arc-1 0.1.0

package/dist/adt/features.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"features.js","sourceRoot":"","sources":["../../ts-src/adt/features.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAIzC,OAAO,EAAE,wBAAwB,EAAE,MAAM,iBAAiB,CAAC;AAS3D,MAAM,MAAM,GAAmB;IAC7B,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,mCAAmC,EAAE,WAAW,EAAE,eAAe,EAAE;IAC3F,EAAE,EAAE,EAAE,SAAS,EAAE,QAAQ,EAAE,2BAA2B,EAAE,WAAW,EAAE,qBAAqB,EAAE;IAC5F,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,8BAA8B,EAAE,WAAW,EAAE,qBAAqB,EAAE;IAC3F,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,2BAA2B,EAAE,WAAW,EAAE,gBAAgB,EAAE;IACpF,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,+BAA+B,EAAE,WAAW,EAAE,eAAe,EAAE;IACtF,EAAE,EAAE,EAAE,WAAW,EAAE,QAAQ,EAAE,mCAAmC,EAAE,WAAW,EAAE,0BAA0B,EAAE;CAC5G,CAAC;AAEF,iDAAiD;AACjD,SAAS,cAAc,CAAC,IAAiB,EAAE,WAAoB,EAAE,EAAU,EAAE,WAAmB;IAC9F,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,4BAA4B,EAAE,CAAC;IACpF,CAAC;IACD,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC;IACrF,CAAC;IACD,OAAO;IACP,OAAO;QACL,EAAE;QACF,SAAS,EAAE,WAAW;QACtB,IAAI,EAAE,MAAM;QACZ,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,GAAG,WAAW,eAAe,CAAC,CAAC,CAAC,GAAG,WAAW,mBAAmB;QACxF,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACnC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAqB,EAAE,MAAqB;IAC9E,MAAM,OAAO,GAAgC;QAC3C,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;IAEF,8CAA8C;IAC9C,MAAM,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,MAAM,CAAC,CAAC;IAEnE,qDAAqD;IACrD,MAAM,CAAC,YAAY,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACpD,OAAO,CAAC,GAAG,CACT,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YAC9B,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gBAClD,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,QAAQ,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC;YAChE,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;YAC5C,CAAC;QACH,CAAC,CAAC,CACH;QACD,iBAAiB,CAAC,MAAM,CAAC;KAC1B,CAAC,CAAC;IAEH,mBAAmB;IACnB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAmB,CAAC;IAC7C,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QAClC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;IAED,uBAAuB;IACvB,MAAM,MAAM,GAAkC,EAAE,CAAC;IACjD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC;QACzC,MAAM,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC;QACrD,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,GAAG,cAAc,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IACpF,CAAC;IAED,MAAM,QAAQ,GAAG,MAAqC,CAAC;IACvD,IAAI,WAAW,EAAE,CAAC;QAChB,QAAQ,CAAC,WAAW,GAAG,WAAW,CAAC;IACrC,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,8BAA8B,CAAC,OAAe;IAC5D,MAAM,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,mDAAmD;IACzF,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEnC,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC,KAAK,CAAC;IAE5C,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,oCAAoC;IACpC,IAAI,GAAG,IAAI,KAAK;QAAE,OAAO,OAAO,CAAC,QAAQ,CAAC;IAC1C,IAAI,GAAG,IAAI,KAAK;QAAE,OAAO,OAAO,CAAC,QAAQ,CAAC;IAC1C,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,QAAQ,CAAC;IACxC,IAAI,GAAG,IAAI,GAAG;QAAE,OAAO,OAAO,CAAC,IAAI,CAAC;IACpC,OAAO,OAAO,CAAC,IAAI,CAAC;AACtB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,iBAAiB,CAAC,MAAqB;IACpD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/D,IAAI,IAAI,CAAC,UAAU,IAAI,GAAG;YAAE,OAAO,SAAS,CAAC;QAC7C,MAAM,UAAU,GAAG,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,WAAW,CAAC,CAAC;QAC3E,OAAO,KAAK,EAAE,OAAO,IAAI,SAAS,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,qBAAqB,CAAC,MAAqB;IACzD,MAAM,MAAM,GAAkC,EAAE,CAAC;IACjD,MAAM,YAAY,GAA2B;QAC3C,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,qBAAqB;QAC9B,GAAG,EAAE,qBAAqB;QAC1B,IAAI,EAAE,gBAAgB;QACtB,GAAG,EAAE,eAAe;QACpB,SAAS,EAAE,0BAA0B;KACtC,CAAC;IAEF,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,MAAM,CAAC,EAAE,CAAC,GAAG,cAAc,CACzB,IAAmB,EACnB,IAAI,KAAK,IAAI,EAAE,kDAAkD;QACjE,EAAE,EACF,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,CACvB,CAAC;IACJ,CAAC;IAED,OAAO,MAAqC,CAAC;AAC/C,CAAC"}

package/dist/adt/http.d.ts

@@ -0,0 +1,116 @@
+/**
+ * ADT HTTP Transport for ARC-1.
+ *
+ * Handles all HTTP communication with SAP ADT REST API:
+ * - CSRF token lifecycle (fetch, cache, refresh on 403)
+ * - Cookie-based and Basic auth
+ * - Stateful sessions (lock → modify → unlock must share session)
+ * - Automatic retry on session expiry
+ *
+ * Design decisions:
+ *
+ * 1. CSRF token fetch uses HEAD /sap/bc/adt/core/discovery with "X-CSRF-Token: fetch".
+ *    HEAD is ~5s vs ~56s for GET on slow systems (learned from Go version benchmarks).
+ *
+ * 2. Modifying requests (POST/PUT/DELETE/PATCH) auto-include CSRF token.
+ *    On 403, token is refreshed and request is retried once.
+ *    (Pattern from both abap-adt-api and fr0ster implementations.)
+ *
+ * 3. Stateful sessions use "X-sap-adt-sessiontype: stateful" header.
+ *    Lock/modify/unlock must use the same session cookies.
+ *    withStatefulSession() ensures session isolation.
+ *    (fr0ster uses AsyncLocalStorage for this — we use a simpler approach
+ *    with an isolated axios instance per session.)
+ *
+ * 4. sap-client and sap-language are added to every request as query params.
+ *    This is an SAP convention, not ADT-specific.
+ */
+import type { BTPProxyConfig } from './btp.js';
+/** Session type for ADT requests */
+export type SessionType = 'stateful' | 'stateless' | undefined;
+/** Configuration for the ADT HTTP client */
+export interface AdtHttpConfig {
+    baseUrl: string;
+    username?: string;
+    password?: string;
+    client?: string;
+    language?: string;
+    insecure?: boolean;
+    cookies?: Record<string, string>;
+    sessionType?: SessionType;
+    /** BTP Connectivity proxy (Cloud Connector) */
+    btpProxy?: BTPProxyConfig;
+    /**
+     * Per-user SAP-Connectivity-Authentication header value.
+     * Set when using BTP Cloud Connector principal propagation.
+     * Contains a SAML assertion with the user's identity.
+     * When set, this header is sent on EVERY request to the connectivity proxy,
+     * which forwards it to the Cloud Connector for user mapping.
+     */
+    sapConnectivityAuth?: string;
+    /** PP Option 1: jwt-bearer exchanged token replacing Proxy-Authorization */
+    ppProxyAuth?: string;
+}
+/** Response from an ADT HTTP request */
+export interface AdtResponse {
+    statusCode: number;
+    headers: Record<string, string>;
+    body: string;
+}
+/**
+ * ADT HTTP Client — handles CSRF tokens, sessions, and authentication.
+ *
+ * Not a generic HTTP client: it's purpose-built for SAP ADT REST API conventions.
+ */
+export declare class AdtHttpClient {
+    private csrfToken;
+    private axios;
+    private config;
+    /**
+     * Cookie jar — stores Set-Cookie headers from responses and sends them back.
+     *
+     * SAP ties CSRF tokens to session cookies (SAP_SESSIONID_*).
+     * Without cookie persistence, CSRF-protected requests (POST/PUT/DELETE) fail with 403.
+     * This was the root cause of integration test failures: token was fetched via HEAD,
+     * but the subsequent POST didn't include the session cookie, so SAP rejected it.
+     *
+     * Design: simple Map<name, value> — we don't need full cookie jar semantics
+     * (domain, path, expiry) because all requests go to the same SAP host.
+     */
+    private cookieJar;
+    constructor(config: AdtHttpConfig);
+    /** GET request */
+    get(path: string, headers?: Record<string, string>): Promise<AdtResponse>;
+    /** POST request (includes CSRF token) */
+    post(path: string, body?: string, contentType?: string, headers?: Record<string, string>): Promise<AdtResponse>;
+    /** PUT request (includes CSRF token) */
+    put(path: string, body: string, contentType?: string, headers?: Record<string, string>): Promise<AdtResponse>;
+    /** DELETE request (includes CSRF token) */
+    delete(path: string, headers?: Record<string, string>): Promise<AdtResponse>;
+    /**
+     * Execute a function within an isolated stateful session.
+     * Ensures lock/modify/unlock share the same SAP session cookies.
+     *
+     * Creates a new axios instance with stateful session header,
+     * shares CSRF token with the main client.
+     */
+    withStatefulSession<T>(fn: (client: AdtHttpClient) => Promise<T>): Promise<T>;
+    /** Core request method */
+    private request;
+    /** Handle response: throw on error status, return normalized response */
+    private handleResponse;
+    /**
+     * Fetch CSRF token from SAP.
+     * Uses HEAD /sap/bc/adt/core/discovery for speed.
+     */
+    fetchCsrfToken(): Promise<void>;
+    /**
+     * Extract and store cookies from a response's Set-Cookie headers.
+     * Only stores the name=value part; ignores path, domain, expiry
+     * since all requests go to the same SAP host.
+     */
+    private storeCookies;
+    /** Build full URL with sap-client and sap-language query params */
+    private buildUrl;
+}
+//# sourceMappingURL=http.d.ts.map

package/dist/adt/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../ts-src/adt/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAMH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAG/C,oCAAoC;AACpC,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,WAAW,GAAG,SAAS,CAAC;AAE/D,4CAA4C;AAC5C,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B;;;;;;OAMG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,4EAA4E;IAC5E,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,wCAAwC;AACxC,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;GAIG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,SAAS,CAAM;IACvB,OAAO,CAAC,KAAK,CAAgB;IAC7B,OAAO,CAAC,MAAM,CAAgB;IAC9B;;;;;;;;;;OAUG;IACH,OAAO,CAAC,SAAS,CAAkC;gBAEvC,MAAM,EAAE,aAAa;IA2CjC,kBAAkB;IACZ,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAI/E,yCAAyC;IACnC,IAAI,CACR,IAAI,EAAE,MAAM,EACZ,IAAI,CAAC,EAAE,MAAM,EACb,WAAW,CAAC,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,OAAO,CAAC,WAAW,CAAC;IAIvB,wCAAwC;IAClC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAInH,2CAA2C;IACrC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC;IAIlF;;;;;;OAMG;IACG,mBAAmB,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,aAAa,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAYnF,0BAA0B;YACZ,OAAO;IA6JrB,yEAAyE;IACzE,OAAO,CAAC,cAAc;IAsBtB;;;OAGG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAgErC;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAgBpB,mEAAmE;IACnE,OAAO,CAAC,QAAQ;CAcjB"}

package/dist/adt/http.js

@@ -0,0 +1,374 @@
+/**
+ * ADT HTTP Transport for ARC-1.
+ *
+ * Handles all HTTP communication with SAP ADT REST API:
+ * - CSRF token lifecycle (fetch, cache, refresh on 403)
+ * - Cookie-based and Basic auth
+ * - Stateful sessions (lock → modify → unlock must share session)
+ * - Automatic retry on session expiry
+ *
+ * Design decisions:
+ *
+ * 1. CSRF token fetch uses HEAD /sap/bc/adt/core/discovery with "X-CSRF-Token: fetch".
+ *    HEAD is ~5s vs ~56s for GET on slow systems (learned from Go version benchmarks).
+ *
+ * 2. Modifying requests (POST/PUT/DELETE/PATCH) auto-include CSRF token.
+ *    On 403, token is refreshed and request is retried once.
+ *    (Pattern from both abap-adt-api and fr0ster implementations.)
+ *
+ * 3. Stateful sessions use "X-sap-adt-sessiontype: stateful" header.
+ *    Lock/modify/unlock must use the same session cookies.
+ *    withStatefulSession() ensures session isolation.
+ *    (fr0ster uses AsyncLocalStorage for this — we use a simpler approach
+ *    with an isolated axios instance per session.)
+ *
+ * 4. sap-client and sap-language are added to every request as query params.
+ *    This is an SAP convention, not ADT-specific.
+ */
+import { Agent as HttpAgent } from 'node:http';
+import { Agent as HttpsAgent } from 'node:https';
+import axios from 'axios';
+import { logger } from '../server/logger.js';
+import { AdtApiError, AdtNetworkError } from './errors.js';
+/**
+ * ADT HTTP Client — handles CSRF tokens, sessions, and authentication.
+ *
+ * Not a generic HTTP client: it's purpose-built for SAP ADT REST API conventions.
+ */
+export class AdtHttpClient {
+    csrfToken = '';
+    axios;
+    config;
+    /**
+     * Cookie jar — stores Set-Cookie headers from responses and sends them back.
+     *
+     * SAP ties CSRF tokens to session cookies (SAP_SESSIONID_*).
+     * Without cookie persistence, CSRF-protected requests (POST/PUT/DELETE) fail with 403.
+     * This was the root cause of integration test failures: token was fetched via HEAD,
+     * but the subsequent POST didn't include the session cookie, so SAP rejected it.
+     *
+     * Design: simple Map<name, value> — we don't need full cookie jar semantics
+     * (domain, path, expiry) because all requests go to the same SAP host.
+     */
+    cookieJar = new Map();
+    constructor(config) {
+        this.config = config;
+        const axiosConfig = {
+            baseURL: config.baseUrl,
+            // SAP ADT can be slow — 60s timeout
+            timeout: 60000,
+            // Don't throw on non-2xx (we handle errors ourselves)
+            validateStatus: () => true,
+            headers: {
+                Accept: '*/*',
+            },
+        };
+        // Basic auth
+        if (config.username && config.password) {
+            axiosConfig.auth = {
+                username: config.username,
+                password: config.password,
+            };
+        }
+        // Skip TLS verification (for self-signed SAP certs)
+        if (config.insecure) {
+            axiosConfig.httpsAgent = new HttpsAgent({ rejectUnauthorized: false });
+        }
+        // BTP Connectivity proxy (Cloud Connector)
+        // Routes requests through the BTP connectivity service to reach on-premise SAP.
+        // The Proxy-Authorization header is injected per-request in the request() method.
+        if (config.btpProxy) {
+            axiosConfig.proxy = {
+                host: config.btpProxy.host,
+                port: config.btpProxy.port,
+                protocol: config.btpProxy.protocol,
+            };
+            // Need an HTTP agent for the proxy connection (not HTTPS)
+            axiosConfig.httpAgent = new HttpAgent({ keepAlive: true });
+        }
+        this.axios = axios.create(axiosConfig);
+    }
+    /** GET request */
+    async get(path, headers) {
+        return this.request('GET', path, undefined, undefined, headers);
+    }
+    /** POST request (includes CSRF token) */
+    async post(path, body, contentType, headers) {
+        return this.request('POST', path, body, contentType, headers);
+    }
+    /** PUT request (includes CSRF token) */
+    async put(path, body, contentType, headers) {
+        return this.request('PUT', path, body, contentType, headers);
+    }
+    /** DELETE request (includes CSRF token) */
+    async delete(path, headers) {
+        return this.request('DELETE', path, undefined, undefined, headers);
+    }
+    /**
+     * Execute a function within an isolated stateful session.
+     * Ensures lock/modify/unlock share the same SAP session cookies.
+     *
+     * Creates a new axios instance with stateful session header,
+     * shares CSRF token with the main client.
+     */
+    async withStatefulSession(fn) {
+        const sessionConfig = {
+            ...this.config,
+            sessionType: 'stateful',
+        };
+        const sessionClient = new AdtHttpClient(sessionConfig);
+        // Share CSRF token and cookies so we don't need to re-fetch
+        sessionClient.csrfToken = this.csrfToken;
+        sessionClient.cookieJar = new Map(this.cookieJar);
+        return fn(sessionClient);
+    }
+    /** Core request method */
+    async request(method, path, body, contentType, extraHeaders) {
+        // Auto-fetch CSRF token for modifying requests
+        if (isModifyingMethod(method) && !this.csrfToken) {
+            await this.fetchCsrfToken();
+        }
+        const headers = {
+            ...extraHeaders,
+        };
+        if (isModifyingMethod(method)) {
+            headers['X-CSRF-Token'] = this.csrfToken;
+        }
+        if (this.config.sessionType === 'stateful') {
+            headers['X-sap-adt-sessiontype'] = 'stateful';
+        }
+        if (contentType) {
+            headers['Content-Type'] = contentType;
+        }
+        // Build cookie header from: config cookies + cookie jar (jar takes precedence)
+        const cookieParts = [];
+        if (this.config.cookies) {
+            for (const [k, v] of Object.entries(this.config.cookies)) {
+                cookieParts.push(`${k}=${v}`);
+            }
+        }
+        for (const [k, v] of this.cookieJar) {
+            cookieParts.push(`${k}=${v}`);
+        }
+        if (cookieParts.length > 0) {
+            headers.Cookie = cookieParts.join('; ');
+        }
+        // BTP Connectivity proxy: inject Proxy-Authorization JWT for Cloud Connector tunnel
+        if (this.config.btpProxy) {
+            if (this.config.ppProxyAuth) {
+                // PP Option 1 (not currently used — kept for future compatibility):
+                // The jwt-bearer exchanged token replaces the regular proxy token.
+                headers['Proxy-Authorization'] = this.config.ppProxyAuth;
+            }
+            else {
+                // Regular proxy auth — used for both non-PP and PP Option 2.
+                // For PP Option 2, this is the standard connectivity service token;
+                // the user identity is carried separately in SAP-Connectivity-Authentication.
+                const proxyToken = await this.config.btpProxy.getProxyToken();
+                headers['Proxy-Authorization'] = `Bearer ${proxyToken}`;
+            }
+        }
+        // Principal Propagation via SAP-Connectivity-Authentication header (Option 2).
+        // Contains the ORIGINAL user JWT (not exchanged). The Cloud Connector reads
+        // this header, extracts the user identity (email), generates a short-lived
+        // X.509 certificate (CN=<email>), and injects it as SSL_CLIENT_CERT when
+        // connecting to SAP's HTTPS port. SAP CERTRULE maps the cert to a SAP user.
+        // See: https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/configure-principal-propagation-via-user-exchange-token
+        if (this.config.sapConnectivityAuth && !this.config.ppProxyAuth) {
+            headers['SAP-Connectivity-Authentication'] = this.config.sapConnectivityAuth;
+        }
+        const url = this.buildUrl(path);
+        const httpStart = Date.now();
+        try {
+            const response = await this.axios.request({
+                method,
+                url,
+                data: body,
+                headers,
+            });
+            // Persist any Set-Cookie headers from the response
+            this.storeCookies(response);
+            // Handle CSRF token refresh on 403 (modifying requests only)
+            if (response.status === 403 && isModifyingMethod(method)) {
+                await this.fetchCsrfToken();
+                headers['X-CSRF-Token'] = this.csrfToken;
+                // Update cookie header after CSRF fetch may have set new cookies
+                const updatedCookieParts = [];
+                for (const [k, v] of this.cookieJar) {
+                    updatedCookieParts.push(`${k}=${v}`);
+                }
+                if (updatedCookieParts.length > 0) {
+                    headers.Cookie = updatedCookieParts.join('; ');
+                }
+                const retryResponse = await this.axios.request({
+                    method,
+                    url,
+                    data: body,
+                    headers,
+                });
+                this.storeCookies(retryResponse);
+                const result = this.handleResponse(retryResponse, path);
+                logger.emitAudit({
+                    timestamp: new Date().toISOString(),
+                    level: 'info',
+                    event: 'http_request',
+                    method,
+                    path,
+                    statusCode: retryResponse.status,
+                    durationMs: Date.now() - httpStart,
+                });
+                return result;
+            }
+            // Store CSRF token from response
+            const responseToken = response.headers['x-csrf-token'];
+            if (responseToken && responseToken !== 'Required') {
+                this.csrfToken = responseToken;
+            }
+            const result = this.handleResponse(response, path);
+            logger.emitAudit({
+                timestamp: new Date().toISOString(),
+                level: 'debug',
+                event: 'http_request',
+                method,
+                path,
+                statusCode: response.status,
+                durationMs: Date.now() - httpStart,
+            });
+            return result;
+        }
+        catch (err) {
+            // Log failed HTTP requests
+            const durationMs = Date.now() - httpStart;
+            if (err instanceof AdtApiError) {
+                logger.emitAudit({
+                    timestamp: new Date().toISOString(),
+                    level: 'warn',
+                    event: 'http_request',
+                    method,
+                    path,
+                    statusCode: err.statusCode,
+                    durationMs,
+                    errorBody: err.responseBody?.slice(0, 200),
+                });
+            }
+            if (axios.isAxiosError(err)) {
+                throw new AdtNetworkError(err.message, err);
+            }
+            throw err;
+        }
+    }
+    /** Handle response: throw on error status, return normalized response */
+    handleResponse(response, path) {
+        const body = typeof response.data === 'string' ? response.data : String(response.data ?? '');
+        if (response.status >= 400) {
+            throw new AdtApiError(body.slice(0, 500), response.status, path, body);
+        }
+        // Flatten headers to Record<string, string>
+        const headers = {};
+        for (const [key, value] of Object.entries(response.headers)) {
+            if (typeof value === 'string') {
+                headers[key] = value;
+            }
+        }
+        return {
+            statusCode: response.status,
+            headers,
+            body,
+        };
+    }
+    /**
+     * Fetch CSRF token from SAP.
+     * Uses HEAD /sap/bc/adt/core/discovery for speed.
+     */
+    async fetchCsrfToken() {
+        const url = this.buildUrl('/sap/bc/adt/core/discovery');
+        const headers = {
+            'X-CSRF-Token': 'fetch',
+            Accept: '*/*',
+        };
+        if (this.config.sessionType === 'stateful') {
+            headers['X-sap-adt-sessiontype'] = 'stateful';
+        }
+        // Include existing cookies (config + jar) so session is maintained
+        const cookieParts = [];
+        if (this.config.cookies) {
+            for (const [k, v] of Object.entries(this.config.cookies)) {
+                cookieParts.push(`${k}=${v}`);
+            }
+        }
+        for (const [k, v] of this.cookieJar) {
+            cookieParts.push(`${k}=${v}`);
+        }
+        if (cookieParts.length > 0) {
+            headers.Cookie = cookieParts.join('; ');
+        }
+        try {
+            const response = await this.axios.request({
+                method: 'HEAD',
+                url,
+                headers,
+            });
+            // Store cookies from CSRF response — critical for session correlation
+            this.storeCookies(response);
+            const token = response.headers['x-csrf-token'];
+            if (!token || token === 'Required') {
+                if (response.status === 401) {
+                    throw new AdtApiError('Authentication failed (401): check username/password', 401, '/sap/bc/adt/core/discovery');
+                }
+                if (response.status === 403) {
+                    throw new AdtApiError('Access forbidden (403): check user authorizations', 403, '/sap/bc/adt/core/discovery');
+                }
+                throw new AdtApiError(`No CSRF token in response (HTTP ${response.status})`, response.status, '/sap/bc/adt/core/discovery');
+            }
+            this.csrfToken = token;
+        }
+        catch (err) {
+            if (err instanceof AdtApiError)
+                throw err;
+            if (axios.isAxiosError(err)) {
+                throw new AdtNetworkError(`CSRF token fetch failed: ${err.message}`, err);
+            }
+            throw err;
+        }
+    }
+    /**
+     * Extract and store cookies from a response's Set-Cookie headers.
+     * Only stores the name=value part; ignores path, domain, expiry
+     * since all requests go to the same SAP host.
+     */
+    storeCookies(response) {
+        const setCookieHeaders = response.headers['set-cookie'];
+        if (!setCookieHeaders || !Array.isArray(setCookieHeaders))
+            return;
+        for (const cookie of setCookieHeaders) {
+            // Set-Cookie: name=value; Path=/; HttpOnly; ...
+            const nameValue = cookie.split(';')[0];
+            if (!nameValue)
+                continue;
+            const eqIdx = nameValue.indexOf('=');
+            if (eqIdx <= 0)
+                continue;
+            const name = nameValue.substring(0, eqIdx).trim();
+            const value = nameValue.substring(eqIdx + 1).trim();
+            this.cookieJar.set(name, value);
+        }
+    }
+    /** Build full URL with sap-client and sap-language query params */
+    buildUrl(path) {
+        const base = this.config.baseUrl.replace(/\/$/, '');
+        const normalizedPath = path.startsWith('/') ? path : `/${path}`;
+        const url = new URL(base + normalizedPath);
+        if (this.config.client) {
+            url.searchParams.set('sap-client', this.config.client);
+        }
+        if (this.config.language) {
+            url.searchParams.set('sap-language', this.config.language);
+        }
+        return url.toString();
+    }
+}
+/** HTTP methods that modify server state and require CSRF token */
+function isModifyingMethod(method) {
+    return ['POST', 'PUT', 'DELETE', 'PATCH'].includes(method.toUpperCase());
+}
+//# sourceMappingURL=http.js.map

package/dist/adt/http.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../ts-src/adt/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,WAAW,CAAC;AAC/C,OAAO,EAAE,KAAK,IAAI,UAAU,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,KAA0E,MAAM,OAAO,CAAC;AAC/F,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAE7C,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAoC3D;;;;GAIG;AACH,MAAM,OAAO,aAAa;IAChB,SAAS,GAAG,EAAE,CAAC;IACf,KAAK,CAAgB;IACrB,MAAM,CAAgB;IAC9B;;;;;;;;;;OAUG;IACK,SAAS,GAAwB,IAAI,GAAG,EAAE,CAAC;IAEnD,YAAY,MAAqB;QAC/B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,MAAM,WAAW,GAAuB;YACtC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,oCAAoC;YACpC,OAAO,EAAE,KAAK;YACd,sDAAsD;YACtD,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;YAC1B,OAAO,EAAE;gBACP,MAAM,EAAE,KAAK;aACd;SACF,CAAC;QAEF,aAAa;QACb,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACvC,WAAW,CAAC,IAAI,GAAG;gBACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;aAC1B,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,WAAW,CAAC,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,kBAAkB,EAAE,KAAK,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,2CAA2C;QAC3C,gFAAgF;QAChF,kFAAkF;QAClF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,WAAW,CAAC,KAAK,GAAG;gBAClB,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI;gBAC1B,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,IAAI;gBAC1B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;aACnC,CAAC;YACF,0DAA0D;YAC1D,WAAW,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACzC,CAAC;IAED,kBAAkB;IAClB,KAAK,CAAC,GAAG,CAAC,IAAY,EAAE,OAAgC;QACtD,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAClE,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,IAAI,CACR,IAAY,EACZ,IAAa,EACb,WAAoB,EACpB,OAAgC;QAEhC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;IAED,wCAAwC;IACxC,KAAK,CAAC,GAAG,CAAC,IAAY,EAAE,IAAY,EAAE,WAAoB,EAAE,OAAgC;QAC1F,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAC/D,CAAC;IAED,2CAA2C;IAC3C,KAAK,CAAC,MAAM,CAAC,IAAY,EAAE,OAAgC;QACzD,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IACrE,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CAAI,EAAyC;QACpE,MAAM,aAAa,GAAkB;YACnC,GAAG,IAAI,CAAC,MAAM;YACd,WAAW,EAAE,UAAU;SACxB,CAAC;QACF,MAAM,aAAa,GAAG,IAAI,aAAa,CAAC,aAAa,CAAC,CAAC;QACvD,4DAA4D;QAC5D,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QACzC,aAAa,CAAC,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAClD,OAAO,EAAE,CAAC,aAAa,CAAC,CAAC;IAC3B,CAAC;IAED,0BAA0B;IAClB,KAAK,CAAC,OAAO,CACnB,MAAc,EACd,IAAY,EACZ,IAAa,EACb,WAAoB,EACpB,YAAqC;QAErC,+CAA+C;QAC/C,IAAI,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACjD,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9B,CAAC;QAED,MAAM,OAAO,GAA2B;YACtC,GAAG,YAAY;SAChB,CAAC;QAEF,IAAI,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;QAC3C,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,OAAO,CAAC,uBAAuB,CAAC,GAAG,UAAU,CAAC;QAChD,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,CAAC,cAAc,CAAC,GAAG,WAAW,CAAC;QACxC,CAAC;QAED,+EAA+E;QAC/E,MAAM,WAAW,GAAa,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACpC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;QAED,oFAAoF;QACpF,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBAC5B,oEAAoE;gBACpE,mEAAmE;gBACnE,OAAO,CAAC,qBAAqB,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC3D,CAAC;iBAAM,CAAC;gBACN,6DAA6D;gBAC7D,oEAAoE;gBACpE,8EAA8E;gBAC9E,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;gBAC9D,OAAO,CAAC,qBAAqB,CAAC,GAAG,UAAU,UAAU,EAAE,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,4EAA4E;QAC5E,2EAA2E;QAC3E,yEAAyE;QACzE,4EAA4E;QAC5E,8HAA8H;QAC9H,IAAI,IAAI,CAAC,MAAM,CAAC,mBAAmB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YAChE,OAAO,CAAC,iCAAiC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC;QAC/E,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBACxC,MAAM;gBACN,GAAG;gBACH,IAAI,EAAE,IAAI;gBACV,OAAO;aACR,CAAC,CAAC;YAEH,mDAAmD;YACnD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAE5B,6DAA6D;YAC7D,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzD,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC5B,OAAO,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;gBACzC,iEAAiE;gBACjE,MAAM,kBAAkB,GAAa,EAAE,CAAC;gBACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;oBACpC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACvC,CAAC;gBACD,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAClC,OAAO,CAAC,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjD,CAAC;gBACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;oBAC7C,MAAM;oBACN,GAAG;oBACH,IAAI,EAAE,IAAI;oBACV,OAAO;iBACR,CAAC,CAAC;gBACH,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC;gBACjC,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;gBAExD,MAAM,CAAC,SAAS,CAAC;oBACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,MAAM;oBACb,KAAK,EAAE,cAAc;oBACrB,MAAM;oBACN,IAAI;oBACJ,UAAU,EAAE,aAAa,CAAC,MAAM;oBAChC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;iBACnC,CAAC,CAAC;gBAEH,OAAO,MAAM,CAAC;YAChB,CAAC;YAED,iCAAiC;YACjC,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;YACvD,IAAI,aAAa,IAAI,aAAa,KAAK,UAAU,EAAE,CAAC;gBAClD,IAAI,CAAC,SAAS,GAAG,aAAa,CAAC;YACjC,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YAEnD,MAAM,CAAC,SAAS,CAAC;gBACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,cAAc;gBACrB,MAAM;gBACN,IAAI;gBACJ,UAAU,EAAE,QAAQ,CAAC,MAAM;gBAC3B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;aACnC,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,2BAA2B;YAC3B,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC1C,IAAI,GAAG,YAAY,WAAW,EAAE,CAAC;gBAC/B,MAAM,CAAC,SAAS,CAAC;oBACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,MAAM;oBACb,KAAK,EAAE,cAAc;oBACrB,MAAM;oBACN,IAAI;oBACJ,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,UAAU;oBACV,SAAS,EAAE,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;iBAC3C,CAAC,CAAC;YACL,CAAC;YAED,IAAI,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,eAAe,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAC9C,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,yEAAyE;IACjE,cAAc,CAAC,QAAuB,EAAE,IAAY;QAC1D,MAAM,IAAI,GAAG,OAAO,QAAQ,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QAE7F,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;YAC3B,MAAM,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACzE,CAAC;QAED,4CAA4C;QAC5C,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5D,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACvB,CAAC;QACH,CAAC;QAED,OAAO;YACL,UAAU,EAAE,QAAQ,CAAC,MAAM;YAC3B,OAAO;YACP,IAAI;SACL,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,cAAc;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;QACxD,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,OAAO;YACvB,MAAM,EAAE,KAAK;SACd,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC3C,OAAO,CAAC,uBAAuB,CAAC,GAAG,UAAU,CAAC;QAChD,CAAC;QAED,mEAAmE;QACnE,MAAM,WAAW,GAAa,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACpC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBACxC,MAAM,EAAE,MAAM;gBACd,GAAG;gBACH,OAAO;aACR,CAAC,CAAC;YAEH,sEAAsE;YACtE,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;YAE5B,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;gBACnC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,MAAM,IAAI,WAAW,CACnB,sDAAsD,EACtD,GAAG,EACH,4BAA4B,CAC7B,CAAC;gBACJ,CAAC;gBACD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,MAAM,IAAI,WAAW,CAAC,mDAAmD,EAAE,GAAG,EAAE,4BAA4B,CAAC,CAAC;gBAChH,CAAC;gBACD,MAAM,IAAI,WAAW,CACnB,mCAAmC,QAAQ,CAAC,MAAM,GAAG,EACrD,QAAQ,CAAC,MAAM,EACf,4BAA4B,CAC7B,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,WAAW;gBAAE,MAAM,GAAG,CAAC;YAC1C,IAAI,KAAK,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5B,MAAM,IAAI,eAAe,CAAC,4BAA4B,GAAG,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,CAAC;YAC5E,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,YAAY,CAAC,QAAuB;QAC1C,MAAM,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,gBAAgB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,gBAAgB,CAAC;YAAE,OAAO;QAElE,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,gDAAgD;YAChD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACvC,IAAI,CAAC,SAAS;gBAAE,SAAS;YACzB,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,KAAK,IAAI,CAAC;gBAAE,SAAS;YACzB,MAAM,IAAI,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACpD,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,mEAAmE;IAC3D,QAAQ,CAAC,IAAY;QAC3B,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACpD,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;QAChE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,GAAG,cAAc,CAAC,CAAC;QAE3C,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACvB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACzB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IACxB,CAAC;CACF;AAED,mEAAmE;AACnE,SAAS,iBAAiB,CAAC,MAAc;IACvC,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;AAC3E,CAAC"}

package/dist/adt/safety.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Safety system for ARC-1.
+ *
+ * Gates all operations before they reach SAP. This is the first line of defense
+ * against unintended modifications — it runs before any HTTP call.
+ *
+ * Key design principle: safety checks are declarative and composable.
+ * Each check is independent: readOnly, blockFreeSQL, allowedOps, disallowedOps,
+ * allowedPackages, enableTransports, etc. They combine additively — if ANY
+ * check blocks the operation, it's blocked.
+ *
+ * This matches the Go implementation exactly (pkg/adt/safety.go) to ensure
+ * behavioral parity during migration.
+ */
+/**
+ * Operation type codes.
+ * Single-character codes used in allowedOps/disallowedOps strings.
+ * Example: "RSQ" = allow Read, Search, Query only.
+ */
+export declare const OperationType: {
+    readonly Read: "R";
+    readonly Search: "S";
+    readonly Query: "Q";
+    readonly FreeSQL: "F";
+    readonly Create: "C";
+    readonly Update: "U";
+    readonly Delete: "D";
+    readonly Activate: "A";
+    readonly Test: "T";
+    readonly Lock: "L";
+    readonly Intelligence: "I";
+    readonly Workflow: "W";
+    readonly Transport: "X";
+};
+export type OperationTypeCode = (typeof OperationType)[keyof typeof OperationType];
+export interface SafetyConfig {
+    readOnly: boolean;
+    blockFreeSQL: boolean;
+    allowedOps: string;
+    disallowedOps: string;
+    allowedPackages: string[];
+    dryRun: boolean;
+    enableTransports: boolean;
+    transportReadOnly: boolean;
+    allowedTransports: string[];
+    allowTransportableEdits: boolean;
+}
+/** Safe defaults: read-only, no free SQL, standard ops only */
+export declare function defaultSafetyConfig(): SafetyConfig;
+/** No restrictions — use with caution */
+export declare function unrestrictedSafetyConfig(): SafetyConfig;
+/** Check if an operation type is allowed by the safety config */
+export declare function isOperationAllowed(config: SafetyConfig, op: OperationTypeCode): boolean;
+/** Check operation and throw AdtSafetyError if blocked */
+export declare function checkOperation(config: SafetyConfig, op: OperationTypeCode, opName: string): void;
+/** Check if operations on a given package are allowed */
+export declare function isPackageAllowed(config: SafetyConfig, pkg: string): boolean;
+/** Check package and throw AdtSafetyError if blocked */
+export declare function checkPackage(config: SafetyConfig, pkg: string): void;
+/** Check if operations on a given transport are allowed */
+export declare function isTransportAllowed(config: SafetyConfig, transport: string): boolean;
+/** Check if transport write operations are allowed */
+export declare function isTransportWriteAllowed(config: SafetyConfig): boolean;
+/** Check transport operation and throw AdtSafetyError if blocked */
+export declare function checkTransport(config: SafetyConfig, transport: string, opName: string, isWrite: boolean): void;
+/** Check if editing a transportable object is allowed */
+export declare function checkTransportableEdit(config: SafetyConfig, transport: string, opName: string): void;
+/** Human-readable description of the safety configuration */
+export declare function describeSafety(config: SafetyConfig): string;
+//# sourceMappingURL=safety.d.ts.map

package/dist/adt/safety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safety.d.ts","sourceRoot":"","sources":["../../ts-src/adt/safety.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH;;;;GAIG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;CAchB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,OAAO,aAAa,CAAC,CAAC;AAKnF,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,CAAC;IAClB,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,uBAAuB,EAAE,OAAO,CAAC;CAClC;AAED,+DAA+D;AAC/D,wBAAgB,mBAAmB,IAAI,YAAY,CAalD;AAED,yCAAyC;AACzC,wBAAgB,wBAAwB,IAAI,YAAY,CAavD;AAED,iEAAiE;AACjE,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,iBAAiB,GAAG,OAAO,CAoBvF;AAED,0DAA0D;AAC1D,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAIhG;AAED,yDAAyD;AACzD,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAmB3E;AAED,wDAAwD;AACxD,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAMpE;AAoBD,2DAA2D;AAC3D,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAInF;AAED,sDAAsD;AACtD,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAGrE;AAED,oEAAoE;AACpE,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAsC9G;AAED,yDAAyD;AACzD,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAkBpG;AAED,6DAA6D;AAC7D,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAiB3D"}