  get Event() { return super.Event = require('./req/event.js') }
+  get User() { return super.User = require('./req/user.js') }
   get validate() { return super.validate = require('./req/validate.js') }
 
   // Services, Protocols and Periphery
@@ -101,18 +101,18 @@ const cds = module.exports = global.cds = new class cds_facade extends EventEmit
   get RemoteService() { return super.RemoteService = require('../libx/_runtime/remote/Service.js') }
 
   // Helpers
-  get utils() { return super.utils = require('./utils/cds-utils') }
-  get error() { return super.error = require('./log/cds-error') }
-  get exec() { return super.exec = require('../bin/serve').exec }
-  get test() { return super.test = require('./test/cds-test') }
-  get log() { return super.log = require('./log/cds-log') }
+  get utils() { return super.utils = require('./utils/cds-utils.js') }
+  get error() { return super.error = require('./log/cds-error.js') }
+  get exec() { return super.exec = require('../bin/serve.js').exec }
+  get test() { return super.test = require('./test/cds-test.js') }
+  get log() { return super.log = require('./log/cds-log.js') }
   get debug() { return super.debug = this.log.debug }
   clone(x) { return structuredClone(x) }
 
   // Querying and Databases
   get infer(){ return super.infer = require('./ql/cds.ql-infer.js') }
   get txs()  { return super.txs = new this.Service('cds.tx') }
-  get ql()   { return super.ql = require('./ql/cds-ql') }
+  get ql()   { return super.ql = require('./ql/cds-ql.js') }
   // get tx() { return super.tx = this.Service.prototype.tx.bind (new this.Service) } // Note: this would break too much of existing code/tests
   tx         (..._) { return (this.db || this.txs).tx(..._) }
   run        (..._) { return (this.db || typeof _[0] === 'function' && this.txs || this.error._no_primary_db).run(..._) }

package/lib/log/cds-error.js

@@ -21,7 +21,7 @@ const { format, inspect } = require('../utils/cds-utils')
  * @param {object} [details] - Additional error details
  * @param {Function} [caller] - The function calling this
  */
-const error = exports = module.exports = function cds_error ( status, message, details, caller ) {
+const error = exports = module.exports = function error ( status, message, details, caller ) {
   if (typeof status !== 'number') [ status, message, details, caller ] = status.raw ? [ undefined, error.message(...arguments) ] : [ undefined, status, message, details ]
   if (typeof message === 'object') [ message, details, caller ] = [ undefined, message, details ]
   let err = details && 'stack' in details ? details : Object.assign (new Error (message, details), details)
@@ -61,16 +61,17 @@ exports.expected = ([,type], arg) => {
   return error (`Expected argument '${name}'${type}, but got: ${inspect(value)}`, undefined, error.expected)
 }
 
-
-const system_errors = [
-  TypeError,
-  ReferenceError,
-  SyntaxError,
-  RangeError,
-  URIError
-]
-exports.isSystemError = err => system_errors.some(e => err instanceof e) 
-
+exports.isSystemError = err => {
+  // all errors thrown by the peggy parser should not crash the app
+  if (err.name === 'SyntaxError' && err.constructor?.name === 'peg$SyntaxError') return false
+  return err.name in {
+    TypeError:1,
+    ReferenceError:1,
+    SyntaxError:1,
+    RangeError:1,
+    URIError:1,
+  }
+}
 
 //
 // Private helpers ...

package/lib/log/format/json.js

@@ -1,4 +1,4 @@
-const cds = require('../../')
+const cds = require('../..')
 
 const util = require('util')
 

package/lib/ql/SELECT.js

@@ -1,4 +1,6 @@
+const { pipeline } = require('stream/promises')
 const Whereable = require('./Whereable')
+const Query = require('./cds.ql-Query')
 const is_number = x => !isNaN(x)
 const cds = require('../index')
 const $ = Object.assign
@@ -163,6 +165,35 @@ class SELECT extends Whereable {
     return this
   }
 
+  async foreach(callback) {
+    for await (const row of this) {
+      callback(row)
+    }
+  }
+
+  [Symbol.asyncIterator]() {
+    return (async function* (self) {
+      const srv = self._srv || cds.db || cds.error`Can't execute query as no primary database is connected.`
+      const stream = await srv.send({
+        iterator: true,
+        objectMode: true,
+        query: self,
+      })
+      for await (const row of stream) yield row
+    })(this)
+  }
+
+  async pipeline(...args) {
+    const srv = this._srv || cds.db || cds.error`Can't execute query as no primary database is connected.`
+    const res = await srv.send({
+      iterator: true,
+      objectMode: false,
+      query: this,
+    })
+    if (args.length) return pipeline(res, ...args.map(a => a instanceof Query ? stream => a.entries(stream) : a))
+    return res
+  }
+
   hints (...args) {
     if (args.length) this.SELECT.hints = args.flat()
     return this

package/lib/ql/UPDATE.js

@@ -31,7 +31,9 @@ class UPDATE extends Whereable {
 
     // A tagged template string with a single expression, e.g. .with `my.stock -= 1`
     if (args[0].raw) {
-      _add (this, ..._parse_set_expr (this, String.raw(...args)))
+      const [ strings, ...values ] = args
+      const vals = values.map (v => typeof v === 'string' ? `'${v}'` : v)
+      _add (this, ..._parse_set_expr (this, String.raw(strings, ...vals)))
     }
 
     // Alternating expr fragment / values args, e.g. .with ('my.stock -=',1, 'lastOrder =', '$now')

package/lib/ql/resolve.js

@@ -1,5 +1,5 @@
 const { resolveView, getTransition } = require('../../libx/_runtime/common/utils/resolveView')
-const cds = require('../../lib')
+const cds = require('..')
 
 const PERSISTENCE_TABLE = '@cds.persistence.table'
 const _isPersistenceTable = target =>

package/lib/req/context.js

@@ -1,6 +1,6 @@
 const cds = require ('../index'), { uuid } = cds.utils
 const async_events = { succeeded:1, failed:1, done:1, commit:1 }
-const locale = require('./../i18n/locale')
+const locale = require('../i18n/locale')
 const { EventEmitter } = require('events')
 
 /**

package/lib/req/validate.js

@@ -24,15 +24,16 @@ class Validation {
     this.cleanse = options.cleanse !== false
   }
 
-  error (code, path, leaf, val, ...args) {
+  error (code, path, leaf, i18n, ...args) {
     const err = (this.errors ??= new ValidationErrors).add (code)
-    if (this.options.path) path = [ this.options.path, ...path ] // e.g. used to prefic 'in/' for actions
+    if (this.options.path) path = [ this.options.path, ...path ] // e.g. used to prefix 'in/' for actions
     if (path) err.target = (!leaf ? path : path.concat(leaf)).reduce?.((p,n)=> (
       n?.row ? p + this.filter4(n) :          //> some/entity(ID=1)...
       typeof n === 'number' ? p + `[${n}]` :  //> some/array[1]...
       p && n ? p+'/'+n : n                    //> some/element...
     ),'')
-    if (val !== undefined) err.args = [ val, ...args ]
+    if (typeof i18n === 'string') err.i18n = i18n
+    if (args.length) err.args = args
     return err
   }
 
@@ -64,10 +65,8 @@ class ValidationErrors extends Array {
     return err
   }
   static proto = Object.create (Error.prototype, {
+    stack: { configurable:true, get() { return this.message } },
     message: { writable:true, configurable:true },
-    stack: { configurable:true, get() { return this.message },
-      set(v) { Object.defineProperty (this, 'stack', { value:v, writable:true, configurable:true }) },
-    },
     status: { value: 400 },
   })
 }
@@ -100,30 +99,30 @@ const $any = class any {
       const asserts = []
       const type_check = conf.strict && this.strict_check || this.type_check
       if (type_check) {
-        asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, v, this ))
+        asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, null, v, this ))
       }
       if (this._is_mandatory()) {
-        asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
+        asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, this['@mandatory.message'] || this['@mandatory'], v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
       }
       if (this['@assert.format']) {
         const format = new RegExp(this['@assert.format'],'u')
-        asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, v, format))
+        asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, this['@assert.format.message'], v, format))
       }
       if (this['@assert.range'] && !this.enum) {
         const [ min, max ] = this['@assert.range']
         if (min['='] === '_') min.val = -Infinity
         if (max['='] === '_') max.val = +Infinity
         asserts.push (
-          min.val !== undefined && max.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, v, '>'+min.val, '<'+max.val) :
-          min.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, '>'+min.val, max) :
-          max.val !== undefined ? (v,p,ctx) => v == null || min <= v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, v, min, '<'+max.val) :
-          (v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, min, max)
+          min.val !== undefined && max.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, this['@assert.range.message'], v, '>'+min.val, '<'+max.val) :
+          min.val !== undefined ? (v,p,ctx) => v == null || min.val < v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, this['@assert.range.message'], v, '>'+min.val, max) :
+          max.val !== undefined ? (v,p,ctx) => v == null || min <= v && v < max.val || ctx.error ('ASSERT_RANGE', p, this.name, this['@assert.range.message'], v, min, '<'+max.val) :
+          (v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, null, v, min, max)
         )
       }
       if (this['@assert.enum'] || this['@assert.range'] && this.enum) {
         const vals = Object.entries(this.enum).map(([k,v]) => 'val' in v ? v.val : k)
         const enums = vals.reduce((a,v) => (a[v]=true, a),{})
-        asserts.push ((v,p,ctx) => v == null || v in enums || vals.some(x => x == v) || ctx.error ('ASSERT_ENUM', p, this.name, typeof v === 'string' ? `"${v}"` : v, vals.join(', ')))
+        asserts.push ((v,p,ctx) => v == null || v in enums || vals.some(x => x == v) || ctx.error ('ASSERT_ENUM', p, this.name, this['@assert.enum.message'], typeof v === 'string' ? `"${v}"` : v, vals.join(', ')))
       }
       if (!asserts.length) return ()=>{} // nothing to do
       return (v,p,ctx) => asserts.forEach (a => a(v,p,ctx))
@@ -194,19 +193,19 @@ class struct extends $any {
   validate (data, path, /** @type {Validation} */ ctx, elements = this.elements, skip={}) {
     if (data == null) return
     const path_ = !path ? [] : [...path, this.name]; if (path?.row) path_.push({...path})
-    if (typeof data !== 'object') return ctx.error ('ASSERT_DATA_TYPE', path_, this.name, data, this.target)
+    if (typeof data !== 'object') return ctx.error ('ASSERT_DATA_TYPE', path_, this.name, null, data, this.target)
     // check for required elements in case of inserts -- note: null values are handled in the payload loop below
     if (ctx.insert || data && path_.length && this._is_insert(data)) for (let each of this._required (elements)) {
       if (each.name in data) continue // got value for required element
       if (each.name in skip) continue // skip uplinks in deep inserts -> see Composition.validate()
       if (each.$struct in data) continue // got struct for flattened element/fk, e.g. {author:{ID:1}}
-      if (each.elements || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate()
+      if ((each.elements && each.kind !== 'param' ) || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate(), parameters don't have flat elements
       if (each.isAssociation) continue // unmanaged associations are always ignored (no value like)
       else ctx.error ('ASSERT_NOT_NULL', path_, each.name) // ASSERT_NOT_NULL should be ASSERT_REQUIRED
     }
     // check values of given data
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
-      let /** @type {$any} */ d = elements[each]
+      let /** @type {$any} */ d = Object.hasOwn(elements, each) && elements[each]
       if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data)
       else if (ctx.cleanse && d._is_readonly() && !d.key) delete data[each]
       // @Core.Immutable processed only for root, children are handled when knowing db state