arc-1 0.9.12 → 0.9.14

package/dist/handlers/intent.js

@@ -9,7 +9,7 @@
  * responses. Internal details (stack traces, SAP XML) are NOT
  * leaked to the LLM — only user-friendly error messages.
  */
-import { checkRepo as abapGitCheckRepo, createBranch as abapGitCreateBranch, createRepo as abapGitCreateRepo, getExternalInfo as abapGitGetExternalInfo, listRepos as abapGitListRepos, pullRepo as abapGitPullRepo, pushRepo as abapGitPushRepo, stageRepo as abapGitStageRepo, switchBranch as abapGitSwitchBranch, unlinkRepo as abapGitUnlinkRepo, } from '../adt/abapgit.js';
+import { checkRepo as abapGitCheckRepo, createBranch as abapGitCreateBranch, createRepo as abapGitCreateRepo, enforceRepoPackageAllowed as abapGitEnforceRepoPackage, getExternalInfo as abapGitGetExternalInfo, listRepos as abapGitListRepos, pullRepo as abapGitPullRepo, pushRepo as abapGitPushRepo, stageRepo as abapGitStageRepo, switchBranch as abapGitSwitchBranch, unlinkRepo as abapGitUnlinkRepo, } from '../adt/abapgit.js';
 import { buildSiblingExtensionFinding, classifyCdsImpact, deriveSiblingStem, isSiblingNameMatch, } from '../adt/cds-impact.js';
 import { diffMethodSets, extractMethodNameFromClause, findSectionAnchor, insertMethodPair, moveMethodDefinition, removeMethodPair, spliceClassDefinition, spliceMethodSignature, } from '../adt/class-structure.js';
 import { findDefinition, findInterfaceImplementersViaSeoMetaRel, findReferences, findWhereUsed, getCompletion, getWhereUsedScope, } from '../adt/codeintel.js';
@@ -916,9 +916,10 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
     return requestContext.run({ requestId: reqId, user, tool: toolName }, async () => {
         try {
             let result;
+            const cacheSecurity = buildCacheSecurityContext(authInfo, isPerUserClient);
             switch (toolName) {
                 case 'SAPRead':
-                    result = await handleSAPRead(client, args, cachingLayer);
+                    result = await handleSAPRead(client, args, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPSearch':
                     result = await handleSAPSearch(client, args);
@@ -927,10 +928,10 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
                     result = await handleSAPQuery(client, args);
                     break;
                 case 'SAPWrite':
-                    result = await handleSAPWrite(client, args, config, cachingLayer);
+                    result = await handleSAPWrite(client, args, config, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPActivate':
-                    result = await handleSAPActivate(client, args, cachingLayer);
+                    result = await handleSAPActivate(client, args, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPNavigate':
                     result = await handleSAPNavigate(client, args);
@@ -948,7 +949,7 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
                     result = await handleSAPGit(client, args, authInfo);
                     break;
                 case 'SAPContext':
-                    result = await handleSAPContext(client, args, cachingLayer);
+                    result = await handleSAPContext(client, args, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPManage':
                     result = await handleSAPManage(client, config, args, cachingLayer, isPerUserClient);
@@ -1065,7 +1066,47 @@ const VERSIONED_SOURCE_READ_TYPES = new Set([
 function inactiveTypeMatches(readType, inactiveType) {
     return (inactiveType.split('/')[0] ?? inactiveType).toUpperCase() === readType.toUpperCase();
 }
-async function resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion) {
+function nonEmptyString(value) {
+    return typeof value === 'string' && value.trim().length > 0 ? value.trim() : undefined;
+}
+function resolveCacheUserKey(authInfo) {
+    if (!authInfo)
+        return undefined;
+    const extra = (authInfo.extra ?? {});
+    const issuerOrClient = nonEmptyString(extra.iss) ?? nonEmptyString(authInfo.clientId) ?? 'unknown-auth-source';
+    const namespace = issuerOrClient.toLowerCase();
+    const userName = nonEmptyString(extra.userName);
+    if (userName)
+        return `${namespace}:userName:${userName.toUpperCase()}`;
+    const email = nonEmptyString(extra.email);
+    if (email)
+        return `${namespace}:email:${email.toLowerCase()}`;
+    const sub = nonEmptyString(extra.sub);
+    if (sub)
+        return `${namespace}:sub:${sub}`;
+    const preferredUsername = nonEmptyString(extra.preferred_username);
+    if (preferredUsername)
+        return `${namespace}:preferred_username:${preferredUsername.toLowerCase()}`;
+    return undefined;
+}
+function buildCacheSecurityContext(authInfo, isPerUserClient) {
+    if (!isPerUserClient)
+        return { isPerUserClient: false };
+    return {
+        isPerUserClient: true,
+        userKey: resolveCacheUserKey(authInfo),
+    };
+}
+function inactiveListUserKey(client, cacheSecurity) {
+    return cacheSecurity?.isPerUserClient ? cacheSecurity.userKey : client.username;
+}
+function invalidateInactiveList(cachingLayer, client, cacheSecurity) {
+    cachingLayer?.inactiveLists.invalidate(inactiveListUserKey(client, cacheSecurity));
+}
+function contextCacheForDependencyPayloads(cachingLayer, cacheSecurity) {
+    return cacheSecurity?.isPerUserClient ? undefined : cachingLayer;
+}
+async function resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion, cacheSecurity) {
     if (!VERSIONED_SOURCE_READ_TYPES.has(type)) {
         return { effectiveVersion: requestedVersion === 'auto' ? 'active' : requestedVersion };
     }
@@ -1073,7 +1114,7 @@ async function resolveVersionAndDraftInfo(client, cachingLayer, type, name, requ
     if (cachingLayer || requestedVersion !== 'active') {
         try {
             const inactiveObjects = cachingLayer
-                ? await cachingLayer.inactiveLists.getOrFetch(client)
+                ? await cachingLayer.inactiveLists.getOrFetch(client, inactiveListUserKey(client, cacheSecurity))
                 : await client.getInactiveObjects();
             const upperName = name.toUpperCase();
             draft = inactiveObjects.find((object) => inactiveTypeMatches(type, object.type) && object.name.toUpperCase() === upperName);
@@ -1103,7 +1144,7 @@ function sourceVersionWarning(effectiveVersion, draft) {
     }
     return undefined;
 }
-async function handleSAPRead(client, args, cachingLayer) {
+async function handleSAPRead(client, args, cachingLayer, cacheSecurity) {
     const type = normalizeObjectType(String(args.type ?? ''));
     const name = String(args.name ?? '');
     const requestedVersion = (args.version ?? 'active');
@@ -1126,10 +1167,10 @@ async function handleSAPRead(client, args, cachingLayer) {
         return textResult(JSON.stringify(sdo, null, 2));
     }
     if (args.force_refresh === true && cachingLayer && VERSIONED_SOURCE_READ_TYPES.has(type)) {
-        cachingLayer.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
         cachingLayer.invalidate(type, name, 'all');
     }
-    const { effectiveVersion, draft } = await resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion);
+    const { effectiveVersion, draft } = await resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion, cacheSecurity);
     const versionWarning = sourceVersionWarning(effectiveVersion, draft);
     // Helper: get source with cache support, returns cache hit status
     const cachedGet = async (objType, objName, version, fetcher) => {
@@ -2580,6 +2621,13 @@ export function buildCreateXml(type, name, pkg, description, properties, languag
                 description,
                 package: pkg,
                 messages: messages.length > 0 ? messages : undefined,
+                // Thread the configured language into the body (same spirit as #343).
+                // Live-verified on a4h 7.58: the MSAG handler keys T100.SPRSL by the
+                // BODY adtcore:language — without it the messages are stored under a
+                // BLANK language key (texts never resolve at runtime; ATC/SLIN flags
+                // every number as missing). The sap-language URL param alone does NOT
+                // prevent this.
+                language: masterLanguage,
             };
             return buildMessageClassXml(params);
         }
@@ -3148,7 +3196,7 @@ async function enforceAllowedPackageForObjectUrl(client, objectUrl, label, accep
  * PUT; ABAP-specific pre-write steps (lint, RAP preflight, CDS guard) do not apply. Create leaves the
  * object inactive — callers follow with SAPActivate (never auto-activated).
  */
-async function handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer) {
+async function handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer, cacheSecurity) {
     // Discovery gate — mirror handleSAPRead's server-driven branch.
     if (supportsServerDrivenObject(client.http, type) === false) {
         return errorResult(`SAPWrite type=${type} (server-driven object) requires SAP_BASIS 8.16+ (ABAP Platform 2025 / S/4HANA 2025). ` +
@@ -3159,7 +3207,7 @@ async function handleServerDrivenObjectWrite(client, action, type, name, args, c
     const blueAccept = serverDrivenBlueContentType(type);
     const invalidate = () => {
         cachingLayer?.invalidate(type, name, 'all');
-        cachingLayer?.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
     };
     // SDO source is AFF JSON (not ABAP) — validate it parses before any PUT.
     const validateSource = () => {
@@ -3222,7 +3270,7 @@ async function handleServerDrivenObjectWrite(client, action, type, name, args, c
                 'Supported: create, update, delete (source is AFF JSON) — then SAPActivate to activate.');
     }
 }
-async function handleSAPWrite(client, args, config, cachingLayer) {
+async function handleSAPWrite(client, args, config, cachingLayer, cacheSecurity) {
     const action = String(args.action ?? '');
     const type = normalizeWriteObjectType(String(args.type ?? ''));
     const name = String(args.name ?? '');
@@ -3262,7 +3310,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
     // objectBasePath(<sdo>) throws, so this MUST come before the objectUrl computation. Mirrors the
     // server-driven branch in handleSAPRead.
     if (isServerDrivenObjectType(type)) {
-        return handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer);
+        return handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer, cacheSecurity);
     }
     // For TABL update/delete/edit_method, the existing object may live at /tables/
     // (transparent) or /structures/ (DDIC structure). Resolve once via the client's
@@ -3333,7 +3381,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
     const invalidateWrittenObject = (objType = type, objName = name) => {
         // Source cache is keyed by canonical type (SAPRead collapses TABL/DT, TABL/DS).
         cachingLayer?.invalidate(canonicalTablType(objType), objName, 'all');
-        cachingLayer?.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
     };
     // Helper: enforce allowedPackages for existing objects (update/delete/edit_method/scaffold_rap_handlers).
     // Only fetches metadata when package restrictions are configured — no extra HTTP call otherwise.
@@ -3351,7 +3399,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
     // surgery call on a draft would splice active-version line ranges into inactive
     // source and silently corrupt the draft.
     async function fetchClassStructureAndMain(clsName) {
-        const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', clsName, 'auto');
+        const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', clsName, 'auto', cacheSecurity);
         const structure = await client.getClassStructure(clsName, effectiveVersion);
         const main = cachingLayer
             ? (await cachingLayer.getSource('CLAS', clsName, (ifNoneMatch) => client.getClass(clsName, undefined, { ifNoneMatch, version: effectiveVersion }), { version: effectiveVersion })).source
@@ -3740,7 +3788,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
                 // splice against stale content (and frequently "method not found").
                 // Use the standard inactive-list lookup to pick the right version —
                 // same auto-resolution semantics SAPRead exposes via `version='auto'`.
-                const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', name, 'auto');
+                const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', name, 'auto', cacheSecurity);
                 const fetched = await client.getClass(name, resolvedInclude, { version: effectiveVersion });
                 currentSource = stripIncludeHeader(fetched.source);
                 // If the include itself has no draft (only MAIN does), SAP returns the
@@ -4604,7 +4652,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
                     for (const o of writtenObjects) {
                         cachingLayer?.invalidate(o.type, o.name, 'all');
                     }
-                    cachingLayer?.inactiveLists.invalidate(client.username);
+                    invalidateInactiveList(cachingLayer, client, cacheSecurity);
                 }
                 else {
                     // Flip every written-but-not-yet-activated entry to 'failed', preserving the
@@ -4824,7 +4872,7 @@ async function runPreWriteSyntaxCheck(client, type, source, objectUrl, config, p
     }
 }
 // ─── SAPActivate Handler ─────────────────────────────────────────────
-async function handleSAPActivate(client, args, cachingLayer) {
+async function handleSAPActivate(client, args, cachingLayer, cacheSecurity) {
     const action = String(args.action ?? 'activate');
     const name = String(args.name ?? '');
     const version = String(args.version ?? '0001');
@@ -4850,6 +4898,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
         if (!name) {
             return errorResult('Missing required "name" parameter for publish_srvb action.');
         }
+        await enforceAllowedPackageForObjectUrl(client, objectUrlForType('SRVB', name), `Publish of service binding '${name}'`, SERVICEBINDING_V2_CONTENT_TYPE);
         const serviceType = await resolveServiceType();
         const result = await publishServiceBinding(client.http, client.safety, name, version, serviceType);
         if (result.severity === 'ERROR') {
@@ -4885,6 +4934,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
         if (!name) {
             return errorResult('Missing required "name" parameter for unpublish_srvb action.');
         }
+        await enforceAllowedPackageForObjectUrl(client, objectUrlForType('SRVB', name), `Unpublish of service binding '${name}'`, SERVICEBINDING_V2_CONTENT_TYPE);
         const serviceType = await resolveServiceType();
         const result = await unpublishServiceBinding(client.http, client.safety, name, version, serviceType);
         if (result.severity === 'ERROR') {
@@ -4971,7 +5021,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
             for (const object of objects) {
                 cachingLayer?.invalidate(object.type, object.name, 'all');
             }
-            cachingLayer?.inactiveLists.invalidate(client.username);
+            invalidateInactiveList(cachingLayer, client, cacheSecurity);
             return textResult(`Successfully activated ${objects.length} objects: ${names}.${statusDetails}`);
         }
         // On batch failure enrich with per-object inactive-version syntax errors —
@@ -5037,7 +5087,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
     const result = await activate(client.http, client.safety, objectUrl, { ...activateOpts, name });
     if (result.success) {
         cachingLayer?.invalidate(type, name, 'all');
-        cachingLayer?.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
         return textResult(`Successfully activated ${type} ${name}.${formatActivationMessages(result)}`);
     }
     // On failure, try to enrich with the actual compiler errors from the inactive version —
@@ -5720,6 +5770,11 @@ async function handleSAPGit(client, args, _authInfo) {
                 result = await gctsPullRepo(client.http, client.safety, repoId, String(args.commit ?? '').trim() || undefined);
             }
             else {
+                // R9: a pull deserializes remote content into the repo's server-bound package, which is
+                // NOT the caller-supplied `package` (abapGit ignores that for an existing repo). Gate the
+                // real binding against the allowlist before writing.
+                const repo = await loadAbapGitRepo(client, repoId);
+                await abapGitEnforceRepoPackage(client.safety, repo.package, client.getPackageHierarchyResolver(), 'SAPGit(action="pull")');
                 result = await abapGitPullRepo(client.http, client.safety, repoId, {
                     ...(packageName ? { package: packageName } : {}),
                     ...(url ? { url } : {}),
@@ -5734,6 +5789,9 @@ async function handleSAPGit(client, args, _authInfo) {
             if (!repoId)
                 return errorResult('SAPGit(action="push") requires repoId.');
             const repo = await loadAbapGitRepo(client, repoId);
+            // R9: push exports the repo's bound-package source to a remote git; gate that package
+            // against the allowlist (the read-side mirror of the pull gate above).
+            await abapGitEnforceRepoPackage(client.safety, repo.package, client.getPackageHierarchyResolver(), 'SAPGit(action="push")');
             const staging = Array.isArray(args.objects) && args.objects.length > 0
                 ? { repoKey: repo.key, branchName: repo.branchName, objects: args.objects }
                 : await abapGitStageRepo(client.http, client.safety, repo);
@@ -5958,8 +6016,24 @@ async function handleSAPTransport(client, args) {
             if (!id)
                 return errorResult('Transport ID is required for "delete" action.');
             const recursive = Boolean(args.recursive ?? false);
-            await deleteTransport(client.http, client.safety, id, recursive);
-            return textResult(`Deleted transport request: ${id}${recursive ? ' (recursive)' : ''}`);
+            const removeLockedObjects = Boolean(args.removeLockedObjects ?? false);
+            try {
+                await deleteTransport(client.http, client.safety, id, recursive, removeLockedObjects);
+            }
+            catch (e) {
+                // ADT refuses to delete a request/task that still holds locked objects (e.g. a deleted
+                // object's lingering record). Point the caller at removeLockedObjects instead of a raw [?/009].
+                if (!removeLockedObjects && e instanceof Error && /locked objects/i.test(e.message)) {
+                    return errorResult(`${e.message}\n\nThe request still holds locked object(s). ` +
+                        `Retry with removeLockedObjects=true to strip them first:\n` +
+                        `  SAPTransport(action="delete", id="${id}", removeLockedObjects=true)`);
+                }
+                throw e;
+            }
+            const extras = [recursive ? 'recursive' : '', removeLockedObjects ? 'removed locked objects' : '']
+                .filter(Boolean)
+                .join(', ');
+            return textResult(`Deleted transport request: ${id}${extras ? ` (${extras})` : ''}`);
         }
         case 'reassign': {
             const id = String(args.id ?? '');
@@ -6058,7 +6132,7 @@ function parseSiblingMaxCandidates(value) {
     const rounded = Math.trunc(parsed);
     return Math.min(Math.max(rounded, 1), HARD_MAX_SIBLING_MAX_CANDIDATES);
 }
-async function handleSAPContext(client, args, cachingLayer) {
+async function handleSAPContext(client, args, cachingLayer, cacheSecurity) {
     const action = String(args.action ?? '');
     // action="impact" is DDLS-only on the server side — default the type so LLMs
     // don't have to supply it redundantly (and don't get a validation retry when
@@ -6066,12 +6140,19 @@ async function handleSAPContext(client, args, cachingLayer) {
     const rawType = String(args.type ?? '');
     const type = normalizeObjectType(rawType || (action === 'impact' ? 'DDLS' : ''));
     const name = String(args.name ?? '');
-    const maxDeps = Number(args.maxDeps ?? 20);
+    // Bound dependency fan-out: a huge maxDeps would fan out unbounded SAP fetches per level
+    // (depth is already capped at 3). Clamp to [1, 100]; non-finite/<1 falls back to the default 20.
+    const rawMaxDeps = Number(args.maxDeps ?? 20);
+    const maxDeps = Number.isFinite(rawMaxDeps) && rawMaxDeps >= 1 ? Math.min(Math.floor(rawMaxDeps), 100) : 20;
     const depth = Math.min(Math.max(Number(args.depth ?? 1), 1), 3);
     // ─── Reverse dep lookup (pre-warmer only) ─────────────────────────
     if (action === 'usages') {
         if (!name)
             return errorResult('"name" is required for usages action.');
+        if (cacheSecurity?.isPerUserClient) {
+            return errorResult('SAPContext(action="usages") is disabled under principal propagation because it reads the shared warmup index. ' +
+                `Use SAPNavigate(action="references", type="${type || 'CLAS'}", name="${name}") for a live SAP-authorized lookup.`);
+        }
         if (!cachingLayer) {
             return errorResult('Reverse dependency lookup requires object caching. Cache is disabled (ARC1_CACHE=none). ' +
                 'Enable caching and run cache warmup to use this feature.');
@@ -6287,7 +6368,7 @@ async function handleSAPContext(client, args, cachingLayer) {
             }
             case 'DDLS': {
                 const ddlSource = await cachedGet('DDLS', name, (ifNoneMatch) => client.getDdls(name, { ifNoneMatch }));
-                const cdsResult = await compressCdsContext(client, ddlSource, name, maxDeps, depth, cachingLayer);
+                const cdsResult = await compressCdsContext(client, ddlSource, name, maxDeps, depth, contextCacheForDependencyPayloads(cachingLayer, cacheSecurity));
                 return textResult(cdsResult.output);
             }
             default:
@@ -6295,8 +6376,9 @@ async function handleSAPContext(client, args, cachingLayer) {
         }
     }
     // Check dep graph cache — if source hash matches, return cached contracts
-    if (cachingLayer) {
-        const cachedGraph = cachingLayer.getCachedDepGraph(source);
+    const dependencyPayloadCache = contextCacheForDependencyPayloads(cachingLayer, cacheSecurity);
+    if (dependencyPayloadCache) {
+        const cachedGraph = dependencyPayloadCache.getCachedDepGraph(source);
         if (cachedGraph) {
             const successful = cachedGraph.contracts.filter((c) => c.success);
             const failed = cachedGraph.contracts.filter((c) => !c.success);
@@ -6326,7 +6408,7 @@ async function handleSAPContext(client, args, cachingLayer) {
     const abaplintVersion = cachedFeatures?.abapRelease
         ? mapSapReleaseToAbaplintVersion(cachedFeatures.abapRelease)
         : undefined;
-    const result = await compressContext(client, source, name, type, maxDeps, depth, abaplintVersion, cachingLayer);
+    const result = await compressContext(client, source, name, type, maxDeps, depth, abaplintVersion, dependencyPayloadCache);
     return textResult(result.output);
 }
 function buildCdsUpstream(deps) {