npm - arc-1 - Versions diffs - 0.6.10 → 0.7.0 - Mend

arc-1 0.6.10 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (115) hide show

package/README.md +8 -7
package/bin/arc1-cli.js +10 -0
package/bin/arc1.js +1 -1
package/dist/adt/cds-impact.d.ts +35 -0
package/dist/adt/cds-impact.d.ts.map +1 -1
package/dist/adt/cds-impact.js +71 -0
package/dist/adt/cds-impact.js.map +1 -1
package/dist/adt/client.d.ts +4 -1
package/dist/adt/client.d.ts.map +1 -1
package/dist/adt/client.js +18 -5
package/dist/adt/client.js.map +1 -1
package/dist/adt/crud.d.ts.map +1 -1
package/dist/adt/crud.js +32 -5
package/dist/adt/crud.js.map +1 -1
package/dist/adt/devtools.d.ts +39 -3
package/dist/adt/devtools.d.ts.map +1 -1
package/dist/adt/devtools.js +237 -25
package/dist/adt/devtools.js.map +1 -1
package/dist/adt/diagnostics.d.ts +69 -7
package/dist/adt/diagnostics.d.ts.map +1 -1
package/dist/adt/diagnostics.js +694 -36
package/dist/adt/diagnostics.js.map +1 -1
package/dist/adt/errors.d.ts +14 -1
package/dist/adt/errors.d.ts.map +1 -1
package/dist/adt/errors.js +40 -9
package/dist/adt/errors.js.map +1 -1
package/dist/adt/http.d.ts.map +1 -1
package/dist/adt/http.js +86 -1
package/dist/adt/http.js.map +1 -1
package/dist/adt/rap-handlers.d.ts +165 -0
package/dist/adt/rap-handlers.d.ts.map +1 -0
package/dist/adt/rap-handlers.js +835 -0
package/dist/adt/rap-handlers.js.map +1 -0
package/dist/adt/rap-preflight.d.ts +43 -0
package/dist/adt/rap-preflight.d.ts.map +1 -0
package/dist/adt/rap-preflight.js +405 -0
package/dist/adt/rap-preflight.js.map +1 -0
package/dist/adt/safety.d.ts +60 -36
package/dist/adt/safety.d.ts.map +1 -1
package/dist/adt/safety.js +202 -120
package/dist/adt/safety.js.map +1 -1
package/dist/adt/transport.d.ts +1 -1
package/dist/adt/transport.js +2 -2
package/dist/adt/transport.js.map +1 -1
package/dist/adt/types.d.ts +88 -0
package/dist/adt/types.d.ts.map +1 -1
package/dist/adt/xml-parser.d.ts +13 -1
package/dist/adt/xml-parser.d.ts.map +1 -1
package/dist/adt/xml-parser.js +26 -15
package/dist/adt/xml-parser.js.map +1 -1
package/dist/authz/policy.d.ts +53 -0
package/dist/authz/policy.d.ts.map +1 -0
package/dist/authz/policy.js +199 -0
package/dist/authz/policy.js.map +1 -0
package/dist/cli-args.d.ts +14 -0
package/dist/cli-args.d.ts.map +1 -0
package/dist/cli-args.js +62 -0
package/dist/cli-args.js.map +1 -0
package/dist/cli.d.ts +13 -7
package/dist/cli.d.ts.map +1 -1
package/dist/cli.js +252 -55
package/dist/cli.js.map +1 -1
package/dist/extract-sap-cookies.d.ts +24 -0
package/dist/extract-sap-cookies.d.ts.map +1 -0
package/dist/extract-sap-cookies.js +317 -0
package/dist/extract-sap-cookies.js.map +1 -0
package/dist/handlers/hyperfocused.d.ts +4 -3
package/dist/handlers/hyperfocused.d.ts.map +1 -1
package/dist/handlers/hyperfocused.js +25 -16
package/dist/handlers/hyperfocused.js.map +1 -1
package/dist/handlers/intent.d.ts +4 -12
package/dist/handlers/intent.d.ts.map +1 -1
package/dist/handlers/intent.js +1238 -114
package/dist/handlers/intent.js.map +1 -1
package/dist/handlers/schemas.d.ts +38 -10
package/dist/handlers/schemas.d.ts.map +1 -1
package/dist/handlers/schemas.js +69 -4
package/dist/handlers/schemas.js.map +1 -1
package/dist/handlers/tools.d.ts.map +1 -1
package/dist/handlers/tools.js +251 -164
package/dist/handlers/tools.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +7 -6
package/dist/index.js.map +1 -1
package/dist/server/audit.d.ts +26 -3
package/dist/server/audit.d.ts.map +1 -1
package/dist/server/audit.js.map +1 -1
package/dist/server/config.d.ts +34 -19
package/dist/server/config.d.ts.map +1 -1
package/dist/server/config.js +320 -193
package/dist/server/config.js.map +1 -1
package/dist/server/deny-actions.d.ts +31 -0
package/dist/server/deny-actions.d.ts.map +1 -0
package/dist/server/deny-actions.js +156 -0
package/dist/server/deny-actions.js.map +1 -0
package/dist/server/effective-policy-log.d.ts +27 -0
package/dist/server/effective-policy-log.d.ts.map +1 -0
package/dist/server/effective-policy-log.js +103 -0
package/dist/server/effective-policy-log.js.map +1 -0
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +15 -16
package/dist/server/http.js.map +1 -1
package/dist/server/server.d.ts +37 -3
package/dist/server/server.d.ts.map +1 -1
package/dist/server/server.js +231 -30
package/dist/server/server.js.map +1 -1
package/dist/server/types.d.ts +29 -13
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +10 -11
package/dist/server/types.js.map +1 -1
package/dist/server/xsuaa.d.ts +1 -2
package/dist/server/xsuaa.d.ts.map +1 -1
package/dist/server/xsuaa.js +13 -14
package/dist/server/xsuaa.js.map +1 -1
package/package.json +6 -3

package/dist/adt/safety.d.ts CHANGED Viewed

@@ -4,18 +4,24 @@
  * Gates all operations before they reach SAP. This is the first line of defense
  * against unintended modifications — it runs before any HTTP call.
  *
- * Key design principle: safety checks are declarative and composable.
- * Each check is independent: readOnly, blockFreeSQL, allowedOps, disallowedOps,
- * allowedPackages, enableTransports, etc. They combine additively — if ANY
- * check blocks the operation, it's blocked.
+ * Design (post-authz-refactor-v2):
+ *   - Safety flags are all POSITIVE opt-ins (`allow*=true` to enable a capability).
+ *     Defaults are restrictive. No mix of negations and opt-ins.
+ *   - Every mutation requires the matching server flag AND the user's scope
+ *     (two-gate rule; scope check happens in the handler layer).
+ *   - `allowWrites=false` is a TRUE no-mutation block — it stops object writes,
+ *     transport writes, git writes, and activation (no loopholes).
+ *   - Fine-grained per-action denials are expressed via `denyActions` (parsed
+ *     from `SAP_DENY_ACTIONS`), not via op-code allow/block lists.
  *
- * This matches the Go implementation exactly (pkg/adt/safety.go) to ensure
- * behavioral parity during migration.
+ * Internal only: `OperationType` is the classification used by the safety
+ * engine. It is NOT admin-facing — the env vars `SAP_ALLOWED_OPS` /
+ * `SAP_DISALLOWED_OPS` were removed in v0.7. Admins configure via the `allow*`
+ * flags and `SAP_DENY_ACTIONS`.
  */
 /**
- * Operation type codes.
- * Single-character codes used in allowedOps/disallowedOps strings.
- * Example: "RSQ" = allow Read, Search, Query only.
+ * Operation type codes (internal classification).
+ * NOT admin-facing — the code just uses these as a compact categorical label.
  */
 export declare const OperationType: {
     readonly Read: "R";
@@ -34,48 +40,66 @@ export declare const OperationType: {
 };
 export type OperationTypeCode = (typeof OperationType)[keyof typeof OperationType];
 export interface SafetyConfig {
-    readOnly: boolean;
-    blockFreeSQL: boolean;
-    blockData: boolean;
-    allowedOps: string;
-    disallowedOps: string;
+    allowWrites: boolean;
+    allowDataPreview: boolean;
+    allowFreeSQL: boolean;
+    allowTransportWrites: boolean;
+    allowGitWrites: boolean;
     allowedPackages: string[];
-    dryRun: boolean;
-    enableGit: boolean;
-    enableTransports: boolean;
-    transportReadOnly: boolean;
     allowedTransports: string[];
+    /** Resolved deny-action patterns from SAP_DENY_ACTIONS. Populated at config-parse time. */
+    denyActions: string[];
 }
-/** Safe defaults: read-only, no free SQL, standard ops only */
+/**
+ * Safe defaults — mirrors DEFAULT_CONFIG in src/server/types.ts.
+ * Use this when a test needs the real ship default without re-deriving it.
+ * If you change DEFAULT_CONFIG's safety fields, update this to match.
+ */
 export declare function defaultSafetyConfig(): SafetyConfig;
-/** No restrictions — use with caution */
+/** No restrictions — use with caution. */
 export declare function unrestrictedSafetyConfig(): SafetyConfig;
-/** Check if an operation type is allowed by the safety config */
+/** Check if an operation type is allowed by the safety config. */
 export declare function isOperationAllowed(config: SafetyConfig, op: OperationTypeCode): boolean;
-/** Check operation and throw AdtSafetyError if blocked */
+/** Check operation and throw AdtSafetyError if blocked. */
 export declare function checkOperation(config: SafetyConfig, op: OperationTypeCode, opName: string): void;
-/** Check if operations on a given package are allowed */
+/** Check if operations on a given package are allowed (write-only check). */
 export declare function isPackageAllowed(config: SafetyConfig, pkg: string): boolean;
-/** Check package and throw AdtSafetyError if blocked */
+/** Check package and throw AdtSafetyError if blocked. */
 export declare function checkPackage(config: SafetyConfig, pkg: string): void;
-/** Check transport operation and throw AdtSafetyError if blocked */
+/**
+ * Check transport operation. Writes require `allowWrites && allowTransportWrites`.
+ * Reads are always allowed at this layer (scope check enforces user gating upstream).
+ */
 export declare function checkTransport(config: SafetyConfig, transport: string, opName: string, isWrite: boolean): void;
-/** Check git operation and throw AdtSafetyError if blocked */
-export declare function checkGit(config: SafetyConfig, operation: string): void;
 /**
- * Expand implied scopes: `write` implies `read`, `sql` implies `data`.
- * Returns a new array with implied scopes added.
+ * Check git operation. Writes require `allowWrites && allowGitWrites`.
+ * Reads are always allowed at this layer.
  */
-export declare function expandImpliedScopes(scopes: string[]): string[];
+export declare function checkGit(config: SafetyConfig, operation: string, isWrite?: boolean): void;
 /**
- * Derive a per-user safety config by merging server-level config (ceiling)
- * with JWT scopes. Scopes can only RESTRICT further, never expand beyond
- * what the server config allows.
+ * Derive a per-user effective safety config by merging the server ceiling with
+ * the user's JWT scopes. Scopes can only RESTRICT further, never loosen.
  *
- * Key principle: start with server config, only tighten booleans (false→true).
- * Never loosen (true→false).
+ * Uses the scope expansion rules from src/authz/policy.ts (admin implies all,
+ * write implies read, sql implies data). Callers should pass the already-expanded
+ * scope list for speed; this function re-expands as a safety net.
  */
 export declare function deriveUserSafety(serverConfig: SafetyConfig, scopes: string[]): SafetyConfig;
-/** Human-readable description of the safety configuration */
+/**
+ * Derive a per-user effective safety by intersecting a partial SafetyConfig
+ * (from an API-key profile) with the server ceiling. Tight side wins field-by-field.
+ *
+ * Semantics:
+ *   - Boolean fields: result is `server && profile` (both must be true for capability on).
+ *   - `allowedPackages`:
+ *       * If either side is `[]` (no restriction), use the other.
+ *       * Else intersection by prefix semantics — profile entries covered by the
+ *         server ceiling survive. If none survive, the effective list denies all
+ *         packages/transports (true intersection).
+ *   - `allowedTransports`: same as allowedPackages.
+ *   - `denyActions`: union (both the server and profile denies apply).
+ */
+export declare function deriveUserSafetyFromProfile(serverConfig: SafetyConfig, profileSafety: Partial<SafetyConfig>): SafetyConfig;
+/** Human-readable description of the safety configuration. */
 export declare function describeSafety(config: SafetyConfig): string;
 //# sourceMappingURL=safety.d.ts.map

package/dist/adt/safety.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"safety.d.ts","sourceRoot":"","sources":["../../src/adt/safety.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;GAaG~~;AAIH~~;;;;GAIG~~;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;CAchB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,OAAO,aAAa,CAAC,CAAC;~~AAKnF~~,MAAM,WAAW,YAAY;IAC3B,~~QAAQ~~,EAAE,OAAO,CAAC;~~IAClB~~,~~YAAY~~,EAAE,OAAO,CAAC;~~IACtB~~,~~SAAS~~,EAAE,OAAO,CAAC;~~IACnB~~,~~UAAU~~,EAAE,~~MAAM~~,CAAC;~~IACnB~~,~~aAAa~~,EAAE,~~MAAM~~,CAAC;~~IACtB~~,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,~~MAAM~~,EAAE,~~OAAO~~,~~CAAC;IAChB,SAAS,~~EAAE,~~OAAO,~~CAAC;~~IACnB~~,~~gBAAgB,EAAE,OAAO,CAAC~~;~~IAC1B~~,~~iBAAiB~~,EAAE,~~OAAO,CAAC;IAC3B,iBAAiB,EAAE,~~MAAM,EAAE,CAAC;~~CAC7B~~;AAED~~,+DAA+D~~;~~AAC/D~~,wBAAgB,mBAAmB,IAAI,YAAY,~~CAclD~~;AAED,~~yCAAyC~~;~~AACzC~~,wBAAgB,wBAAwB,IAAI,YAAY,~~CAcvD~~;AAED,~~iEAAiE~~;~~AACjE~~,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,iBAAiB,GAAG,OAAO,~~CAuBvF~~;AAED,~~0DAA0D~~;~~AAC1D~~,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,~~CAIhG~~;~~AAED~~,~~yDAAyD~~;~~AACzD~~,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,~~CAmB3E~~;AAED,~~wDAAwD~~;~~AACxD~~,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAMpE;~~AAoBD,oEAAoE~~;~~AACpE~~,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,~~CAqB9G~~;AAED~~,8DAA8D~~;~~AAC9D~~,wBAAgB,QAAQ,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,~~CAMtE~~;AAED~~;;;GAGG~~;AACH,wBAAgB,~~mBAAmB~~,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,~~MAAM~~,~~EAAE,CAK9D~~;AAED~~;;;;;;;GAOG~~;AACH,wBAAgB,~~gBAAgB~~,~~CAAC~~,YAAY,EAAE,YAAY,~~EAAE~~,~~MAAM~~,EAAE,~~MAAM~~,~~EAAE~~,~~GAAG~~,YAAY,~~CA0B3F~~;AAED,~~6DAA6D~~;~~AAC7D~~,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,~~CAgB3D~~"}
1	+ {"version":3,"file":"safety.d.ts","sourceRoot":"","sources":["../../src/adt/safety.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH;;;GAGG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;CAchB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,OAAO,aAAa,CAAC,CAAC;AAcnF,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,OAAO,CAAC;IACrB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,cAAc,EAAE,OAAO,CAAC;IACxB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,2FAA2F;IAC3F,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,YAAY,CAWlD;AAED,0CAA0C;AAC1C,wBAAgB,wBAAwB,IAAI,YAAY,CAWvD;AAED,kEAAkE;AAClE,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,iBAAiB,GAAG,OAAO,CAgBvF;AAED,2DAA2D;AAC3D,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,EAAE,EAAE,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAMhG;AAYD,6EAA6E;AAC7E,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAoB3E;AAED,yDAAyD;AACzD,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI,CAMpE;AAqBD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAsB9G;AAED;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,UAAO,GAAG,IAAI,CAYtF;AAED;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,YAAY,CA6B3F;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,2BAA2B,CACzC,YAAY,EAAE,YAAY,EAC1B,aAAa,EAAE,OAAO,CAAC,YAAY,CAAC,GACnC,YAAY,CAuCd;AAED,8DAA8D;AAC9D,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAY3D"}

package/dist/adt/safety.js CHANGED Viewed

@@ -4,19 +4,25 @@
  * Gates all operations before they reach SAP. This is the first line of defense
  * against unintended modifications — it runs before any HTTP call.
  *
- * Key design principle: safety checks are declarative and composable.
- * Each check is independent: readOnly, blockFreeSQL, allowedOps, disallowedOps,
- * allowedPackages, enableTransports, etc. They combine additively — if ANY
- * check blocks the operation, it's blocked.
+ * Design (post-authz-refactor-v2):
+ *   - Safety flags are all POSITIVE opt-ins (`allow*=true` to enable a capability).
+ *     Defaults are restrictive. No mix of negations and opt-ins.
+ *   - Every mutation requires the matching server flag AND the user's scope
+ *     (two-gate rule; scope check happens in the handler layer).
+ *   - `allowWrites=false` is a TRUE no-mutation block — it stops object writes,
+ *     transport writes, git writes, and activation (no loopholes).
+ *   - Fine-grained per-action denials are expressed via `denyActions` (parsed
+ *     from `SAP_DENY_ACTIONS`), not via op-code allow/block lists.
  *
- * This matches the Go implementation exactly (pkg/adt/safety.go) to ensure
- * behavioral parity during migration.
+ * Internal only: `OperationType` is the classification used by the safety
+ * engine. It is NOT admin-facing — the env vars `SAP_ALLOWED_OPS` /
+ * `SAP_DISALLOWED_OPS` were removed in v0.7. Admins configure via the `allow*`
+ * flags and `SAP_DENY_ACTIONS`.
  */
 import { AdtSafetyError } from './errors.js';
 /**
- * Operation type codes.
- * Single-character codes used in allowedOps/disallowedOps strings.
- * Example: "RSQ" = allow Read, Search, Query only.
+ * Operation type codes (internal classification).
+ * NOT admin-facing — the code just uses these as a compact categorical label.
  */
 export const OperationType = {
     Read: 'R',
@@ -33,73 +39,85 @@ export const OperationType = {
     Workflow: 'W',
     Transport: 'X',
 };
-/** Write operations that are blocked in read-only mode */
-const WRITE_OPS = 'CDUAW';
-/** Safe defaults: read-only, no free SQL, standard ops only */
+/** Mutating operation types — blocked when `allowWrites=false`. */
+const MUTATING_OPS = 'CDUAWX';
+const DENY_ALL_LIST_ENTRY = '__ARC1_DENY_ALL__';
+function listDeniesAll(list) {
+    return list.includes(DENY_ALL_LIST_ENTRY);
+}
+function displayAllowList(list) {
+    return listDeniesAll(list) ? '[]' : `[${list.join(',')}]`;
+}
+/**
+ * Safe defaults — mirrors DEFAULT_CONFIG in src/server/types.ts.
+ * Use this when a test needs the real ship default without re-deriving it.
+ * If you change DEFAULT_CONFIG's safety fields, update this to match.
+ */
 export function defaultSafetyConfig() {
     return {
-        readOnly: true,
-        blockFreeSQL: true,
-        blockData: true,
-        allowedOps: 'RSQTI',
-        disallowedOps: '',
-        allowedPackages: [],
-        dryRun: false,
-        enableGit: false,
-        enableTransports: false,
-        transportReadOnly: false,
+        allowWrites: false,
+        allowDataPreview: false,
+        allowFreeSQL: false,
+        allowTransportWrites: false,
+        allowGitWrites: false,
+        allowedPackages: ['$TMP'],
         allowedTransports: [],
+        denyActions: [],
     };
 }
-/** No restrictions — use with caution */
+/** No restrictions — use with caution. */
 export function unrestrictedSafetyConfig() {
     return {
-        readOnly: false,
-        blockFreeSQL: false,
-        blockData: false,
-        allowedOps: '',
-        disallowedOps: '',
+        allowWrites: true,
+        allowDataPreview: true,
+        allowFreeSQL: true,
+        allowTransportWrites: true,
+        allowGitWrites: true,
         allowedPackages: [],
-        dryRun: false,
-        enableGit: true,
-        enableTransports: false,
-        transportReadOnly: false,
         allowedTransports: [],
+        denyActions: [],
     };
 }
-/** Check if an operation type is allowed by the safety config */
+/** Check if an operation type is allowed by the safety config. */
 export function isOperationAllowed(config, op) {
-    // DryRun mode allows everything (but doesn't execute)
-    if (config.dryRun)
-        return true;
-    // ReadOnly blocks all write operations
-    if (config.readOnly && WRITE_OPS.includes(op))
-        return false;
-    // BlockFreeSQL specifically blocks free SQL queries
-    if (config.blockFreeSQL && op === OperationType.FreeSQL)
-        return false;
-    // BlockData blocks named table preview queries
-    if (config.blockData && op === OperationType.Query)
+    // Mutating ops (Create/Update/Delete/Activate/Workflow/Transport) require allowWrites
+    if (MUTATING_OPS.includes(op) && !config.allowWrites)
         return false;
-    // Transport operations require explicit opt-in
-    if (op === OperationType.Transport && !config.enableTransports)
+    // Transport mutation has an additional gate
+    if (op === OperationType.Transport && !config.allowTransportWrites)
         return false;
-    // Disallowed ops blacklist (takes precedence over allowed)
-    if (config.disallowedOps?.includes(op))
+    // Table preview
+    if (op === OperationType.Query && !config.allowDataPreview)
         return false;
-    // Allowed ops whitelist (if set, only listed ops are allowed)
-    if (config.allowedOps && !config.allowedOps.includes(op))
+    // Free SQL
+    if (op === OperationType.FreeSQL && !config.allowFreeSQL)
         return false;
+    // All other ops (Read/Search/Intelligence/Test/Lock) are always allowed at this layer.
+    // User-gating happens at the scope layer (ACTION_POLICY + hasRequiredScope).
     return true;
 }
-/** Check operation and throw AdtSafetyError if blocked */
+/** Check operation and throw AdtSafetyError if blocked. */
 export function checkOperation(config, op, opName) {
     if (!isOperationAllowed(config, op)) {
-        throw new AdtSafetyError(`Operation '${opName}' (type ${op}) is blocked by safety configuration`);
+        throw new AdtSafetyError(`Operation '${opName}' (type ${op}) is blocked by safety configuration (${explainOperationBlock(config, op)})`);
     }
 }
-/** Check if operations on a given package are allowed */
+/** Returns a human-readable reason why an operation is blocked. Assumes the op IS blocked. */
+function explainOperationBlock(config, op) {
+    if (MUTATING_OPS.includes(op) && !config.allowWrites)
+        return 'reason: allowWrites=false blocks mutations (C/D/U/A/W/X)';
+    if (op === OperationType.Transport && !config.allowTransportWrites)
+        return 'reason: allowTransportWrites=false';
+    if (op === OperationType.Query && !config.allowDataPreview)
+        return 'reason: allowDataPreview=false';
+    if (op === OperationType.FreeSQL && !config.allowFreeSQL)
+        return 'reason: allowFreeSQL=false';
+    return 'reason: unknown';
+}
+/** Check if operations on a given package are allowed (write-only check). */
 export function isPackageAllowed(config, pkg) {
+    if (listDeniesAll(config.allowedPackages))
+        return false;
     if (config.allowedPackages.length === 0)
         return true;
     const upperPkg = pkg.toUpperCase();
@@ -117,14 +135,16 @@ export function isPackageAllowed(config, pkg) {
     }
     return false;
 }
-/** Check package and throw AdtSafetyError if blocked */
+/** Check package and throw AdtSafetyError if blocked. */
 export function checkPackage(config, pkg) {
     if (!isPackageAllowed(config, pkg)) {
-        throw new AdtSafetyError(`Operations on package '${pkg}' are blocked by safety configuration (allowed: ${JSON.stringify(config.allowedPackages)})`);
+        throw new AdtSafetyError(`Operations on package '${pkg}' are blocked by safety configuration (allowed: ${displayAllowList(config.allowedPackages)})`);
     }
 }
-/** Check if a transport is in the whitelist (helper, doesn't check enableTransports) */
+/** Check if a transport is in the whitelist. */
 function isTransportInWhitelist(config, transport) {
+    if (listDeniesAll(config.allowedTransports))
+        return false;
     if (config.allowedTransports.length === 0)
         return true;
     const upperTransport = transport.toUpperCase();
@@ -140,96 +160,158 @@ function isTransportInWhitelist(config, transport) {
     }
     return false;
 }
-/** Check transport operation and throw AdtSafetyError if blocked */
+/**
+ * Check transport operation. Writes require `allowWrites && allowTransportWrites`.
+ * Reads are always allowed at this layer (scope check enforces user gating upstream).
+ */
 export function checkTransport(config, transport, opName, isWrite) {
-    // Require enableTransports for all transport operations
-    if (!config.enableTransports) {
-        throw new AdtSafetyError(`Transport operation '${opName}' is blocked: transports not enabled (use --enable-transports or SAP_ENABLE_TRANSPORTS=true)`);
-    }
-    // Check write permissions
-    if (isWrite && config.transportReadOnly) {
-        throw new AdtSafetyError(`Transport write operation '${opName}' is blocked: transport read-only mode enabled`);
+    if (isWrite) {
+        if (!config.allowWrites) {
+            throw new AdtSafetyError(`Transport write '${opName}' is blocked: allowWrites=false. Set SAP_ALLOW_WRITES=true to enable writes.`);
+        }
+        if (!config.allowTransportWrites) {
+            throw new AdtSafetyError(`Transport write '${opName}' is blocked: allowTransportWrites=false. Set SAP_ALLOW_TRANSPORT_WRITES=true to enable transport mutations.`);
+        }
     }
-    // Check transport whitelist (applies to both read and write)
+    // Transport whitelist applies to both read and write
     if (transport && transport !== '*' && config.allowedTransports.length > 0) {
         if (!isTransportInWhitelist(config, transport)) {
-            throw new AdtSafetyError(`Operation '${opName}' on transport '${transport}' is blocked by safety configuration (allowed: ${JSON.stringify(config.allowedTransports)})`);
+            throw new AdtSafetyError(`Operation '${opName}' on transport '${transport}' is blocked by safety configuration (allowed: ${displayAllowList(config.allowedTransports)})`);
         }
     }
 }
-/** Check git operation and throw AdtSafetyError if blocked */
-export function checkGit(config, operation) {
-    if (!config.enableGit) {
-        throw new AdtSafetyError(`Git operation "${operation}" is disabled. Set SAP_ENABLE_GIT=true or pass --enable-git to enable.`);
+/**
+ * Check git operation. Writes require `allowWrites && allowGitWrites`.
+ * Reads are always allowed at this layer.
+ */
+export function checkGit(config, operation, isWrite = true) {
+    if (!isWrite)
+        return;
+    if (!config.allowWrites) {
+        throw new AdtSafetyError(`Git write '${operation}' is blocked: allowWrites=false. Set SAP_ALLOW_WRITES=true to enable writes.`);
+    }
+    if (!config.allowGitWrites) {
+        throw new AdtSafetyError(`Git write '${operation}' is blocked: allowGitWrites=false. Set SAP_ALLOW_GIT_WRITES=true to enable git mutations.`);
     }
 }
 /**
- * Expand implied scopes: `write` implies `read`, `sql` implies `data`.
- * Returns a new array with implied scopes added.
+ * Derive a per-user effective safety config by merging the server ceiling with
+ * the user's JWT scopes. Scopes can only RESTRICT further, never loosen.
+ *
+ * Uses the scope expansion rules from src/authz/policy.ts (admin implies all,
+ * write implies read, sql implies data). Callers should pass the already-expanded
+ * scope list for speed; this function re-expands as a safety net.
  */
-export function expandImpliedScopes(scopes) {
+export function deriveUserSafety(serverConfig, scopes) {
+    // Inline the expansion to avoid the circular import with src/authz/policy.ts.
+    // Keep in sync with expandScopes() there.
     const expanded = new Set(scopes);
+    if (expanded.has('admin')) {
+        expanded.add('read');
+        expanded.add('write');
+        expanded.add('data');
+        expanded.add('sql');
+        expanded.add('transports');
+        expanded.add('git');
+    }
     if (expanded.has('write'))
         expanded.add('read');
     if (expanded.has('sql'))
         expanded.add('data');
-    return [...expanded];
+    const effective = {
+        ...serverConfig,
+        allowedPackages: [...serverConfig.allowedPackages],
+        allowedTransports: [...serverConfig.allowedTransports],
+        denyActions: [...serverConfig.denyActions],
+    };
+    if (!expanded.has('write'))
+        effective.allowWrites = false;
+    if (!expanded.has('data'))
+        effective.allowDataPreview = false;
+    if (!expanded.has('sql'))
+        effective.allowFreeSQL = false;
+    if (!expanded.has('transports'))
+        effective.allowTransportWrites = false;
+    if (!expanded.has('git'))
+        effective.allowGitWrites = false;
+    return effective;
 }
 /**
- * Derive a per-user safety config by merging server-level config (ceiling)
- * with JWT scopes. Scopes can only RESTRICT further, never expand beyond
- * what the server config allows.
+ * Derive a per-user effective safety by intersecting a partial SafetyConfig
+ * (from an API-key profile) with the server ceiling. Tight side wins field-by-field.
  *
- * Key principle: start with server config, only tighten booleans (false→true).
- * Never loosen (true→false).
+ * Semantics:
+ *   - Boolean fields: result is `server && profile` (both must be true for capability on).
+ *   - `allowedPackages`:
+ *       * If either side is `[]` (no restriction), use the other.
+ *       * Else intersection by prefix semantics — profile entries covered by the
+ *         server ceiling survive. If none survive, the effective list denies all
+ *         packages/transports (true intersection).
+ *   - `allowedTransports`: same as allowedPackages.
+ *   - `denyActions`: union (both the server and profile denies apply).
  */
-export function deriveUserSafety(serverConfig, scopes) {
+export function deriveUserSafetyFromProfile(serverConfig, profileSafety) {
+    const and = (a, b) => (b === undefined ? a : a && b);
+    const intersectList = (server, profile) => {
+        if (!profile)
+            return [...server];
+        if (server.length === 0 && profile.length === 0)
+            return [];
+        if (server.length === 0)
+            return [...profile];
+        if (profile.length === 0)
+            return [...server];
+        // Profile narrows server: keep profile entries that are covered by server.
+        // "Covered by" means: there exists a server entry equal to the profile entry, or a
+        // server wildcard that matches it.
+        const covers = (serverPat, profilePat) => {
+            const s = serverPat.toUpperCase();
+            const p = profilePat.toUpperCase();
+            if (s === p)
+                return true;
+            if (s.endsWith('*')) {
+                const prefix = s.slice(0, -1);
+                if (p.startsWith(prefix))
+                    return true;
+            }
+            return false;
+        };
+        const narrowed = profile.filter((p) => server.some((s) => covers(s, p)));
+        // True intersection: disjoint constraints mean no package/transport is allowed.
+        // We cannot return [] here because [] means "unrestricted" in SafetyConfig.
+        return narrowed.length > 0 ? narrowed : [DENY_ALL_LIST_ENTRY];
+    };
     const effective = {
-        ...serverConfig,
-        allowedPackages: [...serverConfig.allowedPackages],
-        allowedTransports: [...serverConfig.allowedTransports],
+        allowWrites: and(serverConfig.allowWrites, profileSafety.allowWrites),
+        allowDataPreview: and(serverConfig.allowDataPreview, profileSafety.allowDataPreview),
+        allowFreeSQL: and(serverConfig.allowFreeSQL, profileSafety.allowFreeSQL),
+        allowTransportWrites: and(serverConfig.allowTransportWrites, profileSafety.allowTransportWrites),
+        allowGitWrites: and(serverConfig.allowGitWrites, profileSafety.allowGitWrites),
+        allowedPackages: intersectList(serverConfig.allowedPackages, profileSafety.allowedPackages),
+        allowedTransports: intersectList(serverConfig.allowedTransports, profileSafety.allowedTransports),
+        denyActions: [...new Set([...serverConfig.denyActions, ...(profileSafety.denyActions ?? [])])],
     };
-    const expanded = expandImpliedScopes(scopes);
-    // No write scope → force read-only and disable transports
-    if (!expanded.includes('write')) {
-        effective.readOnly = true;
-        effective.enableGit = false;
-        effective.enableTransports = false;
-    }
-    // No data scope (and no sql, which implies data) → block table preview
-    if (!expanded.includes('data')) {
-        effective.blockData = true;
-    }
-    // No sql scope → block free SQL
-    if (!expanded.includes('sql')) {
-        effective.blockFreeSQL = true;
-    }
     return effective;
 }
-/** Human-readable description of the safety configuration */
+/** Human-readable description of the safety configuration. */
 export function describeSafety(config) {
     const parts = [];
-    if (config.readOnly)
-        parts.push('READ-ONLY');
-    if (config.blockFreeSQL)
-        parts.push('NO-FREE-SQL');
-    if (config.blockData)
-        parts.push('NO-DATA');
-    if (config.dryRun)
-        parts.push('DRY-RUN');
-    if (config.allowedOps)
-        parts.push(`AllowedOps=${config.allowedOps}`);
-    if (config.disallowedOps)
-        parts.push(`DisallowedOps=${config.disallowedOps}`);
+    if (config.allowWrites)
+        parts.push('WRITES');
+    if (config.allowDataPreview)
+        parts.push('DATA-PREVIEW');
+    if (config.allowFreeSQL)
+        parts.push('FREE-SQL');
+    if (config.allowTransportWrites)
+        parts.push('TRANSPORT-WRITES');
+    if (config.allowGitWrites)
+        parts.push('GIT-WRITES');
     if (config.allowedPackages.length > 0)
-        parts.push(`AllowedPackages=[${config.allowedPackages.join(',')}]`);
-    if (config.enableTransports) {
-        parts.push('TRANSPORTS-ENABLED');
-        if (config.transportReadOnly)
-            parts.push('TRANSPORT-READ-ONLY');
-        if (config.allowedTransports.length > 0)
-            parts.push(`AllowedTransports=[${config.allowedTransports.join(',')}]`);
-    }
-    return parts.length === 0 ? 'UNRESTRICTED' : parts.join(', ');
+        parts.push(`Packages=${displayAllowList(config.allowedPackages)}`);
+    if (config.allowedTransports.length > 0)
+        parts.push(`Transports=${displayAllowList(config.allowedTransports)}`);
+    if (config.denyActions.length > 0)
+        parts.push(`DenyActions=${config.denyActions.length}`);
+    return parts.length === 0 ? 'READ-ONLY' : parts.join(', ');
 }
 //# sourceMappingURL=safety.js.map

package/dist/adt/safety.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"safety.js","sourceRoot":"","sources":["../../src/adt/safety.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;GAaG~~;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C~~;;;;GAIG~~;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,IAAI,EAAE,GAAG;IACT,MAAM,EAAE,GAAG;IACX,KAAK,EAAE,GAAG;IACV,OAAO,EAAE,GAAG;IACZ,MAAM,EAAE,GAAG;IACX,MAAM,EAAE,GAAG;IACX,MAAM,EAAE,GAAG;IACX,QAAQ,EAAE,GAAG;IACb,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,YAAY,EAAE,GAAG;IACjB,QAAQ,EAAE,GAAG;IACb,SAAS,EAAE,GAAG;CACN,CAAC;AAIX,~~0DAA0D~~;~~AAC1D~~,MAAM,~~SAAS~~,GAAG,~~OAAO~~,CAAC;~~AAgB1B,+DAA+D;AAC/D~~,MAAM,~~UAAU~~,mBAAmB;~~IACjC~~,~~OAAO~~;~~QACL~~,QAAQ,~~EAAE~~,~~IAAI;QACd~~,~~YAAY~~,~~EAAE~~,~~IAAI~~;~~QAClB~~,SAAS,~~EAAE~~,IAAI;~~QACf~~,UAAU,~~EAAE~~,OAAO;~~QACnB~~,~~aAAa~~,EAAE,EAAE;~~QACjB~~,~~eAAe~~,EAAE,~~EAAE~~;QACnB,~~MAAM~~,EAAE,KAAK;~~QACb~~,~~SAAS~~,EAAE,KAAK;~~QAChB~~,~~gBAAgB~~,EAAE,~~KAAK~~;~~QACvB~~,iBAAiB,EAAE,~~KAAK~~;~~QACxB~~,~~iBAAiB~~,EAAE,EAAE;~~KACtB~~,CAAC;AACJ,CAAC;AAED,~~yCAAyC~~;~~AACzC~~,MAAM,UAAU,wBAAwB;IACtC,OAAO;QACL,~~QAAQ~~,EAAE,~~KAAK~~;~~QACf~~,~~YAAY~~,EAAE,~~KAAK~~;~~QACnB~~,~~SAAS~~,EAAE,~~KAAK~~;~~QAChB~~,~~UAAU~~,EAAE,~~EAAE~~;~~QACd~~,~~aAAa~~,EAAE,~~EAAE~~;~~QACjB~~,eAAe,EAAE,EAAE;QACnB,~~MAAM~~,EAAE,~~KAAK;QACb,SAAS,~~EAAE~~,IAAI~~;~~QACf~~,~~gBAAgB~~,EAAE,~~KAAK;QACvB,iBAAiB,~~EAAE~~,KAAK~~;~~QACxB~~,~~iBAAiB,EAAE,EAAE;KACtB,~~CAAC;AACJ,CAAC;AAED,~~iEAAiE~~;~~AACjE~~,MAAM,UAAU,kBAAkB,CAAC,MAAoB,EAAE,EAAqB;IAC5E,~~sDAAsD~~;~~IACtD~~,IAAI,MAAM,CAAC,~~MAAM~~;QAAE,OAAO,~~IAAI~~,CAAC;~~IAE/B~~,~~uCAAuC~~;~~IACvC~~,IAAI,~~MAAM~~,CAAC,~~QAAQ~~,IAAI,~~SAAS,~~CAAC,~~QAAQ~~,CAAC,~~EAAE,CAAC~~;QAAE,OAAO,KAAK,CAAC;~~IAE5D~~,~~oDAAoD~~;~~IACpD~~,IAAI,~~MAAM~~,CAAC,~~YAAY~~,IAAI,~~EAAE~~,~~KAAK~~,~~aAAa,~~CAAC,~~OAAO~~;QAAE,OAAO,KAAK,CAAC;~~IAEtE,+CAA+C~~;~~IAC/C~~,IAAI,~~MAAM~~,CAAC,~~SAAS~~,IAAI,~~EAAE~~,~~KAAK~~,~~aAAa,~~CAAC,~~KAAK~~;QAAE,OAAO,KAAK,CAAC;~~IAEjE,+CAA+C~~;~~IAC/C~~,IAAI,~~EAAE~~,~~KAAK~~,~~aAAa~~,CAAC,~~SAAS~~,IAAI,CAAC,~~MAAM~~,CAAC,~~gBAAgB;QAAE~~,~~OAAO~~,~~KAAK~~,CAAC~~;IAE7E~~,~~2DAA2D~~;~~IAC3D~~,IAAI,MAAM,CAAC,~~aAAa~~,EAAE,~~QAAQ~~,CAAC,~~EAAE~~,CAAC;~~QAAE~~,~~OAAO~~,~~KAAK,~~CAAC;~~IAErD~~,~~8DAA8D~~;~~IAC9D~~,~~IAAI~~,~~MAAM~~,CAAC,~~UAAU~~,IAAI,CAAC,~~MAAM~~,CAAC,~~UAAU~~,CAAC,~~QAAQ~~,CAAC,~~EAAE~~,CAAC;~~QAAE~~,OAAO,~~KAAK~~,CAAC;~~IAEvE~~,~~OAAO~~,IAAI,CAAC~~;AACd~~,CAAC~~;AAED~~,~~0DAA0D~~;~~AAC1D~~,~~MAAM~~,~~UAAU~~,~~cAAc,~~CAAC,~~MAAoB~~,EAAE,~~EAAqB~~,~~EAAE~~,~~MAAc;IACxF~~,IAAI,CAAC,~~kBAAkB~~,CAAC,~~MAAM~~,~~EAAE~~,~~EAAE~~,CAAC,EAAE,CAAC~~;QACpC~~,~~MAAM~~,IAAI,~~cAAc,~~CAAC,~~cAAc,~~MAAM,~~WAAW~~,~~EAAE~~,~~sCAAsC~~,~~CAAC~~,CAAC;~~IACpG~~,CAAC;~~AACH~~,CAAC;AAED,~~yDAAyD~~;~~AACzD~~,MAAM,UAAU,gBAAgB,CAAC,MAAoB,EAAE,GAAW;IAChE,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAEnC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3C,cAAc;QACd,IAAI,YAAY,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3C,qDAAqD;QACrD,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,~~wDAAwD~~;~~AACxD~~,MAAM,UAAU,YAAY,CAAC,MAAoB,EAAE,GAAW;IAC5D,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,cAAc,CACtB,0BAA0B,GAAG,mDAAmD,~~IAAI~~,CAAC,~~SAAS,CAAC,~~MAAM,CAAC,eAAe,CAAC,GAAG,~~CAC1H~~,CAAC;IACJ,CAAC;AACH,CAAC;AAED,~~wFAAwF~~;~~AACxF~~,SAAS,sBAAsB,CAAC,MAAoB,EAAE,SAAiB;IACrE,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvD,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IAE/C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;QAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,IAAI,YAAY,KAAK,cAAc;YAAE,OAAO,IAAI,CAAC;QACjD,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;QACrD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED~~,oEAAoE~~;~~AACpE~~,MAAM,UAAU,cAAc,CAAC,MAAoB,EAAE,SAAiB,EAAE,MAAc,EAAE,OAAgB;IACtG,~~wDAAwD~~;~~IACxD~~,IAAI,CAAC,MAAM,CAAC,~~gBAAgB~~,EAAE,CAAC;~~QAC7B~~,MAAM,IAAI,cAAc,CACtB,~~wBAAwB~~,MAAM,~~8FAA8F~~,~~CAC7H~~,CAAC;~~IACJ~~,CAAC;~~IAED~~,~~0BAA0B;IAC1B,~~IAAI,~~OAAO~~,~~IAAI,~~MAAM,CAAC,~~iBAAiB~~,EAAE,CAAC;~~QACxC~~,MAAM,IAAI,cAAc,~~CAAC~~,~~8BAA8B~~,MAAM,~~gDAAgD~~,CAAC,CAAC;~~IACjH~~,CAAC;IAED,~~6DAA6D~~;~~IAC7D~~,IAAI,SAAS,IAAI,SAAS,KAAK,GAAG,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,cAAc,CACtB,cAAc,MAAM,mBAAmB,SAAS,kDAAkD,~~IAAI~~,CAAC,~~SAAS,CAAC,~~MAAM,CAAC,iBAAiB,CAAC,GAAG,~~CAC9I~~,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED~~,8DAA8D~~;~~AAC9D~~,MAAM,UAAU,QAAQ,CAAC,MAAoB,EAAE,SAAiB;~~IAC9D~~,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;~~QACtB~~,MAAM,IAAI,cAAc,CACtB,~~kBAAkB~~,SAAS,~~wEAAwE~~,~~CACpG~~,CAAC;IACJ,CAAC;AACH,CAAC;AAED~~;;;GAGG~~;AACH,MAAM,UAAU,~~mBAAmB~~,CAAC,MAAgB;~~IAClD~~,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC;~~QAAE~~,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;~~IAChD~~,~~IAAI,~~QAAQ,CAAC,GAAG,CAAC,~~KAAK~~,CAAC;~~QAAE~~,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;~~IAC9C~~,~~OAAO~~,CAAC,GAAG,QAAQ,CAAC,CAAC;~~AACvB~~,CAAC;~~AAED;;;;;;;GAOG~~;~~AACH~~,MAAM,~~UAAU~~,~~gBAAgB~~,CAAC,~~YAA0B~~,~~EAAE~~,~~MAAgB~~;~~IAC3E~~,MAAM,SAAS,~~GAAG~~;~~QAChB~~,GAAG,YAAY;QACf,eAAe,EAAE,CAAC,GAAG,YAAY,CAAC,eAAe,CAAC;QAClD,iBAAiB,EAAE,CAAC,GAAG,YAAY,CAAC,iBAAiB,CAAC;~~KACvD~~,~~CAAC;IACF~~,~~MAAM~~,~~QAAQ~~,GAAG,~~mBAAmB~~,CAAC,~~MAAM~~,CAAC,CAAC;~~IAE7C~~,~~0DAA0D;IAC1D,~~IAAI,CAAC,QAAQ,CAAC,~~QAAQ~~,CAAC,OAAO,CAAC,~~EAAE~~,CAAC;~~QAChC~~,~~SAAS~~,CAAC,QAAQ,GAAG,~~IAAI~~,CAAC;~~QAC1B~~,SAAS,CAAC,~~SAAS~~,GAAG,KAAK,CAAC;~~QAC5B~~,~~SAAS~~,CAAC,~~gBAAgB~~,GAAG,KAAK,CAAC;~~IACrC~~,CAAC~~;IAED~~,~~uEAAuE~~;~~IACvE~~,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,~~MAAM~~,CAAC,~~EAAE~~,CAAC;~~QAC/B~~,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC;~~IAC7B~~,CAAC;~~IAED~~,~~gCAAgC~~;~~IAChC~~,IAAI,CAAC,~~QAAQ~~,CAAC,~~QAAQ~~,CAAC,KAAK,CAAC,EAAE,CAAC;~~QAC9B~~,~~SAAS~~,CAAC,~~YAAY~~,GAAG,~~IAAI~~,CAAC~~;IAChC~~,CAAC;~~IAED~~,OAAO,~~SAAS~~,CAAC;~~AACnB~~,CAAC;~~AAED~~,~~6DAA6D~~;~~AAC7D~~,MAAM,~~UAAU~~,~~cAAc~~,CAAC,~~MAAoB~~;~~IACjD~~,MAAM,~~KAAK~~,~~GAAa~~,EAAE,CAAC;~~IAE3B~~,~~IAAI,~~MAAM,CAAC,~~QAAQ~~;~~QAAE~~,KAAK,CAAC,IAAI,CAAC,~~WAAW~~,CAAC,CAAC;~~IAC7C~~,~~IAAI~~,MAAM,CAAC,~~YAAY;QAAE~~,KAAK,CAAC,~~IAAI~~,CAAC,~~aAAa~~,CAAC,CAAC;~~IACnD~~,IAAI,MAAM,CAAC,~~SAAS~~;~~QAAE~~,KAAK,CAAC,IAAI,CAAC,~~SAAS~~,CAAC,CAAC;~~IAC5C~~,~~IAAI~~,MAAM,CAAC,MAAM;~~QAAE~~,~~KAAK~~,CAAC,~~IAAI~~,CAAC,~~SAAS~~,CAAC,CAAC;~~IACzC~~,~~IAAI~~,~~MAAM~~,CAAC,~~UAAU~~;~~QAAE~~,~~KAAK~~,CAAC,~~IAAI~~,CAAC,cAAc,~~MAAM~~,CAAC,~~UAAU~~,EAAE,CAAC,CAAC;~~IACrE~~,~~IAAI~~,~~MAAM~~,CAAC,aAAa;~~QAAE~~,~~KAAK~~,CAAC,~~IAAI~~,CAAC,iBAAiB,~~MAAM~~,CAAC,aAAa,EAAE,CAAC,CAAC;~~IAC9E~~,~~IAAI~~,~~MAAM~~,CAAC,~~eAAe~~,CAAC,MAAM,~~GAAG~~,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,~~oBAAoB~~,MAAM,CAAC,~~eAAe~~,CAAC,IAAI,CAAC,~~GAAG~~,CAAC,~~GAAG~~,CAAC,CAAC;~~IAC3G~~,IAAI,MAAM,CAAC,~~gBAAgB~~,~~EAAE~~,CAAC;~~QAC5B~~,KAAK,CAAC,IAAI,CAAC,~~oBAAoB~~,CAAC,CAAC;~~QACjC~~,IAAI,MAAM,CAAC,~~iBAAiB~~;~~YAAE~~,KAAK,CAAC,IAAI,CAAC,~~qBAAqB~~,CAAC,CAAC;~~QAChE~~,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC;~~YAAE~~,KAAK,CAAC,IAAI,CAAC,~~sBAAsB~~,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,~~GAAG~~,CAAC,GAAG,CAAC,CAAC~~;IACnH~~,CAAC;~~IACD~~,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,~~cAAc~~,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;~~AAChE~~,CAAC"}
1	+ {"version":3,"file":"safety.js","sourceRoot":"","sources":["../../src/adt/safety.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C;;;GAGG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,IAAI,EAAE,GAAG;IACT,MAAM,EAAE,GAAG;IACX,KAAK,EAAE,GAAG;IACV,OAAO,EAAE,GAAG;IACZ,MAAM,EAAE,GAAG;IACX,MAAM,EAAE,GAAG;IACX,MAAM,EAAE,GAAG;IACX,QAAQ,EAAE,GAAG;IACb,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,YAAY,EAAE,GAAG;IACjB,QAAQ,EAAE,GAAG;IACb,SAAS,EAAE,GAAG;CACN,CAAC;AAIX,mEAAmE;AACnE,MAAM,YAAY,GAAG,QAAQ,CAAC;AAC9B,MAAM,mBAAmB,GAAG,mBAAmB,CAAC;AAEhD,SAAS,aAAa,CAAC,IAAc;IACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAc;IACtC,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAC5D,CAAC;AAcD;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO;QACL,WAAW,EAAE,KAAK;QAClB,gBAAgB,EAAE,KAAK;QACvB,YAAY,EAAE,KAAK;QACnB,oBAAoB,EAAE,KAAK;QAC3B,cAAc,EAAE,KAAK;QACrB,eAAe,EAAE,CAAC,MAAM,CAAC;QACzB,iBAAiB,EAAE,EAAE;QACrB,WAAW,EAAE,EAAE;KAChB,CAAC;AACJ,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,wBAAwB;IACtC,OAAO;QACL,WAAW,EAAE,IAAI;QACjB,gBAAgB,EAAE,IAAI;QACtB,YAAY,EAAE,IAAI;QAClB,oBAAoB,EAAE,IAAI;QAC1B,cAAc,EAAE,IAAI;QACpB,eAAe,EAAE,EAAE;QACnB,iBAAiB,EAAE,EAAE;QACrB,WAAW,EAAE,EAAE;KAChB,CAAC;AACJ,CAAC;AAED,kEAAkE;AAClE,MAAM,UAAU,kBAAkB,CAAC,MAAoB,EAAE,EAAqB;IAC5E,sFAAsF;IACtF,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW;QAAE,OAAO,KAAK,CAAC;IAEnE,4CAA4C;IAC5C,IAAI,EAAE,KAAK,aAAa,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,oBAAoB;QAAE,OAAO,KAAK,CAAC;IAEjF,gBAAgB;IAChB,IAAI,EAAE,KAAK,aAAa,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,gBAAgB;QAAE,OAAO,KAAK,CAAC;IAEzE,WAAW;IACX,IAAI,EAAE,KAAK,aAAa,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAEvE,uFAAuF;IACvF,6EAA6E;IAC7E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,cAAc,CAAC,MAAoB,EAAE,EAAqB,EAAE,MAAc;IACxF,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,cAAc,CACtB,cAAc,MAAM,WAAW,EAAE,yCAAyC,qBAAqB,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAC/G,CAAC;IACJ,CAAC;AACH,CAAC;AAED,8FAA8F;AAC9F,SAAS,qBAAqB,CAAC,MAAoB,EAAE,EAAqB;IACxE,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW;QAClD,OAAO,0DAA0D,CAAC;IACpE,IAAI,EAAE,KAAK,aAAa,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,oBAAoB;QAAE,OAAO,oCAAoC,CAAC;IAChH,IAAI,EAAE,KAAK,aAAa,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,gBAAgB;QAAE,OAAO,gCAAgC,CAAC;IACpG,IAAI,EAAE,KAAK,aAAa,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY;QAAE,OAAO,4BAA4B,CAAC;IAC9F,OAAO,iBAAiB,CAAC;AAC3B,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,gBAAgB,CAAC,MAAoB,EAAE,GAAW;IAChE,IAAI,aAAa,CAAC,MAAM,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAEnC,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3C,cAAc;QACd,IAAI,YAAY,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE3C,qDAAqD;QACrD,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,YAAY,CAAC,MAAoB,EAAE,GAAW;IAC5D,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,cAAc,CACtB,0BAA0B,GAAG,mDAAmD,gBAAgB,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAC5H,CAAC;IACJ,CAAC;AACH,CAAC;AAED,gDAAgD;AAChD,SAAS,sBAAsB,CAAC,MAAoB,EAAE,SAAiB;IACrE,IAAI,aAAa,CAAC,MAAM,CAAC,iBAAiB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvD,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IAE/C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;QAC/C,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,IAAI,YAAY,KAAK,cAAc;YAAE,OAAO,IAAI,CAAC;QACjD,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,cAAc,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;QACrD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,MAAoB,EAAE,SAAiB,EAAE,MAAc,EAAE,OAAgB;IACtG,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,IAAI,cAAc,CACtB,oBAAoB,MAAM,8EAA8E,CACzG,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;YACjC,MAAM,IAAI,cAAc,CACtB,oBAAoB,MAAM,8GAA8G,CACzI,CAAC;QACJ,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,SAAS,IAAI,SAAS,KAAK,GAAG,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1E,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,cAAc,CACtB,cAAc,MAAM,mBAAmB,SAAS,kDAAkD,gBAAgB,CAAC,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAChJ,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,MAAoB,EAAE,SAAiB,EAAE,OAAO,GAAG,IAAI;IAC9E,IAAI,CAAC,OAAO;QAAE,OAAO;IACrB,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,IAAI,cAAc,CACtB,cAAc,SAAS,8EAA8E,CACtG,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;QAC3B,MAAM,IAAI,cAAc,CACtB,cAAc,SAAS,4FAA4F,CACpH,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,YAA0B,EAAE,MAAgB;IAC3E,8EAA8E;IAC9E,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrB,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACtB,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrB,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACpB,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC3B,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IACD,IAAI,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE9C,MAAM,SAAS,GAAiB;QAC9B,GAAG,YAAY;QACf,eAAe,EAAE,CAAC,GAAG,YAAY,CAAC,eAAe,CAAC;QAClD,iBAAiB,EAAE,CAAC,GAAG,YAAY,CAAC,iBAAiB,CAAC;QACtD,WAAW,EAAE,CAAC,GAAG,YAAY,CAAC,WAAW,CAAC;KAC3C,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,SAAS,CAAC,WAAW,GAAG,KAAK,CAAC;IAC1D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,SAAS,CAAC,gBAAgB,GAAG,KAAK,CAAC;IAC9D,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,SAAS,CAAC,YAAY,GAAG,KAAK,CAAC;IACzD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC;QAAE,SAAS,CAAC,oBAAoB,GAAG,KAAK,CAAC;IACxE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,SAAS,CAAC,cAAc,GAAG,KAAK,CAAC;IAE3D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,2BAA2B,CACzC,YAA0B,EAC1B,aAAoC;IAEpC,MAAM,GAAG,GAAG,CAAC,CAAU,EAAE,CAAsB,EAAW,EAAE,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAE5F,MAAM,aAAa,GAAG,CAAC,MAAgB,EAAE,OAA6B,EAAY,EAAE;QAClF,IAAI,CAAC,OAAO;YAAE,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;QACjC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAC3D,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC;QAC7C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;QAC7C,2EAA2E;QAC3E,mFAAmF;QACnF,mCAAmC;QACnC,MAAM,MAAM,GAAG,CAAC,SAAiB,EAAE,UAAkB,EAAW,EAAE;YAChE,MAAM,CAAC,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;YACnC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACzB,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACpB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC9B,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC;oBAAE,OAAO,IAAI,CAAC;YACxC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC,CAAC;QACF,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,gFAAgF;QAChF,4EAA4E;QAC5E,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC;IAChE,CAAC,CAAC;IAEF,MAAM,SAAS,GAAiB;QAC9B,WAAW,EAAE,GAAG,CAAC,YAAY,CAAC,WAAW,EAAE,aAAa,CAAC,WAAW,CAAC;QACrE,gBAAgB,EAAE,GAAG,CAAC,YAAY,CAAC,gBAAgB,EAAE,aAAa,CAAC,gBAAgB,CAAC;QACpF,YAAY,EAAE,GAAG,CAAC,YAAY,CAAC,YAAY,EAAE,aAAa,CAAC,YAAY,CAAC;QACxE,oBAAoB,EAAE,GAAG,CAAC,YAAY,CAAC,oBAAoB,EAAE,aAAa,CAAC,oBAAoB,CAAC;QAChG,cAAc,EAAE,GAAG,CAAC,YAAY,CAAC,cAAc,EAAE,aAAa,CAAC,cAAc,CAAC;QAC9E,eAAe,EAAE,aAAa,CAAC,YAAY,CAAC,eAAe,EAAE,aAAa,CAAC,eAAe,CAAC;QAC3F,iBAAiB,EAAE,aAAa,CAAC,YAAY,CAAC,iBAAiB,EAAE,aAAa,CAAC,iBAAiB,CAAC;QACjG,WAAW,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,YAAY,CAAC,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;KAC/F,CAAC;IAEF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,cAAc,CAAC,MAAoB;IACjD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,MAAM,CAAC,WAAW;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,MAAM,CAAC,gBAAgB;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACxD,IAAI,MAAM,CAAC,YAAY;QAAE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAChD,IAAI,MAAM,CAAC,oBAAoB;QAAE,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAChE,IAAI,MAAM,CAAC,cAAc;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACpD,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,gBAAgB,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAC1G,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,gBAAgB,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;IAChH,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;IAC1F,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7D,CAAC"}

package/dist/adt/transport.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * CTS Transport management for SAP ADT.
  *
- * Transport operations require explicit opt-in via enableTransports flag.
+ * Transport mutations require explicit opt-in via allowWrites + allowTransportWrites.
  * Safety checks are applied at every entry point.
  */
 import type { AdtHttpClient } from './http.js';

package/dist/adt/transport.js CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * CTS Transport management for SAP ADT.
  *
- * Transport operations require explicit opt-in via enableTransports flag.
+ * Transport mutations require explicit opt-in via allowWrites + allowTransportWrites.
  * Safety checks are applied at every entry point.
  */
 import { AdtApiError } from './errors.js';
@@ -144,7 +144,7 @@ async function reassignSingle(http, transportId, newOwner) {
  * @param operation - `I` for insert/create, empty string for modify (default: `I`)
  */
 export async function getTransportInfo(http, safety, objectUrl, devclass, operation = 'I') {
-    // Transport info is a read operation — doesn't require enableTransports
+    // Transport info is a read operation — doesn't require allowTransportWrites.
     checkOperation(safety, OperationType.Read, 'TransportInfo');
     const body = `<?xml version="1.0" encoding="UTF-8"?>
 <asx:abap xmlns:asx="http://www.sap.com/abapxml" version="1.0">