@sap/cds 9.3.1 → 9.4.3

package/lib/compile/minify.js

@@ -1,64 +1,92 @@
-const cds = require('../index')
-const DEBUG = cds.debug('minify')
+module.exports = exports = (m,o) => m.meta?.minified ? m : (new Minifier) .minify (m,o)
 
-module.exports = function cds_minify (csn, roots = cds.env.features.skip_unused) {
-  if (roots === false) return csn
-  if ((csn.meta??={}).minified) return csn
-  const all = csn.definitions, reached = new Set
-  if (roots === 'services') {
-    for (let n in all) if (all[n].kind === 'service') _visit_service(n)
-  } else if (typeof roots === 'string') {
-    _visit_service(roots)
-  } else for (let n in all) {
-    let d = all[n]
-    if (d.kind === 'service') _visit_service(n)
-    else if (d.kind === 'entity') {
-      if (d['@cds.persistence.skip'] === 'if-unused') continue
-      if (n.endsWith('.texts')) {
-        let e = all[n.slice(0,-6)]
-        if (e && e['@cds.persistence.skip'] === 'if-unused') continue
+class Minifier {
+
+  /**
+   * Minifies a model by removing all definitions not reachable from given roots.
+   * @param {object} [options] - Options for the minification as follows...
+   * @param {kinds} [options.keep] Controls which children of services to keep.
+   * @param {string[]} [options.cleanse] Names of properties or annotations to be removed.
+   * @typedef {{ entity, aspect, type, event, action, function }} kinds
+   * @returns {CSN.Model} the minified model with kept definitions only.
+   */
+  minify (csn, options, { skip_unused } = global.cds.env.features) {
+
+    const o = this.options = options || {}
+    if (skip_unused === false) return csn
+    if (skip_unused === 'services') o.services = 'all'
+    const all = new Map (Object.entries( this.defs ??= csn.definitions || {} ))
+    const children = (n,fn,pre=n+'.') => { for (let [n,d] of all) if (n.startsWith(pre)) fn (n,d) }
+    const events = { event:1, action:1, function:1 }
+    const keep = o.keep ??= { entity:1, type:1, ...events }
+    const kept = this.kept = csn.definitions = {}
+    const skipped = this.skipped = {}
+
+    if (o.services) {
+      // If o.services is specified, only keep matching services and their children
+      const rx = o.services == 'all' || o.services == '/all/i' ? {test:()=>true} : o.services
+      for (let [s,d] of all) if (d.kind === 'service' && rx.test(s)) {
+        this.keep (s,d); children (s, (c,d) => this.keep (c,d))
+      }
+    } else {
+      // Otherwise first mark all external services and their children as initially skipped
+      for (let [s,d] of all) if (d.kind === 'service' && _skip_service(s,d)) {
+        skipped[s] = 0; children (s, (c,d) => d.kind in events ? this.keep (c,d) : skipped[c] = s) // used later on in this.keep()
+      }
+      // Then keep all own services and their children
+      for (let [s,d] of all) if (d.kind === 'service' && !(s in skipped)) {
+        this.keep (s,d); children (s, (c,d) => d.kind in keep ? this.keep (c,d) : skipped[c] = 0)
+      }
+      // Also keep remaining non-service entities
+      for (let [e,d] of all) if (d.kind === 'entity') {
+        e in kept || e in skipped || _skip_entity(e,d) || this.keep (e,d)
       }
-      _visit(d)
     }
+
+    ;(csn.meta ??= {}) .minified = true
+    return csn
   }
-  function _visit_service (service) {
-    reached.add (all[service])
-    for (let e in all) if (e.startsWith(service+'.')) _visit(all[e])
-  }
-  function _visit_query (q) {
-    if (q.SELECT) return _visit_query (q.SELECT)
-    if (q.SET) return q.SET.args.forEach (_visit_query)
-    if (q.mixin) for (let e in q.mixin) _visit (q.mixin[e])
-    if (q.from) {
-      if (q.from.join) return q.from.args.forEach (_visit)
-      else return _visit (q.from)
+
+  cleanse (d, o = this.options, keep = this._keep ??= Object.keys (o.keep)) {
+    for (let p in o.cleanse) {
+      if (p[0] !== '@') delete d[p] // a single property
+      for (let a in d) if (a.startsWith(p) && !keep.some(k => a.startsWith(k))) delete d[a]
     }
   }
-  function _visit (d) {
-    if (typeof d === 'string') {
-      d = all[d]
-      if (!d) return // builtins like cds.String
-    } else if (d.ref) return d.ref.reduce((p,n) => {
-      let d = (p.elements || all[p.target || p.type].elements)[n.id || n] // > n.id -> view with parameters
-      if (d)  _visit(d)
-      return d
-    },{elements:all})
-    if (reached.has(d)) return; else reached.add(d)
-    if (d.includes)   d.includes.forEach(i => _visit(all[i]))  // Note: with delete d.includes, redirects in AFC broke
-    if (d.projection)         _visit_query (d.projection)
-    if (d.query)              _visit_query (d.query)
-    if (d.type)               _visit (d.type)
-    if (d.target)             _visit (d.target)
-    if (d.targetAspect)       _visit (d.targetAspect)
-    if (d.items)              _visit (d.items)
-    if (d.returns)            _visit (d.returns)
-    for (let e in d.elements) _visit (d.elements[e])
-    for (let a in d.actions)  _visit (d.actions[a])
-    for (let p in d.params)   _visit (d.params[p])
+
+  walk (d) { this.cleanse(d)
+    if (d.target)             this.keep (d.target)              // has to go first w/o return for redirected targets
+    if (d.type in this.defs)  return this.keep (d.type)         // return to avoid endless recursion
+    if (d.type?.ref)          return this.keep (d.type.ref[0])  // return to avoid endless recursion
+    if (d.projection)         this.view (d.projection)
+    if (d.query)              this.view (d.query)
+    if (d.items)              this.walk (d.items)
+    if (d.returns)            this.walk (d.returns)
+    for (let e in d.elements) this.walk (d.elements[e])
+    for (let a in d.actions)  this.walk (d.actions[a])
+    for (let p in d.params)   this.walk (d.params[p])
+    for (let i in d.includes) this.keep (d.includes[i])
+  // Note: this ^^^^^^^^^^^^ is required for cdsc.recompile; with delete d.includes, redirects in AFC broke
+  }
+
+  view (q) {
+    if (q.SELECT) q = q.SELECT // i.e. entity as select from ...
+    if (q.mixin) for (let e in q.mixin) this.walk (q.mixin[e])
+    if (q.from?.ref) return this.keep (_source(q.from.ref[0])) // keep sources of views
+    if (q.from?.join) return q.from.args.forEach (from => this.view ({from}))
+    if (q.SET) return q.SET.args.forEach (q => this.view (q.SELECT||q))
+    function _source (r) { return r.id || r }
+  }
+
+  keep (n,d) {
+    if (n in this.kept) return; else d ??= this.defs[n]
+    if (d) this.walk (this.kept[n] = d, n); else return
+    let texts = this.defs[n+'.texts']; if (texts) this.keep (n+'.texts', texts)
+    let parent = this.skipped[n]; if (parent) this.keep(parent) // keep initially skipped services
   }
-  const minified = csn, less = minified.definitions = {}
-  for (let n in all) if (reached.has(all[n])) less[n] = all[n]
-  else DEBUG?.('skipping', all[n].kind, n)
-  ;(minified.meta??={}).minified = true
-  return minified
+
 }
+
+const _skip_service = (s,d) => d['@cds.external'] >= 2
+const _skip_entity = (e,d) => d['@cds.external'] >= 2 || d['@cds.persistence.skip'] === 'if-unused' || e.endsWith('.texts')
+exports.Minifier = Minifier

package/lib/compile/to/csn.js

@@ -26,6 +26,8 @@ function cds_compile_to_csn (model, options, _flavor) {
   else return _finalize (cdsc.compileSources(model,o))                 //> compile CDL sources
 
   function _finalize (csn) {
+    // REVISIT: experimental implementation to automatically add aspect FlowHistory
+    if (cds.env.features.history_for_flows) cds.compile.for.flows(csn)
     if (o.min) csn = cds.minify(csn)
     // REVISIT: experimental implementation to detect external APIs
     for (let each in csn.definitions) {

package/lib/compile/to/yaml.js

@@ -29,7 +29,7 @@ module.exports = function _2yaml (object, {limit=111}={}) {
     if (typeof o === 'string') {
       if (o.indexOf('\n')>=0) return '|'+'\n'+indent+ o.replace(/\n/g,'\n'+indent)
       let s = o.trim()
-      return !s || /^[\^@#:,=!<>*|]/.test(s) || /:\s/.test(o) ? '"'+ o.replace(/\\/g,'\\\\') +'"'  :  s
+      return !s || /^[\^@#:,=!<>*+-/|]/.test(s) || /:\s/.test(o) ? '"'+ o.replace(/\\/g,'\\\\') +'"'  :  s
     }
     if (typeof o === 'function') return
     else return o

package/lib/env/cds-requires.js

@@ -276,3 +276,6 @@ exports.kinds = {
   ..._messaging,
   ..._platform_services,
 }
+
+// This is to hide that method in the output of cds env
+Object.defineProperty(exports,'_resolved',{value:exports._resolved,enumerable:false}) // hide it in outputs

package/lib/i18n/bundles.js

@@ -31,7 +31,14 @@ class I18nBundle {
   at (key, locale, args) {
     if (typeof locale !== 'string') [ args, locale ] = [ locale, cds.context?.locale ?? i18n.default_language ]
     if (typeof key === 'object') key = this.key4(key)
-    let t = this.texts4 (locale) [key]
+
+    let t
+     // fallback for legacy assert message
+    if (key === 'ASSERT_MANDATORY') {
+      t = this.texts4 (locale) ['ASSERT_NOT_NULL']
+      if (!t) t = this.texts4 (locale) [key]
+    } else t = this.texts4 (locale) [key]
+
     if (t && args) t = t.replace (/{(\w+)}/g, (_,k) => args[k])
     return t
   }

package/lib/i18n/files.js

@@ -30,10 +30,14 @@ class I18nFiles {
     const _folders = I18nFiles.folders ??= {}
     const _entries = I18nFiles.entries ??= {}
 
+    // ensure we always load factory defaults for messages at very first
+    if (basename === 'messages') _add_entries4 (path.resolve (__dirname,'../../_i18n'))
+
     // fetch relatively specified i18n.folders in the neighborhood of sources...
     const relative_folders = folders.filter (f => f[0] !== '/')
     if (relative_folders.length) {
-      const leafs = model?.$sources.map(path.dirname) ?? roots, visited = {}
+      const outbox_cds = cds.env.requires.queue?.model // ignore outbox.cds if present in model.$sources
+      const leafs = model?.$sources.filter(f => !f.startsWith(outbox_cds)).map(path.dirname) ?? roots, visited = {}
       ;[...new Set(leafs)].reverse() .forEach (function _visit (dir) {
         if (dir in visited) return; else visited[dir] = true
         LOG.debug ('fetching', basename, 'bundles in', dir, relative_folders)

package/lib/i18n/index.js

@@ -16,13 +16,9 @@ class I18nFacade {
    * The default bundle for runtime messages.
    */
   get messages() {
-    // ensure we always find our factory defaults as fallback
-    const factory_defaults = cds.utils.path.resolve (__dirname,'../../_i18n')
-    const folders = [ ...cds.env.i18n.folders, factory_defaults ]
-    return super.messages = this.bundle4 ('messages', { folders })
+    return super.messages = this.bundle4 ('messages')
   }
 
-
   /**
    * The default bundle for UI labels and texts.
    */

package/lib/i18n/localize.js

@@ -73,17 +73,19 @@ exports.edmx = edmx => {
     '<'  : '&lt;',
     '>'  : '&gt;',
     '&'  : '&amp;', // if not followed by amp; quot; lt; gt; apos; or #
+    '\t' : '&#x9;',
     '\n' : '&#xa;',
+    '\f' : '&#xc;',
     '\r' : '',
   }
-  const _2b_escaped = /["<>\n\r]|&(?!quot;|amp;|lt;|gt;|apos;|#)/g
+  const _2b_escaped = /["<>\t\n\f\r]|&(?!quot;|amp;|lt;|gt;|apos;|#)/g
   const _xml_replacer = s => s?.replace (_2b_escaped, m => _xml_escapes[m])
   return localize (edmx) .using (_xml_replacer)
 }
 
 exports.json = json => {
   if (typeof json === 'object') json = JSON.stringify(json)
-  const _json_replacer = s => s?.replace(/"/g, '\\"')
+  const _json_replacer = s => s && JSON.stringify(s).slice(1,-1)
   return localize(json) .using (_json_replacer)
 }
 

package/lib/index.js

@@ -82,7 +82,7 @@ const cds = exports = module.exports = global.cds = new class cds extends EventE
   get unqueued() { return super.unqueued = require('../libx/queue/index.js').unqueued }
   get middlewares() { return super.middlewares = require('./srv/middlewares/index.js') }
   get odata() { return super.odata = require('../libx/odata/index.js') }
-  get auth() { return super.auth = require('./auth.js') }
+  get auth() { return super.auth = require('./srv/middlewares/auth/index.js') }
   shutdown() { this.app?.server && process.exit() } // is overridden in bin/serve.js
 
   // Core Services API

package/lib/ql/SELECT.js

@@ -171,27 +171,24 @@ class SELECT extends Whereable {
     }
   }
 
+  /**
+   * Convenience for streaming individual rows with async iteration. @example
+   * for await (let row of await query.stream(true)) ...
+   * for await (let row of query) ... // convenience by this method
+   */
   [Symbol.asyncIterator]() {
-    return (async function* (self) {
-      const srv = self._srv || cds.db || cds.error`Can't execute query as no primary database is connected.`
-      const stream = await srv.send({
-        iterator: true,
-        objectMode: true,
-        query: self,
-      })
-      for await (const row of stream) yield row
-    })(this)
-  }
-
-  async pipeline(...args) {
+    const res = this.stream (true)
+    return async function* () { yield* await res }()
+  }
+
+  pipeline (...args_or_inserts) { if (!args_or_inserts.length) return this.stream() //> 4 compat only
+    const args = args_or_inserts.map (a => a instanceof Query ? s => a.entries(s) : a)
+    return this.stream() .then (stream => pipeline (stream, ...args))
+  }
+
+  stream (objectMode = false) {
     const srv = this._srv || cds.db || cds.error`Can't execute query as no primary database is connected.`
-    const res = await srv.send({
-      iterator: true,
-      objectMode: false,
-      query: this,
-    })
-    if (args.length) return pipeline(res, ...args.map(a => a instanceof Query ? stream => a.entries(stream) : a))
-    return res
+    return srv.send ({ query:this, iterator:true, objectMode })
   }
 
   hints (...args) {

package/lib/req/validate.js

@@ -10,6 +10,8 @@ const conf = module.exports = exports = function validate (data, target, options
   return vc.errors
 }
 
+// remove compat with cds^10
+const ASSERT_MANDATORY = cds.env.features.compat_assert_not_null ? 'ASSERT_NOT_NULL' : 'ASSERT_MANDATORY'
 
 /** Instances represent single validations and are mainly used to record errors during validation. */
 class Validation {
@@ -102,11 +104,11 @@ const $any = class any {
         asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, null, v, this ))
       }
       if (this._is_mandatory()) {
-        asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, this['@mandatory.message'] || this['@mandatory'], v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
+        asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error (ASSERT_MANDATORY, p, this.name, this['@mandatory.message'] || this['@mandatory'], v))
       }
       if (this['@assert.format']) {
         const format = new RegExp(this['@assert.format'],'u')
-        asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, this['@assert.format.message'], v, format))
+        asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, this['@assert.format.message'], v, this['@assert.format']))
       }
       if (this['@assert.range'] && !this.enum) {
         const [ min, max ] = this['@assert.range']
@@ -161,6 +163,10 @@ const $any = class any {
     })
   }
 
+  _is_immutable (d=this) {
+    return d['@insertonly'] || d['@Core.Immutable']
+  }
+
   /**
    * Checks if a nested row of a deep update is in turn to be inserted or updated.
    * This is the case if the row date does not contain all primary key elements of the target entity.
@@ -201,15 +207,14 @@ class struct extends $any {
       if (each.$struct in data) continue // got struct for flattened element/fk, e.g. {author:{ID:1}}
       if ((each.elements && each.kind !== 'param' ) || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate(), parameters don't have flat elements
       if (each.isAssociation) continue // unmanaged associations are always ignored (no value like)
-      else ctx.error ('ASSERT_NOT_NULL', path_, each.name) // ASSERT_NOT_NULL should be ASSERT_REQUIRED
+      else ctx.error (ASSERT_MANDATORY, path_, each.name)
     }
     // check values of given data
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
       let /** @type {$any} */ d = Object.hasOwn(elements, each) && elements[each]
       if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data)
       else if (ctx.cleanse && d._is_readonly() && !d.key) delete data[each]
-      // @Core.Immutable processed only for root, children are handled when knowing db state
-      else if (ctx.cleanse && d['@Core.Immutable'] && !ctx.insert && !path) delete data[each]
+      else if (ctx.cleanse && d._is_immutable() && !ctx.insert && !path) delete data[each] // @Core.Immutable processed only for root, children are handled when knowing db state
       else if (d['@cds.validate'] !== false) d.validate (data[each], path_, ctx)
     }
   }

package/lib/srv/bindings.js

@@ -22,7 +22,7 @@ class Bindings {
     let binding = this.provides [required?.service || service]
     if (binding?.endpoints) {
       const server = this.servers [binding.server]
-      const kind = [ required.kind, 'hcql', 'rest', 'odata' ].find (k => k in binding.endpoints)
+      const kind = [ required?.kind, 'hcql', 'rest', 'odata' ].find (k => k in binding.endpoints)
       const path = binding.endpoints [kind]
       // in case of cds.requires.Foo = { ... }
       if (typeof required === 'object') required.credentials = {

package/lib/srv/cds-serve.js

@@ -51,7 +51,7 @@ async function _construct (services, o) {
     return [ await init (new services (services.name, cds.model, o)) ]
 
   // Resolve/load the model to use subsequently
-  const csn = !o.from || o.from === '*' ? cds.model || await cds.load('*')
+  const csn = !o.from || o.from === '*' || o.from === 'all' ? cds.model || await cds.load('*')
     : is_csn(o.from) ? o.from : await cds.load (o.from, { silent: true })
   const m = cds.compile.for.nodejs (csn)
 

package/lib/srv/middlewares/auth/ias-auth.js

@@ -82,10 +82,11 @@ module.exports = function ias_auth(config) {
       })
     } catch (e) {
       if (e instanceof ValidationError) {
-        LOG.warn('Unauthenticated request: ', e)
+        if (e.token?.payload) e.token_payload = e.token.payload
+        LOG.warn('Unauthenticated request:', e)
         return next(401)
       }
-      LOG.error('Error while authenticating user: ', e)
+      LOG.error('Error while authenticating user:', e)
       return next(500)
     }
 

package/lib/srv/middlewares/auth/jwt-auth.js

@@ -44,10 +44,11 @@ module.exports = function jwt_auth(config) {
       })
     } catch (e) {
       if (e instanceof ValidationError) {
-        LOG.warn('Unauthenticated request: ', e)
+        if (e.token?.payload) e.token_payload = e.token.payload
+        LOG.warn('Unauthenticated request:', e)
         return next(401)
       }
-      LOG.error('Error while authenticating user: ', e)
+      LOG.error('Error while authenticating user:', e)
       return next(500)
     }
 

package/lib/srv/middlewares/errors.js

@@ -2,13 +2,14 @@ const cds = require('../..'), {i18n} = cds
 const LOG = cds.log('error')
 const internals = /\n +at .*(?:node_modules\/express|node:).*/gm
 const is_test = typeof global.it === 'function'
+const { STATUS_CODES } = require('http')
 
 module.exports = () => {
   /** @param {import('express').Response} res */
   return function http_error (err, req, res, next) { // eslint-disable-line no-unused-vars
 
     // In case of 401 require login if available by auth strategy
-    if (typeof err === 'number') err = { code: err }
+    if (typeof err === 'number') err = { status: err, code: String(err), message: STATUS_CODES[err] }
     if (err.code == 401 && req._login) return req._login()
 
     // Shutdown on uncaught errors, which could be critical programming errors

package/lib/srv/protocols/hcql.js

@@ -27,7 +27,7 @@ class HCQLAdapter extends require('./http') {
 
     // Route for REST-style convenience shortcuts with queries in URL + body ...
     const $ = cb => (req,_,next) => { req.body = cb(req.params,req); next() }
-    PROD || router.route('/:entity/:id?')
+    PROD || router.route(express.application.del ? '/:entity/:id?' : '/:entity{/:id}')
     .get ($(({entity,id,tail}, req) => {
       if (entity.includes(' ')) [,entity,tail] = /^(\w+)( .*)?/.exec(entity)
       if (id?.includes(' ')) [,id,tail] = /^(\w+)( .*)/.exec(id)
@@ -74,7 +74,7 @@ class HCQLAdapter extends require('./http') {
    * which is expected to be a plain CQN object or a CQL string.
    */
   query4 (/** @type express.Request */ req) {
-    let q = req.body = cds.ql(req.body) || this.error (400, 'Invalid query', { query: req.body })
+    let q = req.body = cds.ql(req.body ?? {}) || this.error (400, 'Invalid query', { query: req.body })
     // handle request headers
     if (q.SELECT) {
       if (req.get('Accept-Language')) q.SELECT.localized = true
@@ -99,6 +99,7 @@ class HCQLAdapter extends require('./http') {
   valid (query) {
     if (!this.service.definition) return query
     let target = cds.infer.target (query, this.service)
+    if (!target) throw this.error (400, 'Cannot determine target entity of query.')
     if (target._unresolved) throw this.error (400, `${target.name} is not an entity served by '${this.service.name}'.`, { query })
     return query
   }
@@ -106,12 +107,13 @@ class HCQLAdapter extends require('./http') {
   /**
    * Serialize the results into response.
    */
-  reply (results, /** @type express.Response */ res) {
-    if (!results) return res.end()
+  reply (results, /** @type express.Response */ res, q = res.req.body) {
+    if (q.INSERT) res.statusCode = 201
+    if (results == null) return res.sendStatus(204)
     if (results.$count) res.set ('X-Total-Count', results.$count)
     if (typeof results === 'object') return res.json (results)
-    if (res.req.method === 'DELETE') return res.sendStatus(204)
-    else res.send (results)
+    if (typeof results === 'number') results = String (results)
+    res.set('Content-Type','application/json').send (results)
   }
 
   /**

package/lib/srv/srv-dispatch.js

@@ -40,17 +40,13 @@ exports.handle = async function handle (req) {
 
   // ._initial handlers run in sequence
   handlers = this.handlers._initial.filter (h => h.for(req))
-  if (handlers.length) {
-    for (const each of handlers) await each.handler.call (this,req)
-    if (req.errors) throw req.reject()
-  }
+  if (handlers.length) for (const each of handlers) await each.handler.call (this,req)
+  // no reject after _initial phase
 
   // .before handlers run in parallel
   handlers = this.handlers.before.filter (h => h.for(req))
-  if (handlers.length) {
-    await Promise.all (handlers.map (each => each.handler.call (this,req)))
-    if (req.errors) throw req.reject()
-  }
+  if (handlers.length) await Promise.all (handlers.map (each => each.handler.call (this,req)))
+  if (req.errors) throw req.reject()
 
   // .on handlers run in parallel for async events, and as interceptors stack for sync requests
   handlers = this.handlers.on.filter (h => h.for(req))

package/lib/srv/srv-handlers.js

@@ -50,10 +50,36 @@ class EventHandlers {
       for (let each of event) this.register (srv, phase, each, path, handler)
       return srv
     }
-    else if (event === 'SAVE' || event === 'WRITE') {
+    else if (event === 'SAVE') { //> special handling for SAVE
+      // REVISIT: remove compat with cds^10
+      if (cds.env.features?.compat_save_drafts) {
+        // no special handling for SAVE
+      } else {
+        if (is_array(path)) {
+          for (let each of path) this.register (srv, phase, event, each, handler)
+          return srv
+        }
+        if ((path.name || path).endsWith('.drafts')) {
+          const h = handler
+          path = typeof path === 'object' ? (path.actives || path) : path.slice(0, -7)
+          handler =
+            phase === 'before' ? function(req)      { return is_activate(req) ? h.call(this,req)      : null   } :
+            phase === 'after'  ? function(res,req)  { return is_activate(req) ? h.call(this,res,req)  : null   } :
+            phase === 'on'     ? function(req,next) { return is_activate(req) ? h.call(this,req,next) : next() } :
+            cds.error `SAVE not supported in ${phase} handlers`
+        }
+      }
       for (let each of ['CREATE','UPSERT','UPDATE']) this.register (srv, phase, each, path, handler)
       return srv
     }
+    else if (event === 'WRITE') {
+      for (let each of ['CREATE','UPSERT','UPDATE']) this.register (srv, phase, each, path, handler)
+      return srv
+    }
+    else if (event === 'DISCARD') { //> REVISIT: how solve in lean draft impl?
+      this.register (srv, phase, 'CANCEL', path, handler)
+      return srv
+    }
     else if (phase === 'after' && ( event === 'each'    //> srv.after ('each', Book, b => ...)    // event 'each' => READ each
       || event === 'READ' && path?.is_singular          //> srv.after ('READ', Book, b => ...)    // Book is a singular def from cds-typer
       || event === 'READ' && /^\(?each\b/.test(handler) //> srv.after ('READ', Book, each => ...) // handler's first param is named 'each'
@@ -109,6 +135,7 @@ class EventHandler {
 
 
 const is_array = Array.isArray
+const is_activate = req => req._?.event === 'draftActivate'
 const events = {
   SELECT: 'READ',
   GET: 'READ',