arc-1 0.6.10 → 0.7.0

package/dist/handlers/tools.js

@@ -133,7 +133,8 @@ const SAPWRITE_DESC_ONPREM = 'Create or update ABAP source code and DDIC metadat
     'SKTD (Knowledge Transfer Documents, Markdown docs attached to an ABAP object): create requires refObjectType (parent ADT type+subtype, e.g., "DDLS/DF"). A KTD inherits the name of the object it documents — so "name" MUST equal the parent object name (one KTD per object; refObjectName defaults to name and cannot differ). Update takes Markdown in "source"; delete uses the ADT deletion framework (two-step check/delete). Follow creates/updates with SAPActivate(type="SKTD", name="..."). ' +
     'For edit_method: surgically replace a single method body in a CLAS without sending the full class source. ' +
     'Provide just the new method implementation code in "source" — 95% fewer tokens than full-class updates. ' +
-    'For batch_create: create and activate multiple objects in a single call — ideal for RAP stacks (TABL → DDLS → DCLS → BDEF → SRVD). Pass "objects" array with dependency order.';
+    'For batch_create: create and activate multiple objects in a single call — ideal for RAP stacks (TABL → DDLS → DCLS → BDEF → SRVD). Pass "objects" array with dependency order. ' +
+    'For scaffold_rap_handlers: derive missing RAP behavior handler signatures from an interface BDEF and optionally inject declarations plus empty implementation stubs into an existing behavior pool class.';
 const SAPWRITE_DESC_BTP = 'Create or update ABAP source code and DDIC metadata (BTP ABAP Environment). Handles lock/modify/unlock automatically. Supports CLAS, INTF, DDLS, DDLX, BDEF, SRVD, SRVB, SKTD, TABL, DOMA, DTEL, MSAG. ' +
     'Type codes are auto-normalized and case-insensitive (e.g., "CLAS/OC" → "CLAS"). ' +
     'TABL supports custom table source writes via /source/main (define table syntax). ' +
@@ -144,7 +145,8 @@ const SAPWRITE_DESC_BTP = 'Create or update ABAP source code and DDIC metadata (
     'SKTD (Knowledge Transfer Documents, Markdown docs attached to an ABAP object): create requires refObjectType (parent ADT type+subtype, e.g., "DDLS/DF"). A KTD inherits the name of the object it documents — so "name" MUST equal the parent object name (one KTD per object; refObjectName defaults to name and cannot differ). Update takes Markdown in "source"; delete uses the ADT deletion framework (two-step check/delete). Follow creates/updates with SAPActivate(type="SKTD", name="..."). ' +
     'Must use ABAP Cloud language version (no classic statements). Only Z*/Y* namespace allowed on BTP. ' +
     'For edit_method: surgically replace a single method body in a CLAS without sending the full class source. ' +
-    'For batch_create: create and activate multiple objects in a single call — ideal for RAP stacks (TABL → DDLS → DCLS → BDEF → SRVD).';
+    'For batch_create: create and activate multiple objects in a single call — ideal for RAP stacks (TABL → DDLS → DCLS → BDEF → SRVD). ' +
+    'For scaffold_rap_handlers: derive missing RAP behavior handler signatures from an interface BDEF and optionally inject declarations plus empty implementation stubs into an existing behavior pool class.';
 // ─── SAPContext Types ───────────────────────────────────────────────
 const SAPCONTEXT_TYPES_ONPREM = ['CLAS', 'INTF', 'PROG', 'FUNC', 'DDLS'];
 const SAPCONTEXT_TYPES_BTP = ['CLAS', 'INTF', 'DDLS'];
@@ -153,7 +155,7 @@ const SAPCONTEXT_DESC_ONPREM = 'Get compressed dependency context or CDS blast-r
     '- "What breaks if I change <CDS view>?" / "Who consumes <I_*>?" / "Impact analysis on <DDLS>" / "Blast radius" → action="impact"\n' +
     '- "Understand dependencies before editing <object>" / "What does X depend on?" → action="deps" (default)\n' +
     '- "Find all callers of <object>" (cache-warmup required) → action="usages"\n\n' +
-    'action="impact" (CDS blast-radius, DDLS only): ALWAYS use this for CDS change-impact questions. Returns upstream AST dependencies plus downstream where-used results classified into RAP-aware buckets: projectionViews, bdefs, serviceDefinitions, serviceBindings, accessControls (DCLS), metadataExtensions (DDLX), abapConsumers, documentation (SKTD), tables, other. DO NOT replicate this with SAPQuery against DDDDLSRC/ACMDCLSRC/DDLXSRC_SRC/SRVDSRC_SRC — those text scans produce noise (non-dependency matches, package group nodes) that this classifier already filters out. Optional includeIndirect=true widens to transitive consumers.\n\n' +
+    'action="impact" (CDS blast-radius, DDLS only): ALWAYS use this for CDS change-impact questions. Returns upstream AST dependencies plus downstream where-used results classified into RAP-aware buckets: projectionViews, bdefs, serviceDefinitions, serviceBindings, accessControls (DCLS), metadataExtensions (DDLX), abapConsumers, documentation (SKTD), tables, other. Also emits additive sibling-consistency diagnostics (consistencyHints + siblingExtensionAnalysis) when sibling DDLS variants in the same package show asymmetric metadata-extension coverage. DO NOT replicate this with SAPQuery against DDDDLSRC/ACMDCLSRC/DDLXSRC_SRC/SRVDSRC_SRC — those text scans produce noise (non-dependency matches, package group nodes) that this classifier already filters out. Optional includeIndirect=true widens to transitive consumers. Optional siblingCheck=false disables sibling analysis; siblingMaxCandidates controls fan-out (default 4, hard cap 10).\n\n' +
     'action="deps" (default): Returns only the public API contracts (method signatures, interface definitions, type declarations) of all objects that the target depends on — NOT the full source code. The most token-efficient way to understand dependencies. Instead of N separate SAPRead calls returning full source (~200 lines each), returns ONE response with compressed contracts (~15-30 lines each). Typical compression: 7-30x fewer tokens.\n\n' +
     'What deps extracts per dependency:\n' +
     '- Classes: CLASS DEFINITION with PUBLIC SECTION only (methods, types, constants). PROTECTED, PRIVATE and IMPLEMENTATION stripped.\n' +
@@ -170,7 +172,7 @@ const SAPCONTEXT_DESC_BTP = 'Get compressed dependency context or CDS blast-radi
     "Decision rule — pick the action based on the user's question:\n" +
     '- "What breaks if I change <CDS view>?" / "Who consumes <I_*>?" / "Impact analysis on <DDLS>" / "Blast radius" → action="impact"\n' +
     '- "Understand dependencies before editing <object>" / "What does X depend on?" → action="deps" (default)\n\n' +
-    'action="impact" (CDS blast-radius, DDLS only): ALWAYS use this for CDS change-impact questions. Returns upstream AST dependencies plus downstream where-used results classified into RAP-aware buckets: projectionViews, bdefs, serviceDefinitions, serviceBindings, accessControls (DCLS), metadataExtensions (DDLX), abapConsumers, documentation (SKTD), tables, other. DO NOT replicate this with SAPQuery — the classifier already filters noise. Optional includeIndirect=true widens to transitive consumers.\n\n' +
+    'action="impact" (CDS blast-radius, DDLS only): ALWAYS use this for CDS change-impact questions. Returns upstream AST dependencies plus downstream where-used results classified into RAP-aware buckets: projectionViews, bdefs, serviceDefinitions, serviceBindings, accessControls (DCLS), metadataExtensions (DDLX), abapConsumers, documentation (SKTD), tables, other. Also emits additive sibling-consistency diagnostics (consistencyHints + siblingExtensionAnalysis) when sibling DDLS variants in the same package show asymmetric metadata-extension coverage. DO NOT replicate this with SAPQuery — the classifier already filters noise. Optional includeIndirect=true widens to transitive consumers. Optional siblingCheck=false disables sibling analysis; siblingMaxCandidates controls fan-out (default 4, hard cap 10).\n\n' +
     'action="deps" (default): Returns only the public API contracts (method signatures, interface definitions, type declarations) of all objects that the target depends on — NOT the full source code.\n\n' +
     'What deps extracts per dependency:\n' +
     '- Classes: CLASS DEFINITION with PUBLIC SECTION only (methods, types, constants).\n' +
@@ -185,7 +187,7 @@ const SAPQUERY_DESC_ONPREM = 'Execute ABAP SQL queries against SAP tables. Retur
     'Powerful for reverse-engineering: query metadata tables like DD02L (table catalog), DD03L (field catalog), ' +
     'SWOTLV (BOR method implementations), TADIR (object directory), TFDIR (function modules). ' +
     'If a table is not found, similar table names will be suggested automatically. ' +
-    'Note: Uses the ADT freestyle SQL endpoint (same as ADT SQL Console in Eclipse). Supports ABAP SQL syntax including JOINs, but the endpoint parser has known edge cases with complex queries on some system versions (SAP Note 3605050). If a complex query fails, try simplifying — split JOINs into separate single-table SELECTs.\n\n' +
+    'Note: Uses the ADT freestyle SQL endpoint (same family as ADT SQL Console in Eclipse). ABAP SQL language supports JOINs and subqueries, but this endpoint parser can reject valid-looking statements on some backend versions (for example grammar errors, single-SELECT enforcement). If parsing fails, simplify to one SELECT and split multi-table logic into staged single-table queries (SAP Note 3605050).\n\n' +
     'CDS impact analysis: DO NOT query DDDDLSRC, ACMDCLSRC, DDLXSRC_SRC, or SRVDSRC_SRC to find CDS consumers — those text scans produce noise (substring matches, package group nodes, generated patterns). Use SAPContext(action="impact", type="DDLS", name="...") instead — it uses SAP\'s where-used index and returns bucketed, filtered results (projection views, BDEFs, SRVDs, access controls, documentation, ABAP consumers).';
 const SAPQUERY_DESC_BTP = 'Execute ABAP SQL queries (BTP ABAP Environment). Returns structured data with column names and rows. ' +
     'IMPORTANT: On BTP, only custom Z/Y tables and released CDS entities can be queried. ' +
@@ -207,14 +209,14 @@ const SAPTRANSPORT_DESC_ONPREM = 'Manage CTS transport requests (SE09/SE10 equiv
     'get (details with tasks and objects), create (K=Workbench, W=Customizing, T=Transport of Copies), ' +
     'release, delete, reassign (change owner), release_recursive (release tasks first, then parent), ' +
     'check (check if a package requires a transport — provide type, name, package), ' +
-    'history (find transports referencing an object — provide type, name; read-only, works without --enable-transports). ' +
+    'history (find transports referencing an object — provide type, name; read-only, works without SAP_ALLOW_TRANSPORT_WRITES). ' +
     'Transport IDs look like A4HK900123. Status: D=modifiable, R=released.';
 const SAPTRANSPORT_DESC_BTP = 'Manage transport requests (BTP ABAP Environment, SE09/SE10 equivalent). ' +
     'Actions: list (defaults to current user, modifiable transports — both Workbench and Customizing), ' +
     'get (details with tasks and objects), create (K=Workbench, W=Customizing, T=Transport of Copies), ' +
     'release, delete, reassign (change owner), release_recursive (release tasks first, then parent), ' +
     'check (check if a package requires a transport — provide type, name, package), ' +
-    'history (find transports referencing an object — provide type, name; read-only, works without --enable-transports). ' +
+    'history (find transports referencing an object — provide type, name; read-only, works without SAP_ALLOW_TRANSPORT_WRITES). ' +
     'On BTP, transport release triggers a gCTS push to the software component Git repository. ' +
     'Import into target systems is done via the Manage Software Components app or Cloud Transport Management Service (cTMS), not via this tool.';
 // ─── SAPManage ──────────────────────────────────────────────────────
@@ -223,14 +225,14 @@ const SAPMANAGE_DESC_ONPREM = 'Probe and report SAP system capabilities. Use thi
     'Actions:\n' +
     '- "features": Get cached feature status from last probe (fast, no SAP round-trip). ' +
     'Returns which features are available, their mode (auto/on/off), and when they were last probed.\n' +
-    '- "probe": Re-probe the SAP system now (makes 8 parallel requests, ~1-2s). ' +
+    '- "probe": Re-probe the SAP system now (runs feature probes, auth checks, and ADT discovery refresh). ' +
     'Use this on first use or if you suspect feature availability has changed.\n' +
     '- "cache_stats": Show object cache health and warmup state.\n' +
-    '- "create_package": Create a package (DEVC) via ADT packages API.\n' +
-    '- "delete_package": Delete an existing package.\n' +
     '- "flp_list_catalogs": List FLP business catalogs.\n' +
     '- "flp_list_groups": List FLP groups.\n' +
     '- "flp_list_tiles": List tiles in a catalog (requires "catalogId").\n' +
+    '- "create_package": Create a package (DEVC) via ADT packages API.\n' +
+    '- "delete_package": Delete an existing package.\n' +
     '- "flp_create_catalog": Create a business catalog (requires "domainId", "title").\n' +
     '- "flp_create_group": Create a group (requires "groupId", "title").\n' +
     '- "flp_create_tile": Create a tile in a catalog (requires "catalogId", "tile").\n' +
@@ -243,20 +245,51 @@ const SAPMANAGE_DESC_BTP = 'Probe and report SAP system capabilities (BTP ABAP E
     'Returns feature status and system type. Also handles package (DEVC) lifecycle operations.\n\n' +
     'Actions:\n' +
     '- "features": Get cached feature status from last probe.\n' +
-    '- "probe": Re-probe the SAP system now.\n' +
+    '- "probe": Re-probe the SAP system now (feature probes + discovery refresh).\n' +
     '- "cache_stats": Show object cache health and warmup state.\n' +
     '- "create_package": Create a package (DEVC) via ADT packages API.\n' +
     '- "delete_package": Delete an existing package.\n' +
     '- FLP actions: flp_list_catalogs, flp_list_groups, flp_list_tiles, flp_create_catalog, flp_create_group, flp_create_tile, flp_add_tile_to_group, flp_delete_catalog.\n\n' +
     'Returns JSON with features and systemType="btp". On BTP, RAP/CDS and transports are always available. ' +
     'abapGit, AMDP, UI5/BSP, and FLP customization may not be available depending on the BTP ABAP configuration.';
+const SAPMANAGE_ACTIONS_READ = [
+    'features',
+    'probe',
+    'cache_stats',
+    'flp_list_catalogs',
+    'flp_list_groups',
+    'flp_list_tiles',
+];
+const SAPMANAGE_ACTIONS_WRITE = [
+    'create_package',
+    'delete_package',
+    'change_package',
+    'flp_create_catalog',
+    'flp_create_group',
+    'flp_create_tile',
+    'flp_add_tile_to_group',
+    'flp_delete_catalog',
+];
+const SAPTRANSPORT_ACTIONS_READ = ['list', 'get', 'check', 'history'];
+const SAPTRANSPORT_ACTIONS_WRITE = ['create', 'release', 'delete', 'reassign', 'release_recursive'];
+const SAPGIT_ACTIONS_READ = [
+    'list_repos',
+    'whoami',
+    'config',
+    'branches',
+    'external_info',
+    'history',
+    'objects',
+    'check',
+];
+const SAPGIT_ACTIONS_WRITE = ['stage', 'clone', 'pull', 'push', 'commit', 'switch_branch', 'create_branch', 'unlink'];
 // ─── SAPGit ─────────────────────────────────────────────────────────
 const SAPGIT_DESC_ONPREM = 'Git-based ABAP repository workflows with backend auto-selection: gCTS is preferred when available, otherwise abapGit bridge is used. ' +
     'Actions: list_repos (both), whoami/config/branches/history/objects (gCTS only), external_info/check/stage/push (abapGit only), clone/pull/commit/switch_branch/create_branch/unlink (backend-specific implementation). ' +
-    'Use backend="gcts" or backend="abapgit" to force a backend. Write actions require --enable-git and package allowlist compliance.';
+    'Use backend="gcts" or backend="abapgit" to force a backend. Write actions require SAP_ALLOW_WRITES=true, SAP_ALLOW_GIT_WRITES=true, git scope, and package allowlist compliance.';
 const SAPGIT_DESC_BTP = 'Git-based ABAP repository workflows for BTP ABAP and S/4 systems. Backend auto-selection prefers gCTS and falls back to abapGit bridge when gCTS is unavailable. ' +
     'Actions: list_repos (both), whoami/config/branches/history/objects (gCTS only), external_info/check/stage/push (abapGit only), clone/pull/commit/switch_branch/create_branch/unlink (backend-specific implementation). ' +
-    'Use backend="gcts" or backend="abapgit" to force a backend. Write actions require --enable-git and package allowlist compliance.';
+    'Use backend="gcts" or backend="abapgit" to force a backend. Write actions require SAP_ALLOW_WRITES=true, SAP_ALLOW_GIT_WRITES=true, git scope, and package allowlist compliance.';
 // ─── SAPSearch Builder ─────────────────────────────────────────────
 /** Strip source_code-specific lines from a SAPSearch description when textSearch is unavailable */
 function stripSourceCodeLines(desc) {
@@ -316,7 +349,7 @@ function buildSAPSearchTool(btp, textSearchAvailable) {
 export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures) {
     // Hyperfocused mode: single universal SAP tool (~200 tokens)
     if (config.toolMode === 'hyperfocused') {
-        return [getHyperfocusedToolDefinition(config)];
+        return [getHyperfocusedToolDefinition(config, resolvedFeatures)];
     }
     const btp = isBtpMode(config);
     const tools = [
@@ -365,7 +398,10 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                         description: 'Output format. "text" (default): raw source code. "structured" (CLAS only): JSON with metadata (description, language, category) + decomposed source (main, testclasses, definitions, implementations, macros). Useful when you need to understand class structure or separate test code from production code.',
                     },
                     maxRows: { type: 'number', description: 'For TABLE_CONTENTS: max rows to return (default 100)' },
-                    sqlFilter: { type: 'string', description: 'For TABLE_CONTENTS: SQL WHERE clause filter' },
+                    sqlFilter: {
+                        type: 'string',
+                        description: 'For TABLE_CONTENTS: condition expression only (no WHERE, no SELECT), e.g. "MANDT = \'100\'" or "MATNR LIKE \'Z%\'".',
+                    },
                     objectType: {
                         type: 'string',
                         description: 'For API_STATE and VERSIONS: SAP object type (CLAS, INTF, PROG, FUNC, INCL, DDLS, DCLS, BDEF, SRVD, etc.). For API_STATE: auto-detected from name if omitted. For VERSIONS: required to pick the correct revisions endpoint (e.g., "FUNC" + group for function modules); inferred from CL_/IF_/CX_ name prefixes when possible, defaults to PROG.',
@@ -380,8 +416,8 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
         },
         buildSAPSearchTool(btp, textSearchAvailable),
     ];
-    // Write tools — only registered when not in read-only mode
-    if (!config.readOnly) {
+    // Write tools — only registered when writes are enabled
+    if (config.allowWrites) {
         let sapWriteDesc = btp ? SAPWRITE_DESC_BTP : SAPWRITE_DESC_ONPREM;
         // Append package restriction info so the LLM knows its boundaries
         if (config.allowedPackages.length > 0) {
@@ -396,8 +432,8 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                 properties: {
                     action: {
                         type: 'string',
-                        enum: ['create', 'update', 'delete', 'edit_method', 'batch_create'],
-                        description: 'Write action. edit_method: surgically replace a single method body (requires type=CLAS, method, and source params). batch_create: create and activate multiple objects in sequence (requires objects array)',
+                        enum: ['create', 'update', 'delete', 'edit_method', 'batch_create', 'scaffold_rap_handlers'],
+                        description: 'Write action. edit_method: surgically replace a single method body (requires type=CLAS, method, and source params). batch_create: create and activate multiple objects in sequence (requires objects array). scaffold_rap_handlers: derive missing behavior-pool handler signatures from interface BDEF declarations and optionally inject declarations plus empty implementation stubs.',
                     },
                     type: {
                         type: 'string',
@@ -412,6 +448,18 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                         type: 'string',
                         description: 'For edit_method action: method name to replace (e.g., "get_name", "zif_order~process")',
                     },
+                    bdefName: {
+                        type: 'string',
+                        description: 'For scaffold_rap_handlers action: interface BDEF name used to derive required handler signatures (e.g., ZI_TRAVELREQ). The BDEF is parsed to find every action/determination/validation/authorization that must exist in the behavior pool.',
+                    },
+                    autoApply: {
+                        type: 'boolean',
+                        description: 'For scaffold_rap_handlers: when true, missing METHODS signatures are inserted into matching lhc_* class definitions, empty METHOD stubs are inserted into matching implementation blocks where possible, and the class source is written back under a single lock. When false (default), returns a JSON report of required vs. missing signatures without modifying the class — use this first to preview, then re-run with autoApply=true to commit.',
+                    },
+                    targetAlias: {
+                        type: 'string',
+                        description: 'For scaffold_rap_handlers: optional RAP entity alias filter (e.g., Travel, Segment) to scaffold only one handler class. When omitted, all entities declared in the BDEF are scaffolded. Case-insensitive.',
+                    },
                     description: {
                         type: 'string',
                         description: 'Object description for create action (defaults to name if omitted). Max 60 chars for most types.',
@@ -479,7 +527,15 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                     version: { type: 'string', description: 'SRVB: service version number (default: 0001)' },
                     lintBeforeWrite: {
                         type: 'boolean',
-                        description: 'Override server lint-before-write setting for this call. Set false to skip pre-write lint validation. Lint applies to ABAP types (PROG, CLAS, INTF, FUNC) and CDS views (DDLS). BDEF/SRVD/SRVB/DDLX/TABL are skipped (not supported by offline linter).',
+                        description: 'Override server lint-before-write setting for this call. Set false to skip pre-write lint validation. Lint applies to ABAP types (PROG, CLAS, INTF, FUNC) and CDS views (DDLS). BDEF/SRVD/SRVB/DDLX/TABL are skipped by offline linter; RAP preflight may still catch deterministic issues for those types.',
+                    },
+                    preflightBeforeWrite: {
+                        type: 'boolean',
+                        description: 'Enable/disable deterministic RAP preflight checks for this call (default: true). Useful for TABL/BDEF/DDLX static rules (e.g., curr/quan semantics, invalid BDEF enums, unsupported DDLX annotation scope on on-prem 7.5x).',
+                    },
+                    checkBeforeWrite: {
+                        type: 'boolean',
+                        description: 'Override server check-before-write setting (default off). When true, SAPWrite sends the proposed source to /sap/bc/adt/checkruns with inline <chkrun:content> and appends any error/warning messages to the success response — the write is NOT blocked. Useful for single-file edits to see compile diagnostics without a separate SAPDiagnose call. Off by default because (a) it adds a round-trip per write and (b) intermediate writes during multi-file refactors will legitimately trip dependency errors that resolve once the whole sequence lands. Activation remains the definitive compile check.',
                     },
                     refObjectType: {
                         type: 'string',
@@ -650,7 +706,7 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
         },
     });
     // SAPQuery — only registered when free SQL is allowed
-    if (!config.blockFreeSQL) {
+    if (config.allowFreeSQL) {
         tools.push({
             name: 'SAPQuery',
             description: btp ? SAPQUERY_DESC_BTP : SAPQUERY_DESC_ONPREM,
@@ -709,20 +765,32 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
         name: 'SAPDiagnose',
         description: 'Run diagnostics on ABAP objects and analyze runtime errors.\n\n' +
             'Actions:\n' +
-            '- "syntax": Syntax check an ABAP object. Requires name + type.\n' +
+            '- "syntax": Syntax check an ABAP object. Requires name + type. Optional: version ("active" or "inactive", defaults to active). Optional: source — when supplied, SAP compiles the given content as if it lived at the object\'s URI (pre-write dry-run, nothing is written). Omit source to check what is stored.\n' +
             '- "unittest": Run ABAP unit tests. Requires name + type.\n' +
             '- "atc": Run ATC code quality checks. Requires name + type. Optional: variant.\n' +
             '- "quickfix": Get SAP quick fix proposals for a specific source position. Requires name + type + source + line. Optional: column.\n' +
             '- "apply_quickfix": Apply one quick fix proposal and return text deltas (does not write source). Requires name + type + source + line + proposalUri + proposalUserContent. Optional: column.\n' +
-            '- "dumps": List or read ABAP short dumps (ST22). Without id: lists recent dumps (filter by user, maxResults). With id: returns full dump detail including formatted text, error analysis, source code extract, and call stack.\n' +
+            '- "dumps": List or read ABAP short dumps (ST22). Without id: lists recent dumps (filter by user, maxResults). With id: returns focused chapter sections by default; set includeFullText=true to include the full formatted dump blob. Optional sections=[kap0,kap3,...] to request specific chapter IDs.\n' +
             '- "traces": List or analyze ABAP profiler traces. Without id: lists trace files. With id + analysis: returns trace analysis (hitlist = hot spots, statements = call tree, dbAccesses = database access statistics).\n\n' +
+            '- "system_messages": List SM02 system messages via ADT feed (filter by user, maxResults, from, to).\n' +
+            '- "gateway_errors": List SAP Gateway error log entries (/IWFND/ERROR_LOG, on-prem). For detail mode provide detailUrl (preferred) or id+errorType.\n\n' +
             'Quickfix workflow: run syntax/ATC first to identify issues and line positions, then call quickfix to retrieve SAP-verified proposals, then apply_quickfix to get exact text deltas, and finally write the updated source via SAPWrite.',
         inputSchema: {
             type: 'object',
             properties: {
                 action: {
                     type: 'string',
-                    enum: ['syntax', 'unittest', 'atc', 'dumps', 'traces', 'quickfix', 'apply_quickfix'],
+                    enum: [
+                        'syntax',
+                        'unittest',
+                        'atc',
+                        'dumps',
+                        'traces',
+                        'system_messages',
+                        'gateway_errors',
+                        'quickfix',
+                        'apply_quickfix',
+                    ],
                     description: 'Diagnostic action',
                 },
                 name: { type: 'string', description: 'Object name (for syntax/unittest/atc)' },
@@ -739,6 +807,11 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                     type: 'number',
                     description: 'Source column number for quickfix evaluation (default 0 for quickfix actions).',
                 },
+                version: {
+                    type: 'string',
+                    enum: ['active', 'inactive'],
+                    description: 'Source version for syntax check (default "active"). Use "inactive" to validate pending changes.',
+                },
                 proposalUri: {
                     type: 'string',
                     description: 'Quickfix proposal URI from quickfix action (required for apply_quickfix).',
@@ -752,8 +825,36 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                     type: 'string',
                     description: 'Dump or trace ID (for dumps/traces actions). Omit to list, provide to get details.',
                 },
+                detailUrl: {
+                    type: 'string',
+                    description: 'ADT detail URL for gateway_errors detail mode (preferred over id+errorType). Accepts absolute or /sap/bc/adt/... path.',
+                },
+                errorType: {
+                    type: 'string',
+                    description: 'Gateway error type for gateway_errors detail by id (for example "Frontend Error"). Required when using id without detailUrl.',
+                },
                 user: { type: 'string', description: 'Filter dumps by SAP user (for dumps action)' },
-                maxResults: { type: 'number', description: 'Maximum results to return (for dumps action, default 50)' },
+                from: {
+                    type: 'string',
+                    description: 'Optional lower time boundary for feed-based diagnostics actions (system_messages/gateway_errors).',
+                },
+                to: {
+                    type: 'string',
+                    description: 'Optional upper time boundary for feed-based diagnostics actions (system_messages/gateway_errors).',
+                },
+                maxResults: {
+                    type: 'number',
+                    description: 'Maximum results to return for dumps/system_messages/gateway_errors (default 50, bounded to a safe cap).',
+                },
+                sections: {
+                    type: 'array',
+                    items: { type: 'string' },
+                    description: 'Dump chapter IDs to include for dumps detail mode (for example ["kap0","kap3","kap8"]). Omit to use focused defaults.',
+                },
+                includeFullText: {
+                    type: 'boolean',
+                    description: 'For dumps detail mode only: include full formattedText blob. Default false to reduce token usage.',
+                },
                 analysis: {
                     type: 'string',
                     enum: ['hitlist', 'statements', 'dbAccesses'],
@@ -774,7 +875,7 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                     type: 'string',
                     enum: ['impact', 'deps', 'usages'],
                     description: 'Action:\n' +
-                        '"impact" = CDS blast-radius analysis (DDLS only). USE THIS for any question like "what breaks if I change <view>", "who consumes <I_*>", "impact analysis on <CDS>", "downstream of <view>". Returns upstream AST dependencies + downstream where-used classified into RAP buckets (projectionViews, bdefs, serviceDefinitions, serviceBindings, accessControls, metadataExtensions, abapConsumers, documentation, tables, other). ALWAYS prefer over SAPQuery against DDDDLSRC/ACMDCLSRC/DDLXSRC_SRC/SRVDSRC_SRC (those text-scans produce noise this classifier filters out). Non-DDLS input returns a guardrail error.\n' +
+                        '"impact" = CDS blast-radius analysis (DDLS only). USE THIS for any question like "what breaks if I change <view>", "who consumes <I_*>", "impact analysis on <CDS>", "downstream of <view>". Returns upstream AST dependencies + downstream where-used classified into RAP buckets (projectionViews, bdefs, serviceDefinitions, serviceBindings, accessControls, metadataExtensions, abapConsumers, documentation, tables, other), plus additive sibling-consistency diagnostics (consistencyHints + siblingExtensionAnalysis) when related DDLS siblings show asymmetric DDLX coverage. ALWAYS prefer over SAPQuery against DDDDLSRC/ACMDCLSRC/DDLXSRC_SRC/SRVDSRC_SRC (those text-scans produce noise this classifier filters out). Non-DDLS input returns a guardrail error.\n' +
                         '"deps" (default, can be omitted) = forward dependency context — "what does <object> depend on?". Returns public API contracts of dependencies.\n' +
                         '"usages" = reverse dependency lookup — "who calls <object>?". Requires cache warmup (--cache-warmup). Only "name" is needed. For CDS entities prefer action="impact" instead.',
                 },
@@ -814,129 +915,129 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                     type: 'boolean',
                     description: 'Only for action="impact". Include indirect (transitive) downstream where-used entries. Default false.',
                 },
+                siblingCheck: {
+                    type: 'boolean',
+                    description: 'Only for action="impact". Enable sibling metadata-extension consistency analysis. Default true.',
+                },
+                siblingMaxCandidates: {
+                    type: 'number',
+                    description: 'Only for action="impact". Maximum sibling DDLS candidates to compare. Default 4; hard cap 10.',
+                },
             },
             required: ['name'],
         },
     });
-    // SAPManage — registered when not in read-only mode
-    if (!config.readOnly) {
-        tools.push({
-            name: 'SAPManage',
-            description: btp ? SAPMANAGE_DESC_BTP : SAPMANAGE_DESC_ONPREM,
-            inputSchema: {
-                type: 'object',
-                properties: {
-                    action: {
-                        type: 'string',
-                        enum: [
-                            'features',
-                            'probe',
-                            'cache_stats',
-                            'create_package',
-                            'delete_package',
-                            'change_package',
-                            'flp_list_catalogs',
-                            'flp_list_groups',
-                            'flp_list_tiles',
-                            'flp_create_catalog',
-                            'flp_create_group',
-                            'flp_create_tile',
-                            'flp_add_tile_to_group',
-                            'flp_delete_catalog',
-                        ],
-                        description: 'Action to execute. Includes package lifecycle (create/delete/move) and FLP actions for catalogs/groups/tiles via PAGE_BUILDER_CUST OData service.',
-                    },
-                    name: {
-                        type: 'string',
-                        description: 'Package name (required for create_package and delete_package).',
-                    },
-                    description: {
-                        type: 'string',
-                        description: 'Package description (required for create_package).',
-                    },
-                    superPackage: {
-                        type: 'string',
-                        description: 'Parent package for create_package (defaults to empty root package).',
-                    },
-                    softwareComponent: {
-                        type: 'string',
-                        description: 'Software component for create_package (default: LOCAL).',
-                    },
-                    transportLayer: {
-                        type: 'string',
-                        description: 'Transport layer for create_package (optional; required by some transportable landscapes).',
-                    },
-                    packageType: {
-                        type: 'string',
-                        enum: ['development', 'structure', 'main'],
-                        description: 'Package type for create_package (default: development).',
-                    },
-                    transport: {
-                        type: 'string',
-                        description: 'Optional transport request (corrNr) for create_package, delete_package, or change_package.',
-                    },
-                    objectUri: {
-                        type: 'string',
-                        description: 'ADT URI of the object to move (e.g., /sap/bc/adt/oo/classes/zcl_my_class). If not provided, resolved automatically from objectName + objectType via search.',
-                    },
-                    objectType: {
-                        type: 'string',
-                        description: 'ADT object type (e.g., CLAS/OC, DDLS/DF, PROG/P). Required for change_package.',
-                    },
-                    objectName: {
-                        type: 'string',
-                        description: 'Object name to move (e.g., ZCL_MY_CLASS). Required for change_package.',
-                    },
-                    oldPackage: {
-                        type: 'string',
-                        description: 'Current package of the object. Required for change_package.',
-                    },
-                    newPackage: {
-                        type: 'string',
-                        description: 'Target package to move the object to. Required for change_package.',
-                    },
-                    catalogId: {
-                        type: 'string',
-                        description: 'FLP catalog identifier — accepts either full ID (X-SAP-UI2-CATALOGPAGE:MY_CAT) or domain ID (MY_CAT). Required for flp_list_tiles, flp_create_tile, flp_add_tile_to_group, flp_delete_catalog.',
-                    },
-                    groupId: {
-                        type: 'string',
-                        description: 'FLP group/page identifier (required for flp_create_group, flp_add_tile_to_group).',
-                    },
-                    title: {
-                        type: 'string',
-                        description: 'Title for FLP catalog/group creation.',
-                    },
-                    domainId: {
-                        type: 'string',
-                        description: 'Domain ID for FLP catalog creation (e.g., ZARC1_SALES).',
-                    },
-                    tileInstanceId: {
-                        type: 'string',
-                        description: 'Tile instance ID in the source catalog (required for flp_add_tile_to_group).',
-                    },
-                    tile: {
-                        type: 'object',
-                        description: 'Tile definition for flp_create_tile.',
-                        properties: {
-                            id: { type: 'string', description: 'Tile ID (client-side logical id).' },
-                            title: { type: 'string', description: 'Display title.' },
-                            icon: { type: 'string', description: 'Optional icon URI.' },
-                            semanticObject: { type: 'string', description: 'Semantic object for intent navigation.' },
-                            semanticAction: { type: 'string', description: 'Semantic action for intent navigation.' },
-                            url: { type: 'string', description: 'Optional target URL.' },
-                            subtitle: { type: 'string', description: 'Optional subtitle text.' },
-                            info: { type: 'string', description: 'Optional info text.' },
-                        },
-                        required: ['id', 'title', 'semanticObject', 'semanticAction'],
-                    },
+    // SAPManage — always registered; mutating actions remain safety/scope-protected.
+    const sapManageActions = config.allowWrites
+        ? [...SAPMANAGE_ACTIONS_READ, ...SAPMANAGE_ACTIONS_WRITE]
+        : SAPMANAGE_ACTIONS_READ;
+    tools.push({
+        name: 'SAPManage',
+        description: btp ? SAPMANAGE_DESC_BTP : SAPMANAGE_DESC_ONPREM,
+        inputSchema: {
+            type: 'object',
+            properties: {
+                action: {
+                    type: 'string',
+                    enum: sapManageActions,
+                    description: 'Action to execute. Read actions: features, probe, cache_stats, flp_list_catalogs, flp_list_groups, flp_list_tiles. ' +
+                        'Mutating package/FLP actions require writable safety config and write scope in authenticated mode.',
+                },
+                name: {
+                    type: 'string',
+                    description: 'Package name (required for create_package and delete_package).',
+                },
+                description: {
+                    type: 'string',
+                    description: 'Package description (required for create_package).',
+                },
+                superPackage: {
+                    type: 'string',
+                    description: 'Parent package for create_package (defaults to empty root package).',
+                },
+                softwareComponent: {
+                    type: 'string',
+                    description: 'Software component for create_package (default: LOCAL).',
+                },
+                transportLayer: {
+                    type: 'string',
+                    description: 'Transport layer for create_package (optional; required by some transportable landscapes).',
+                },
+                packageType: {
+                    type: 'string',
+                    enum: ['development', 'structure', 'main'],
+                    description: 'Package type for create_package (default: development).',
+                },
+                transport: {
+                    type: 'string',
+                    description: 'Optional transport request (corrNr) for create_package, delete_package, or change_package.',
+                },
+                objectUri: {
+                    type: 'string',
+                    description: 'ADT URI of the object to move (e.g., /sap/bc/adt/oo/classes/zcl_my_class). If not provided, resolved automatically from objectName + objectType via search.',
+                },
+                objectType: {
+                    type: 'string',
+                    description: 'ADT object type (e.g., CLAS/OC, DDLS/DF, PROG/P). Required for change_package.',
+                },
+                objectName: {
+                    type: 'string',
+                    description: 'Object name to move (e.g., ZCL_MY_CLASS). Required for change_package.',
+                },
+                oldPackage: {
+                    type: 'string',
+                    description: 'Current package of the object. Required for change_package.',
+                },
+                newPackage: {
+                    type: 'string',
+                    description: 'Target package to move the object to. Required for change_package.',
+                },
+                catalogId: {
+                    type: 'string',
+                    description: 'FLP catalog identifier — accepts either full ID (X-SAP-UI2-CATALOGPAGE:MY_CAT) or domain ID (MY_CAT). Required for flp_list_tiles, flp_create_tile, flp_add_tile_to_group, flp_delete_catalog.',
+                },
+                groupId: {
+                    type: 'string',
+                    description: 'FLP group/page identifier (required for flp_create_group, flp_add_tile_to_group).',
+                },
+                title: {
+                    type: 'string',
+                    description: 'Title for FLP catalog/group creation.',
+                },
+                domainId: {
+                    type: 'string',
+                    description: 'Domain ID for FLP catalog creation (e.g., ZARC1_SALES).',
+                },
+                tileInstanceId: {
+                    type: 'string',
+                    description: 'Tile instance ID in the source catalog (required for flp_add_tile_to_group).',
+                },
+                tile: {
+                    type: 'object',
+                    description: 'Tile definition for flp_create_tile.',
+                    properties: {
+                        id: { type: 'string', description: 'Tile ID (client-side logical id).' },
+                        title: { type: 'string', description: 'Display title.' },
+                        icon: { type: 'string', description: 'Optional icon URI.' },
+                        semanticObject: { type: 'string', description: 'Semantic object for intent navigation.' },
+                        semanticAction: { type: 'string', description: 'Semantic action for intent navigation.' },
+                        url: { type: 'string', description: 'Optional target URL.' },
+                        subtitle: { type: 'string', description: 'Optional subtitle text.' },
+                        info: { type: 'string', description: 'Optional info text.' },
+                    },
+                    required: ['id', 'title', 'semanticObject', 'semanticAction'],
                 },
-                required: ['action'],
             },
-        });
-    }
-    // Transport tools — registered when transports are explicitly enabled
-    if (config.enableTransports) {
+            required: ['action'],
+        },
+    });
+    // Transport tools — always registered when the feature is available.
+    // Read actions (list/get/check/history) work with read scope.
+    // Write actions (create/release/delete/...) require 'transports' scope + allowTransportWrites=true.
+    if (config.featureTransport !== 'off') {
+        const sapTransportActions = config.allowWrites && config.allowTransportWrites
+            ? [...SAPTRANSPORT_ACTIONS_READ, ...SAPTRANSPORT_ACTIONS_WRITE]
+            : SAPTRANSPORT_ACTIONS_READ;
         tools.push({
             name: 'SAPTransport',
             description: btp ? SAPTRANSPORT_DESC_BTP : SAPTRANSPORT_DESC_ONPREM,
@@ -945,7 +1046,7 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                 properties: {
                     action: {
                         type: 'string',
-                        enum: ['list', 'get', 'create', 'release', 'delete', 'reassign', 'release_recursive', 'check', 'history'],
+                        enum: sapTransportActions,
                         description: 'list: show transports (defaults to current user, modifiable only). ' +
                             'get: fetch transport details including tasks and objects. ' +
                             'create: create a new transport request. ' +
@@ -954,7 +1055,7 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                             'reassign: change transport owner (use recursive=true for tasks too). ' +
                             'release_recursive: release all unreleased tasks first, then the transport itself. ' +
                             'check: check if a transport is needed for a package/object (requires type, name, package). ' +
-                            'history: list transports referencing an object (reverse lookup; requires type, name; works without --enable-transports).',
+                            'history: list transports referencing an object (reverse lookup; requires type, name; works without SAP_ALLOW_TRANSPORT_WRITES).',
                     },
                     id: {
                         type: 'string',
@@ -987,6 +1088,9 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
     }
     // SAPGit — registered only when gCTS or abapGit backend is available
     if (resolvedFeatures?.gcts?.available || resolvedFeatures?.abapGit?.available) {
+        const sapGitActions = config.allowWrites && config.allowGitWrites
+            ? [...SAPGIT_ACTIONS_READ, ...SAPGIT_ACTIONS_WRITE]
+            : SAPGIT_ACTIONS_READ;
         tools.push({
             name: 'SAPGit',
             description: btp ? SAPGIT_DESC_BTP : SAPGIT_DESC_ONPREM,
@@ -995,26 +1099,9 @@ export function getToolDefinitions(config, textSearchAvailable, resolvedFeatures
                 properties: {
                     action: {
                         type: 'string',
-                        enum: [
-                            'list_repos',
-                            'whoami',
-                            'config',
-                            'branches',
-                            'external_info',
-                            'history',
-                            'objects',
-                            'check',
-                            'stage',
-                            'clone',
-                            'pull',
-                            'push',
-                            'commit',
-                            'switch_branch',
-                            'create_branch',
-                            'unlink',
-                        ],
+                        enum: sapGitActions,
                         description: 'Git action. Read: list_repos, whoami, config, branches, external_info, history, objects, check. ' +
-                            'Write (requires --enable-git): clone, pull, push, commit, stage, switch_branch, create_branch, unlink.',
+                            'Write (requires SAP_ALLOW_WRITES=true and SAP_ALLOW_GIT_WRITES=true): clone, pull, push, commit, stage, switch_branch, create_branch, unlink.',
                     },
                     backend: {
                         type: 'string',