arc-1 0.4.3 → 0.5.0

package/dist/handlers/hyperfocused.js.map

@@ -1 +1 @@
-{"version":3,"file":"hyperfocused.js","sourceRoot":"","sources":["../../src/handlers/hyperfocused.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,oDAAoD;AACpD,MAAM,cAAc,GAA2B;IAC7C,IAAI,EAAE,SAAS;IACf,MAAM,EAAE,WAAW;IACnB,KAAK,EAAE,UAAU;IACjB,KAAK,EAAE,UAAU;IACjB,QAAQ,EAAE,aAAa;IACvB,QAAQ,EAAE,aAAa;IACvB,IAAI,EAAE,SAAS;IACf,QAAQ,EAAE,aAAa;IACvB,SAAS,EAAE,cAAc;IACzB,OAAO,EAAE,YAAY;IACrB,MAAM,EAAE,WAAW;CACpB,CAAC;AAEF,uCAAuC;AACvC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;AAC/D,uCAAuC;AACvC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC;AAE7C;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc;IACjD,IAAI,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,OAAO,CAAC;IAC9C,IAAI,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,OAAO,CAAC;IAC9C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc;IACpD,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAA6B;IAMlE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAEjD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,OAAO,EAAE,KAAK,EAAE,oBAAoB,MAAM,qBAAqB,YAAY,EAAE,EAAE,CAAC;IAClF,CAAC;IAED,gEAAgE;IAChE,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,YAAY,GAA4B,EAAE,GAAG,MAAM,EAAE,CAAC;IAE5D,iCAAiC;IACjC,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAE3D,iEAAiE;IACjE,iFAAiF;IACjF,IAAI,CAAC,YAAY,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC1C,YAAY,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IACtC,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,6BAA6B,CAAC,MAAoB;IAChE,MAAM,WAAW,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IAC3F,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACtF,MAAM,UAAU,GAAG,CAAC,GAAG,WAAW,EAAE,GAAG,YAAY,EAAE,GAAG,YAAY,CAAC,CAAC;IAEtE,OAAO;QACL,IAAI,EAAE,KAAK;QACX,WAAW,EACT,+BAA+B;YAC/B,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YACrB,kGAAkG;QACpG,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,UAAU;oBAChB,WAAW,EAAE,sBAAsB;iBACpC;gBACD,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kEAAkE,EAAE;gBACzG,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE;gBACpD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,+DAA+D;oBAC5E,oBAAoB,EAAE,IAAI;iBAC3B;aACF;YACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;SACrB;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"hyperfocused.js","sourceRoot":"","sources":["../../src/handlers/hyperfocused.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,oDAAoD;AACpD,MAAM,cAAc,GAA2B;IAC7C,IAAI,EAAE,SAAS;IACf,MAAM,EAAE,WAAW;IACnB,KAAK,EAAE,UAAU;IACjB,KAAK,EAAE,UAAU;IACjB,QAAQ,EAAE,aAAa;IACvB,QAAQ,EAAE,aAAa;IACvB,IAAI,EAAE,SAAS;IACf,QAAQ,EAAE,aAAa;IACvB,SAAS,EAAE,cAAc;IACzB,OAAO,EAAE,YAAY;IACrB,MAAM,EAAE,WAAW;CACpB,CAAC;AAEF,uCAAuC;AACvC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;AAC5E,qCAAqC;AACrC,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AAEvC;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc;IACjD,IAAI,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,OAAO,CAAC;IAC9C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAc;IACpD,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,IAA6B;IAMlE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,MAAM,CAAC,CAAC;IAEjD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,OAAO,EAAE,KAAK,EAAE,oBAAoB,MAAM,qBAAqB,YAAY,EAAE,EAAE,CAAC;IAClF,CAAC;IAED,gEAAgE;IAChE,MAAM,MAAM,GAAI,IAAI,CAAC,MAAkC,IAAI,EAAE,CAAC;IAC9D,MAAM,YAAY,GAA4B,EAAE,GAAG,MAAM,EAAE,CAAC;IAE5D,iCAAiC;IACjC,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAC3D,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAE3D,iEAAiE;IACjE,iFAAiF;IACjF,IAAI,CAAC,YAAY,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAC1C,YAAY,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IACtC,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,6BAA6B,CAAC,MAAoB;IAChE,MAAM,WAAW,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IAC3F,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC5E,MAAM,YAAY,GAAG,MAAM,CAAC,gBAAgB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACtF,MAAM,UAAU,GAAG,CAAC,GAAG,WAAW,EAAE,GAAG,YAAY,EAAE,GAAG,YAAY,CAAC,CAAC;IAEtE,OAAO;QACL,IAAI,EAAE,KAAK;QACX,WAAW,EACT,+BAA+B;YAC/B,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YACrB,kGAAkG;QACpG,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,UAAU;oBAChB,WAAW,EAAE,sBAAsB;iBACpC;gBACD,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,kEAAkE,EAAE;gBACzG,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE;gBACpD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,+DAA+D;oBAC5E,oBAAoB,EAAE,IAAI;iBAC3B;aACF;YACD,QAAQ,EAAE,CAAC,QAAQ,CAAC;SACrB;KACF,CAAC;AACJ,CAAC"}

package/dist/handlers/intent.d.ts

@@ -34,6 +34,12 @@ export interface ToolResult {
  * A user with `write` scope but `readOnly=true` in config still can't write.
  */
 export declare const TOOL_SCOPES: Record<string, string>;
+/**
+ * Check if authInfo has the required scope, respecting implied scopes:
+ * - `write` implies `read`
+ * - `sql` implies `data`
+ */
+export declare function hasRequiredScope(authInfo: AuthInfo, requiredScope: string): boolean;
 /**
  * Handle an MCP tool call.
  *
@@ -42,9 +48,19 @@ export declare const TOOL_SCOPES: Record<string, string>;
  *   all tools are allowed (backward compatibility).
  * @param server - MCP Server instance for elicitation support.
  */
-export declare function handleToolCall(client: AdtClient, config: ServerConfig, toolName: string, args: Record<string, unknown>, authInfo?: AuthInfo, _server?: Server, cachingLayer?: CachingLayer): Promise<ToolResult>;
+export declare function handleToolCall(client: AdtClient, config: ServerConfig, toolName: string, args: Record<string, unknown>, authInfo?: AuthInfo, _server?: Server, cachingLayer?: CachingLayer, isPerUserClient?: boolean): Promise<ToolResult>;
+/**
+ * Build the type-specific XML body for ADT object creation.
+ *
+ * SAP ADT requires each object type to have its own root XML element.
+ * Using a generic body (e.g. adtcore:objectReferences) returns 400:
+ *   "System expected the element '{http://www.sap.com/adt/programs/programs}abapProgram'"
+ */
+export declare function buildCreateXml(type: string, name: string, pkg: string, description: string): string;
 /** Reset cached features (for testing) */
 export declare function resetCachedFeatures(): void;
 /** Set cached features directly (for testing BTP mode, etc.) */
 export declare function setCachedFeatures(features: ResolvedFeatures | undefined): void;
+/** Get cached features (for tool definition adaptation) */
+export declare function getCachedFeatures(): ResolvedFeatures | undefined;
 //# sourceMappingURL=intent.d.ts.map

package/dist/handlers/intent.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"intent.d.ts","sourceRoot":"","sources":["../../src/handlers/intent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACxE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAuBlD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAc9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAGvD,2BAA2B;AAC3B,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAY9C,CAAC;AAuCF;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,YAAY,EACpB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,QAAQ,CAAC,EAAE,QAAQ,EACnB,OAAO,CAAC,EAAE,MAAM,EAChB,YAAY,CAAC,EAAE,YAAY,GAC1B,OAAO,CAAC,UAAU,CAAC,CA4JrB;AAs9BD,0CAA0C;AAC1C,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C;AAED,gEAAgE;AAChE,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,SAAS,GAAG,IAAI,CAE9E"}
+{"version":3,"file":"intent.d.ts","sourceRoot":"","sources":["../../src/handlers/intent.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gDAAgD,CAAC;AAC/E,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACxE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAuBlD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAc9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAKvD,2BAA2B;AAC3B,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAY9C,CAAC;AAEF;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CASnF;AAuCD;;;;;;;GAOG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,YAAY,EACpB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,QAAQ,CAAC,EAAE,QAAQ,EACnB,OAAO,CAAC,EAAE,MAAM,EAChB,YAAY,CAAC,EAAE,YAAY,EAC3B,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,UAAU,CAAC,CAqLrB;AAyYD;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,CAyGnG;AAkqBD,0CAA0C;AAC1C,wBAAgB,mBAAmB,IAAI,IAAI,CAE1C;AAED,gEAAgE;AAChE,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,SAAS,GAAG,IAAI,CAE9E;AAED,2DAA2D;AAC3D,wBAAgB,iBAAiB,IAAI,gBAAgB,GAAG,SAAS,CAEhE"}

package/dist/handlers/intent.js

@@ -13,8 +13,8 @@ import { findDefinition, findReferences, findWhereUsed, getCompletion, } from '.
 import { createObject, deleteObject, lockObject, safeUpdateSource, unlockObject } from '../adt/crud.js';
 import { activate, activateBatch, runAtcCheck, runUnitTests, syntaxCheck } from '../adt/devtools.js';
 import { getDump, getTraceDbAccesses, getTraceHitlist, getTraceStatements, listDumps, listTraces, } from '../adt/diagnostics.js';
-import { AdtApiError, AdtNetworkError, AdtSafetyError } from '../adt/errors.js';
-import { mapSapReleaseToAbaplintVersion, probeFeatures } from '../adt/features.js';
+import { AdtApiError, AdtNetworkError, AdtSafetyError, isNotFoundError } from '../adt/errors.js';
+import { classifyTextSearchError, mapSapReleaseToAbaplintVersion, probeFeatures } from '../adt/features.js';
 import { isOperationAllowed, OperationType } from '../adt/safety.js';
 import { createTransport, getTransport, listTransports, releaseTransport } from '../adt/transport.js';
 import { extractCdsElements } from '../context/cds-deps.js';
@@ -26,6 +26,8 @@ import { sanitizeArgs } from '../server/audit.js';
 import { generateRequestId, requestContext } from '../server/context.js';
 import { logger } from '../server/logger.js';
 import { expandHyperfocusedArgs, getHyperfocusedScope } from './hyperfocused.js';
+import { getToolSchema } from './schemas.js';
+import { formatZodError } from './zod-errors.js';
 /**
  * Scope required for each tool.
  *
@@ -39,7 +41,7 @@ import { expandHyperfocusedArgs, getHyperfocusedScope } from './hyperfocused.js'
 export const TOOL_SCOPES = {
     SAPRead: 'read',
     SAPSearch: 'read',
-    SAPQuery: 'read',
+    SAPQuery: 'sql',
     SAPNavigate: 'read',
     SAPContext: 'read',
     SAPLint: 'read',
@@ -47,8 +49,24 @@ export const TOOL_SCOPES = {
     SAPWrite: 'write',
     SAPActivate: 'write',
     SAPManage: 'write',
-    SAPTransport: 'admin',
+    SAPTransport: 'write',
 };
+/**
+ * Check if authInfo has the required scope, respecting implied scopes:
+ * - `write` implies `read`
+ * - `sql` implies `data`
+ */
+export function hasRequiredScope(authInfo, requiredScope) {
+    const scopes = authInfo.scopes;
+    if (scopes.includes(requiredScope))
+        return true;
+    // Implied scopes
+    if (requiredScope === 'read' && scopes.includes('write'))
+        return true;
+    if (requiredScope === 'data' && scopes.includes('sql'))
+        return true;
+    return false;
+}
 function textResult(text) {
     return { content: [{ type: 'text', text }] };
 }
@@ -92,7 +110,7 @@ function classifyError(err) {
  *   all tools are allowed (backward compatibility).
  * @param server - MCP Server instance for elicitation support.
  */
-export async function handleToolCall(client, config, toolName, args, authInfo, _server, cachingLayer) {
+export async function handleToolCall(client, config, toolName, args, authInfo, _server, cachingLayer, isPerUserClient) {
     const reqId = generateRequestId();
     const start = Date.now();
     // Build user context for audit logging
@@ -112,7 +130,7 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
     // Scope enforcement — only when authInfo is present (XSUAA/OIDC mode)
     if (authInfo) {
         const requiredScope = TOOL_SCOPES[toolName];
-        if (requiredScope && !authInfo.scopes.includes(requiredScope)) {
+        if (requiredScope && !hasRequiredScope(authInfo, requiredScope)) {
             logger.emitAudit({
                 timestamp: new Date().toISOString(),
                 level: 'warn',
@@ -127,6 +145,29 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
             return errorResult(`Insufficient scope: '${requiredScope}' required for ${toolName}. Your scopes: [${authInfo.scopes.join(', ')}]`);
         }
     }
+    // Validate tool arguments with Zod schema
+    const isBtp = config.systemType === 'btp';
+    // Always use the full search schema for validation — the handler checks text search availability
+    // and returns a proper error message with the probe reason when source_code search is unavailable
+    const schema = getToolSchema(toolName, isBtp);
+    if (schema) {
+        const parsed = schema.safeParse(args);
+        if (!parsed.success) {
+            const validationError = formatZodError(parsed.error, toolName);
+            logger.emitAudit({
+                timestamp: new Date().toISOString(),
+                level: 'warn',
+                event: 'safety_blocked',
+                requestId: reqId,
+                user,
+                clientId,
+                operation: toolName,
+                reason: 'Input validation failed',
+            });
+            return errorResult(validationError);
+        }
+        args = parsed.data;
+    }
     // Run within request context so HTTP-level logs get the requestId
     return requestContext.run({ requestId: reqId, user, tool: toolName }, async () => {
         try {
@@ -163,7 +204,7 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
                     result = await handleSAPContext(client, args, cachingLayer);
                     break;
                 case 'SAPManage':
-                    result = await handleSAPManage(client, config, args, cachingLayer);
+                    result = await handleSAPManage(client, config, args, cachingLayer, isPerUserClient);
                     break;
                 case 'SAP': {
                     // Hyperfocused mode: route to the appropriate handler
@@ -175,13 +216,13 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
                     // Check scope for the delegated action
                     if (authInfo) {
                         const requiredScope = getHyperfocusedScope(String(args.action ?? ''));
-                        if (!authInfo.scopes.includes(requiredScope)) {
+                        if (!hasRequiredScope(authInfo, requiredScope)) {
                             result = errorResult(`Insufficient scope: '${requiredScope}' required for SAP(action="${args.action}"). Your scopes: [${authInfo.scopes.join(', ')}]`);
                             break;
                         }
                     }
                     // Delegate to the real handler (recursive call, but with the mapped tool name)
-                    result = await handleToolCall(client, config, expanded.toolName, expanded.expandedArgs, authInfo, _server, cachingLayer);
+                    result = await handleToolCall(client, config, expanded.toolName, expanded.expandedArgs, authInfo, _server, cachingLayer, isPerUserClient);
                     break;
                 }
                 default:
@@ -336,8 +377,17 @@ async function handleSAPRead(client, args, cachingLayer) {
             return textResult(await cachedGet('BDEF', name, () => client.getBdef(name)));
         case 'SRVD':
             return textResult(await cachedGet('SRVD', name, () => client.getSrvd(name)));
-        case 'DDLX':
-            return textResult(await cachedGet('DDLX', name, () => client.getDdlx(name)));
+        case 'DDLX': {
+            try {
+                return textResult(await cachedGet('DDLX', name, () => client.getDdlx(name)));
+            }
+            catch (err) {
+                if (isNotFoundError(err)) {
+                    return textResult(`No metadata extension (DDLX) found for "${name}". This means no @UI annotations are defined via DDLX for this view. The view may use inline annotations in the DDLS source, or the Fiori app may configure columns via manifest.json / app descriptor.`);
+                }
+                throw err;
+            }
+        }
         case 'SRVB':
             return textResult(await cachedGet('SRVB', name, () => client.getSrvb(name)));
         case 'TABL':
@@ -421,7 +471,9 @@ async function handleSAPRead(client, args, cachingLayer) {
         case 'VARIANTS':
             return textResult(await client.getVariants(name));
         default:
-            return errorResult(`Unknown SAPRead type: ${type}. Supported: PROG, CLAS, INTF, FUNC, FUGR, INCL, DDLS, DDLX, BDEF, SRVD, SRVB, TABL, VIEW, STRU, DOMA, DTEL, TRAN, TABLE_CONTENTS, DEVC, SOBJ, SYSTEM, COMPONENTS, MESSAGES, TEXT_ELEMENTS, VARIANTS`);
+            return errorResult(`Unknown SAPRead type: "${type}". Supported types: PROG, CLAS, INTF, FUNC, FUGR, INCL, DDLS, DDLX, BDEF, SRVD, SRVB, TABL, VIEW, STRU, DOMA, DTEL, TRAN, TABLE_CONTENTS, DEVC, SOBJ, SYSTEM, COMPONENTS, MESSAGES, TEXT_ELEMENTS, VARIANTS. ` +
+                'Tip: Map objectType from SAPSearch results by dropping the slash suffix (e.g., DDLS/DF → type="DDLS", CLAS/OC → type="CLAS", PROG/P → type="PROG"). ' +
+                'Do not pass a URI — use the "type" and "name" parameters instead.');
     }
 }
 async function handleSAPSearch(client, args) {
@@ -429,6 +481,11 @@ async function handleSAPSearch(client, args) {
     const maxResults = Number(args.maxResults ?? 100);
     const searchType = String(args.searchType ?? 'object');
     if (searchType === 'source_code') {
+        // If probe already determined textSearch is unavailable, return the precise reason
+        if (cachedFeatures?.textSearch && !cachedFeatures.textSearch.available) {
+            return errorResult(`Source code search is not available on this SAP system. ${cachedFeatures.textSearch.reason ?? ''}` +
+                `\nUse SAPSearch with searchType="object" to search by object name instead, or use SAPQuery to search metadata tables.`);
+        }
         const objectType = args.objectType;
         const packageName = args.packageName;
         try {
@@ -436,9 +493,13 @@ async function handleSAPSearch(client, args) {
             return textResult(JSON.stringify(results, null, 2));
         }
         catch (err) {
-            if (err instanceof AdtApiError && (err.statusCode === 404 || err.statusCode === 501)) {
-                return errorResult(`Source code search is not available on this SAP system (requires SAP_BASIS ≥ 7.51). ` +
-                    `Use SAPSearch with searchType="object" to search by object name instead, or use SAPQuery to search metadata tables.`);
+            if (err instanceof AdtApiError) {
+                const permanentCodes = [401, 403, 404, 501];
+                if (permanentCodes.includes(err.statusCode)) {
+                    const classified = classifyTextSearchError(err.statusCode);
+                    return errorResult(`Source code search is not available on this SAP system. ${classified.reason ?? ''}` +
+                        `\nUse SAPSearch with searchType="object" to search by object name instead, or use SAPQuery to search metadata tables.`);
+                }
             }
             throw err;
         }
@@ -474,6 +535,10 @@ async function handleSAPQuery(client, args) {
                 }
             }
         }
+        // JOIN-aware error: ADT freestyle SQL parser has known edge cases with JOINs (SAP Note 3605050)
+        if (err instanceof AdtApiError && err.statusCode === 400 && /\bJOIN\b/i.test(sql)) {
+            return errorResult(`${err.message}\n\nMulti-table JOIN query failed. The ADT freestyle SQL endpoint has known parser edge cases with JOINs (SAP Note 3605050). Try splitting into separate single-table queries.`);
+        }
         throw err;
     }
 }
@@ -540,6 +605,129 @@ function buildLintConfigOptions(config, ruleOverrides) {
         ruleOverrides,
     };
 }
+// ─── Object Creation XML ─────────────────────────────────────────────
+/**
+ * Build the type-specific XML body for ADT object creation.
+ *
+ * SAP ADT requires each object type to have its own root XML element.
+ * Using a generic body (e.g. adtcore:objectReferences) returns 400:
+ *   "System expected the element '{http://www.sap.com/adt/programs/programs}abapProgram'"
+ */
+export function buildCreateXml(type, name, pkg, description) {
+    switch (type) {
+        case 'PROG':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<program:abapProgram xmlns:program="http://www.sap.com/adt/programs/programs"
+                     xmlns:adtcore="http://www.sap.com/adt/core"
+                     adtcore:description="${escapeXml(description)}"
+                     adtcore:name="${escapeXml(name)}"
+                     adtcore:type="PROG/P"
+                     adtcore:masterLanguage="EN"
+                     adtcore:masterSystem="H00"
+                     adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</program:abapProgram>`;
+        case 'CLAS':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<class:abapClass xmlns:class="http://www.sap.com/adt/oo/classes"
+                 xmlns:adtcore="http://www.sap.com/adt/core"
+                 adtcore:description="${escapeXml(description)}"
+                 adtcore:name="${escapeXml(name)}"
+                 adtcore:type="CLAS/OC"
+                 adtcore:masterLanguage="EN"
+                 adtcore:masterSystem="H00"
+                 adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</class:abapClass>`;
+        case 'INTF':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<intf:abapInterface xmlns:intf="http://www.sap.com/adt/oo/interfaces"
+                    xmlns:adtcore="http://www.sap.com/adt/core"
+                    adtcore:description="${escapeXml(description)}"
+                    adtcore:name="${escapeXml(name)}"
+                    adtcore:type="INTF/OI"
+                    adtcore:masterLanguage="EN"
+                    adtcore:masterSystem="H00"
+                    adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</intf:abapInterface>`;
+        case 'INCL':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<include:abapInclude xmlns:include="http://www.sap.com/adt/programs/includes"
+                     xmlns:adtcore="http://www.sap.com/adt/core"
+                     adtcore:description="${escapeXml(description)}"
+                     adtcore:name="${escapeXml(name)}"
+                     adtcore:type="PROG/I"
+                     adtcore:masterLanguage="EN"
+                     adtcore:masterSystem="H00"
+                     adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</include:abapInclude>`;
+        case 'DDLS':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<ddl:ddlSource xmlns:ddl="http://www.sap.com/adt/ddic/ddlsources"
+               xmlns:adtcore="http://www.sap.com/adt/core"
+               adtcore:description="${escapeXml(description)}"
+               adtcore:name="${escapeXml(name)}"
+               adtcore:type="DDLS/DF"
+               adtcore:masterLanguage="EN"
+               adtcore:masterSystem="H00"
+               adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</ddl:ddlSource>`;
+        case 'BDEF':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<bdef:behaviorDefinition xmlns:bdef="http://www.sap.com/adt/bo/behaviordefinitions"
+                         xmlns:adtcore="http://www.sap.com/adt/core"
+                         adtcore:description="${escapeXml(description)}"
+                         adtcore:name="${escapeXml(name)}"
+                         adtcore:type="BDEF/BDO"
+                         adtcore:masterLanguage="EN"
+                         adtcore:masterSystem="H00"
+                         adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</bdef:behaviorDefinition>`;
+        case 'SRVD':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<srvd:srvdSource xmlns:srvd="http://www.sap.com/adt/ddic/srvd/sources"
+                 xmlns:adtcore="http://www.sap.com/adt/core"
+                 adtcore:description="${escapeXml(description)}"
+                 adtcore:name="${escapeXml(name)}"
+                 adtcore:type="SRVD/SRV"
+                 adtcore:masterLanguage="EN"
+                 adtcore:masterSystem="H00"
+                 adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</srvd:srvdSource>`;
+        case 'DDLX':
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<ddlx:ddlxSource xmlns:ddlx="http://www.sap.com/adt/ddic/ddlx/sources"
+                 xmlns:adtcore="http://www.sap.com/adt/core"
+                 adtcore:description="${escapeXml(description)}"
+                 adtcore:name="${escapeXml(name)}"
+                 adtcore:type="DDLX/EX"
+                 adtcore:masterLanguage="EN"
+                 adtcore:masterSystem="H00"
+                 adtcore:responsible="DEVELOPER">
+  <adtcore:packageRef adtcore:name="${escapeXml(pkg)}"/>
+</ddlx:ddlxSource>`;
+        default:
+            // Fallback — generic objectReferences using the correct URL for the type
+            return `<?xml version="1.0" encoding="UTF-8"?>
+<adtcore:objectReferences xmlns:adtcore="http://www.sap.com/adt/core">
+  <adtcore:objectReference adtcore:uri="${escapeXml(objectUrlForType(type, name))}" adtcore:type="${escapeXml(type)}" adtcore:name="${escapeXml(name)}" adtcore:packageName="${escapeXml(pkg)}"/>
+</adtcore:objectReferences>`;
+    }
+}
+/** Escape special characters for XML attribute values */
+function escapeXml(s) {
+    return s
+        .replace(/&/g, '&amp;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+}
 // ─── Object URL Mapping ──────────────────────────────────────────────
 /** Map object type + name to the ADT object URL used by CRUD/DevTools/etc. */
 function objectUrlForType(type, name) {
@@ -607,12 +795,26 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
         }
         case 'create': {
             const pkg = String(args.package ?? '$TMP');
-            // Build creation XML body
-            const body = `<?xml version="1.0" encoding="UTF-8"?>
-<adtcore:objectReferences xmlns:adtcore="http://www.sap.com/adt/core">
-  <adtcore:objectReference adtcore:uri="${objectUrl}" adtcore:type="${type}" adtcore:name="${name}" adtcore:packageName="${pkg}"/>
-</adtcore:objectReferences>`;
-            const result = await createObject(client.http, client.safety, objectUrl, body, 'application/xml', transport);
+            const description = String(args.description ?? name);
+            // Build type-specific creation XML body.
+            // SAP ADT requires the root element to match the object type —
+            // a generic objectReferences body returns 400 "System expected the element ...".
+            const body = buildCreateXml(type, name, pkg, description);
+            // Step 1: Create the object (metadata only)
+            const createUrl = objectUrl.replace(/\/[^/]+$/, ''); // parent collection URL
+            const result = await createObject(client.http, client.safety, createUrl, body, 'application/xml', transport);
+            // Step 2: Write source code if provided
+            if (source) {
+                // Pre-write lint validation
+                const lintWarnings = runPreWriteLint(source, type, name, config);
+                if (lintWarnings.blocked) {
+                    return textResult(`Created ${type} ${name} in package ${pkg}, but source was rejected by lint:\n${lintWarnings.result.content[0].text}`);
+                }
+                await safeUpdateSource(client.http, client.safety, objectUrl, srcUrl, source, transport);
+                cachingLayer?.invalidate(type, name);
+                const msg = `Created ${type} ${name} in package ${pkg} and wrote source code.`;
+                return lintWarnings.warnings ? textResult(`${msg}\n\n${lintWarnings.warnings}`) : textResult(msg);
+            }
             return textResult(`Created ${type} ${name} in package ${pkg}.\n${result}`);
         }
         case 'edit_method': {
@@ -1033,7 +1235,7 @@ async function handleSAPContext(client, args, cachingLayer) {
 // ─── SAPManage Handler ────────────────────────────────────────────────
 /** Cached feature status — populated on first probe */
 let cachedFeatures;
-async function handleSAPManage(client, config, args, cachingLayer) {
+async function handleSAPManage(client, config, args, cachingLayer, isPerUserClient) {
     const action = String(args.action ?? '');
     switch (action) {
         case 'features': {
@@ -1063,11 +1265,30 @@ async function handleSAPManage(client, config, args, cachingLayer) {
             featureConfig.amdp = config.featureAmdp;
             featureConfig.ui5 = config.featureUi5;
             featureConfig.transport = config.featureTransport;
-            cachedFeatures = await probeFeatures(client.http, featureConfig, config.systemType);
-            return textResult(JSON.stringify(cachedFeatures, null, 2));
+            const probed = await probeFeatures(client.http, featureConfig, config.systemType);
+            // In PP mode with a per-user client, auth-sensitive results (401/403 on any
+            // feature) must not poison the global cache — another user may have different
+            // authorizations.  Return the per-user result to the caller but keep the global
+            // cache unchanged.  However, when PP is enabled but the request fell back to the
+            // shared/default client (no JWT, missing btpConfig, or non-strict fallback), the
+            // probe ran with the same service-account credentials as the startup probe, so
+            // updating the cache is safe and allows a manual probe to repair a failed startup.
+            // Apply the same auth-failure sanitization as the startup probe: in PP mode,
+            // shared-client 401/403 on textSearch must not hide source_code from users who
+            // might have authorization via per-user clients.
+            if (!isPerUserClient) {
+                if (config.ppEnabled && probed.textSearch && !probed.textSearch.available) {
+                    const reason = probed.textSearch.reason ?? '';
+                    if (reason.includes('authorization') || reason.includes('401') || reason.includes('403')) {
+                        probed.textSearch = undefined;
+                    }
+                }
+                cachedFeatures = probed;
+            }
+            return textResult(JSON.stringify(probed, null, 2));
         }
         default:
-            return errorResult(`Unknown SAPManage action: ${action}. Supported: features, probe`);
+            return errorResult(`Unknown SAPManage action: ${action}. Supported: features, probe, cache_stats`);
     }
 }
 /** Reset cached features (for testing) */
@@ -1078,4 +1299,8 @@ export function resetCachedFeatures() {
 export function setCachedFeatures(features) {
     cachedFeatures = features;
 }
+/** Get cached features (for tool definition adaptation) */
+export function getCachedFeatures() {
+    return cachedFeatures;
+}
 //# sourceMappingURL=intent.js.map