arc-1 0.9.13 → 0.9.14

package/dist/handlers/intent.js

@@ -916,9 +916,10 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
     return requestContext.run({ requestId: reqId, user, tool: toolName }, async () => {
         try {
             let result;
+            const cacheSecurity = buildCacheSecurityContext(authInfo, isPerUserClient);
             switch (toolName) {
                 case 'SAPRead':
-                    result = await handleSAPRead(client, args, cachingLayer);
+                    result = await handleSAPRead(client, args, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPSearch':
                     result = await handleSAPSearch(client, args);
@@ -927,10 +928,10 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
                     result = await handleSAPQuery(client, args);
                     break;
                 case 'SAPWrite':
-                    result = await handleSAPWrite(client, args, config, cachingLayer);
+                    result = await handleSAPWrite(client, args, config, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPActivate':
-                    result = await handleSAPActivate(client, args, cachingLayer);
+                    result = await handleSAPActivate(client, args, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPNavigate':
                     result = await handleSAPNavigate(client, args);
@@ -948,7 +949,7 @@ export async function handleToolCall(client, config, toolName, args, authInfo, _
                     result = await handleSAPGit(client, args, authInfo);
                     break;
                 case 'SAPContext':
-                    result = await handleSAPContext(client, args, cachingLayer);
+                    result = await handleSAPContext(client, args, cachingLayer, cacheSecurity);
                     break;
                 case 'SAPManage':
                     result = await handleSAPManage(client, config, args, cachingLayer, isPerUserClient);
@@ -1065,7 +1066,47 @@ const VERSIONED_SOURCE_READ_TYPES = new Set([
 function inactiveTypeMatches(readType, inactiveType) {
     return (inactiveType.split('/')[0] ?? inactiveType).toUpperCase() === readType.toUpperCase();
 }
-async function resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion) {
+function nonEmptyString(value) {
+    return typeof value === 'string' && value.trim().length > 0 ? value.trim() : undefined;
+}
+function resolveCacheUserKey(authInfo) {
+    if (!authInfo)
+        return undefined;
+    const extra = (authInfo.extra ?? {});
+    const issuerOrClient = nonEmptyString(extra.iss) ?? nonEmptyString(authInfo.clientId) ?? 'unknown-auth-source';
+    const namespace = issuerOrClient.toLowerCase();
+    const userName = nonEmptyString(extra.userName);
+    if (userName)
+        return `${namespace}:userName:${userName.toUpperCase()}`;
+    const email = nonEmptyString(extra.email);
+    if (email)
+        return `${namespace}:email:${email.toLowerCase()}`;
+    const sub = nonEmptyString(extra.sub);
+    if (sub)
+        return `${namespace}:sub:${sub}`;
+    const preferredUsername = nonEmptyString(extra.preferred_username);
+    if (preferredUsername)
+        return `${namespace}:preferred_username:${preferredUsername.toLowerCase()}`;
+    return undefined;
+}
+function buildCacheSecurityContext(authInfo, isPerUserClient) {
+    if (!isPerUserClient)
+        return { isPerUserClient: false };
+    return {
+        isPerUserClient: true,
+        userKey: resolveCacheUserKey(authInfo),
+    };
+}
+function inactiveListUserKey(client, cacheSecurity) {
+    return cacheSecurity?.isPerUserClient ? cacheSecurity.userKey : client.username;
+}
+function invalidateInactiveList(cachingLayer, client, cacheSecurity) {
+    cachingLayer?.inactiveLists.invalidate(inactiveListUserKey(client, cacheSecurity));
+}
+function contextCacheForDependencyPayloads(cachingLayer, cacheSecurity) {
+    return cacheSecurity?.isPerUserClient ? undefined : cachingLayer;
+}
+async function resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion, cacheSecurity) {
     if (!VERSIONED_SOURCE_READ_TYPES.has(type)) {
         return { effectiveVersion: requestedVersion === 'auto' ? 'active' : requestedVersion };
     }
@@ -1073,7 +1114,7 @@ async function resolveVersionAndDraftInfo(client, cachingLayer, type, name, requ
     if (cachingLayer || requestedVersion !== 'active') {
         try {
             const inactiveObjects = cachingLayer
-                ? await cachingLayer.inactiveLists.getOrFetch(client)
+                ? await cachingLayer.inactiveLists.getOrFetch(client, inactiveListUserKey(client, cacheSecurity))
                 : await client.getInactiveObjects();
             const upperName = name.toUpperCase();
             draft = inactiveObjects.find((object) => inactiveTypeMatches(type, object.type) && object.name.toUpperCase() === upperName);
@@ -1103,7 +1144,7 @@ function sourceVersionWarning(effectiveVersion, draft) {
     }
     return undefined;
 }
-async function handleSAPRead(client, args, cachingLayer) {
+async function handleSAPRead(client, args, cachingLayer, cacheSecurity) {
     const type = normalizeObjectType(String(args.type ?? ''));
     const name = String(args.name ?? '');
     const requestedVersion = (args.version ?? 'active');
@@ -1126,10 +1167,10 @@ async function handleSAPRead(client, args, cachingLayer) {
         return textResult(JSON.stringify(sdo, null, 2));
     }
     if (args.force_refresh === true && cachingLayer && VERSIONED_SOURCE_READ_TYPES.has(type)) {
-        cachingLayer.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
         cachingLayer.invalidate(type, name, 'all');
     }
-    const { effectiveVersion, draft } = await resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion);
+    const { effectiveVersion, draft } = await resolveVersionAndDraftInfo(client, cachingLayer, type, name, requestedVersion, cacheSecurity);
     const versionWarning = sourceVersionWarning(effectiveVersion, draft);
     // Helper: get source with cache support, returns cache hit status
     const cachedGet = async (objType, objName, version, fetcher) => {
@@ -2580,6 +2621,13 @@ export function buildCreateXml(type, name, pkg, description, properties, languag
                 description,
                 package: pkg,
                 messages: messages.length > 0 ? messages : undefined,
+                // Thread the configured language into the body (same spirit as #343).
+                // Live-verified on a4h 7.58: the MSAG handler keys T100.SPRSL by the
+                // BODY adtcore:language — without it the messages are stored under a
+                // BLANK language key (texts never resolve at runtime; ATC/SLIN flags
+                // every number as missing). The sap-language URL param alone does NOT
+                // prevent this.
+                language: masterLanguage,
             };
             return buildMessageClassXml(params);
         }
@@ -3148,7 +3196,7 @@ async function enforceAllowedPackageForObjectUrl(client, objectUrl, label, accep
  * PUT; ABAP-specific pre-write steps (lint, RAP preflight, CDS guard) do not apply. Create leaves the
  * object inactive — callers follow with SAPActivate (never auto-activated).
  */
-async function handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer) {
+async function handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer, cacheSecurity) {
     // Discovery gate — mirror handleSAPRead's server-driven branch.
     if (supportsServerDrivenObject(client.http, type) === false) {
         return errorResult(`SAPWrite type=${type} (server-driven object) requires SAP_BASIS 8.16+ (ABAP Platform 2025 / S/4HANA 2025). ` +
@@ -3159,7 +3207,7 @@ async function handleServerDrivenObjectWrite(client, action, type, name, args, c
     const blueAccept = serverDrivenBlueContentType(type);
     const invalidate = () => {
         cachingLayer?.invalidate(type, name, 'all');
-        cachingLayer?.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
     };
     // SDO source is AFF JSON (not ABAP) — validate it parses before any PUT.
     const validateSource = () => {
@@ -3222,7 +3270,7 @@ async function handleServerDrivenObjectWrite(client, action, type, name, args, c
                 'Supported: create, update, delete (source is AFF JSON) — then SAPActivate to activate.');
     }
 }
-async function handleSAPWrite(client, args, config, cachingLayer) {
+async function handleSAPWrite(client, args, config, cachingLayer, cacheSecurity) {
     const action = String(args.action ?? '');
     const type = normalizeWriteObjectType(String(args.type ?? ''));
     const name = String(args.name ?? '');
@@ -3262,7 +3310,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
     // objectBasePath(<sdo>) throws, so this MUST come before the objectUrl computation. Mirrors the
     // server-driven branch in handleSAPRead.
     if (isServerDrivenObjectType(type)) {
-        return handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer);
+        return handleServerDrivenObjectWrite(client, action, type, name, args, cachingLayer, cacheSecurity);
     }
     // For TABL update/delete/edit_method, the existing object may live at /tables/
     // (transparent) or /structures/ (DDIC structure). Resolve once via the client's
@@ -3333,7 +3381,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
     const invalidateWrittenObject = (objType = type, objName = name) => {
         // Source cache is keyed by canonical type (SAPRead collapses TABL/DT, TABL/DS).
         cachingLayer?.invalidate(canonicalTablType(objType), objName, 'all');
-        cachingLayer?.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
     };
     // Helper: enforce allowedPackages for existing objects (update/delete/edit_method/scaffold_rap_handlers).
     // Only fetches metadata when package restrictions are configured — no extra HTTP call otherwise.
@@ -3351,7 +3399,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
     // surgery call on a draft would splice active-version line ranges into inactive
     // source and silently corrupt the draft.
     async function fetchClassStructureAndMain(clsName) {
-        const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', clsName, 'auto');
+        const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', clsName, 'auto', cacheSecurity);
         const structure = await client.getClassStructure(clsName, effectiveVersion);
         const main = cachingLayer
             ? (await cachingLayer.getSource('CLAS', clsName, (ifNoneMatch) => client.getClass(clsName, undefined, { ifNoneMatch, version: effectiveVersion }), { version: effectiveVersion })).source
@@ -3740,7 +3788,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
                 // splice against stale content (and frequently "method not found").
                 // Use the standard inactive-list lookup to pick the right version —
                 // same auto-resolution semantics SAPRead exposes via `version='auto'`.
-                const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', name, 'auto');
+                const { effectiveVersion } = await resolveVersionAndDraftInfo(client, cachingLayer, 'CLAS', name, 'auto', cacheSecurity);
                 const fetched = await client.getClass(name, resolvedInclude, { version: effectiveVersion });
                 currentSource = stripIncludeHeader(fetched.source);
                 // If the include itself has no draft (only MAIN does), SAP returns the
@@ -4604,7 +4652,7 @@ async function handleSAPWrite(client, args, config, cachingLayer) {
                     for (const o of writtenObjects) {
                         cachingLayer?.invalidate(o.type, o.name, 'all');
                     }
-                    cachingLayer?.inactiveLists.invalidate(client.username);
+                    invalidateInactiveList(cachingLayer, client, cacheSecurity);
                 }
                 else {
                     // Flip every written-but-not-yet-activated entry to 'failed', preserving the
@@ -4824,7 +4872,7 @@ async function runPreWriteSyntaxCheck(client, type, source, objectUrl, config, p
     }
 }
 // ─── SAPActivate Handler ─────────────────────────────────────────────
-async function handleSAPActivate(client, args, cachingLayer) {
+async function handleSAPActivate(client, args, cachingLayer, cacheSecurity) {
     const action = String(args.action ?? 'activate');
     const name = String(args.name ?? '');
     const version = String(args.version ?? '0001');
@@ -4850,6 +4898,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
         if (!name) {
             return errorResult('Missing required "name" parameter for publish_srvb action.');
         }
+        await enforceAllowedPackageForObjectUrl(client, objectUrlForType('SRVB', name), `Publish of service binding '${name}'`, SERVICEBINDING_V2_CONTENT_TYPE);
         const serviceType = await resolveServiceType();
         const result = await publishServiceBinding(client.http, client.safety, name, version, serviceType);
         if (result.severity === 'ERROR') {
@@ -4885,6 +4934,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
         if (!name) {
             return errorResult('Missing required "name" parameter for unpublish_srvb action.');
         }
+        await enforceAllowedPackageForObjectUrl(client, objectUrlForType('SRVB', name), `Unpublish of service binding '${name}'`, SERVICEBINDING_V2_CONTENT_TYPE);
         const serviceType = await resolveServiceType();
         const result = await unpublishServiceBinding(client.http, client.safety, name, version, serviceType);
         if (result.severity === 'ERROR') {
@@ -4971,7 +5021,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
             for (const object of objects) {
                 cachingLayer?.invalidate(object.type, object.name, 'all');
             }
-            cachingLayer?.inactiveLists.invalidate(client.username);
+            invalidateInactiveList(cachingLayer, client, cacheSecurity);
             return textResult(`Successfully activated ${objects.length} objects: ${names}.${statusDetails}`);
         }
         // On batch failure enrich with per-object inactive-version syntax errors —
@@ -5037,7 +5087,7 @@ async function handleSAPActivate(client, args, cachingLayer) {
     const result = await activate(client.http, client.safety, objectUrl, { ...activateOpts, name });
     if (result.success) {
         cachingLayer?.invalidate(type, name, 'all');
-        cachingLayer?.inactiveLists.invalidate(client.username);
+        invalidateInactiveList(cachingLayer, client, cacheSecurity);
         return textResult(`Successfully activated ${type} ${name}.${formatActivationMessages(result)}`);
     }
     // On failure, try to enrich with the actual compiler errors from the inactive version —
@@ -6082,7 +6132,7 @@ function parseSiblingMaxCandidates(value) {
     const rounded = Math.trunc(parsed);
     return Math.min(Math.max(rounded, 1), HARD_MAX_SIBLING_MAX_CANDIDATES);
 }
-async function handleSAPContext(client, args, cachingLayer) {
+async function handleSAPContext(client, args, cachingLayer, cacheSecurity) {
     const action = String(args.action ?? '');
     // action="impact" is DDLS-only on the server side — default the type so LLMs
     // don't have to supply it redundantly (and don't get a validation retry when
@@ -6099,6 +6149,10 @@ async function handleSAPContext(client, args, cachingLayer) {
     if (action === 'usages') {
         if (!name)
             return errorResult('"name" is required for usages action.');
+        if (cacheSecurity?.isPerUserClient) {
+            return errorResult('SAPContext(action="usages") is disabled under principal propagation because it reads the shared warmup index. ' +
+                `Use SAPNavigate(action="references", type="${type || 'CLAS'}", name="${name}") for a live SAP-authorized lookup.`);
+        }
         if (!cachingLayer) {
             return errorResult('Reverse dependency lookup requires object caching. Cache is disabled (ARC1_CACHE=none). ' +
                 'Enable caching and run cache warmup to use this feature.');
@@ -6314,7 +6368,7 @@ async function handleSAPContext(client, args, cachingLayer) {
             }
             case 'DDLS': {
                 const ddlSource = await cachedGet('DDLS', name, (ifNoneMatch) => client.getDdls(name, { ifNoneMatch }));
-                const cdsResult = await compressCdsContext(client, ddlSource, name, maxDeps, depth, cachingLayer);
+                const cdsResult = await compressCdsContext(client, ddlSource, name, maxDeps, depth, contextCacheForDependencyPayloads(cachingLayer, cacheSecurity));
                 return textResult(cdsResult.output);
             }
             default:
@@ -6322,8 +6376,9 @@ async function handleSAPContext(client, args, cachingLayer) {
         }
     }
     // Check dep graph cache — if source hash matches, return cached contracts
-    if (cachingLayer) {
-        const cachedGraph = cachingLayer.getCachedDepGraph(source);
+    const dependencyPayloadCache = contextCacheForDependencyPayloads(cachingLayer, cacheSecurity);
+    if (dependencyPayloadCache) {
+        const cachedGraph = dependencyPayloadCache.getCachedDepGraph(source);
         if (cachedGraph) {
             const successful = cachedGraph.contracts.filter((c) => c.success);
             const failed = cachedGraph.contracts.filter((c) => !c.success);
@@ -6353,7 +6408,7 @@ async function handleSAPContext(client, args, cachingLayer) {
     const abaplintVersion = cachedFeatures?.abapRelease
         ? mapSapReleaseToAbaplintVersion(cachedFeatures.abapRelease)
         : undefined;
-    const result = await compressContext(client, source, name, type, maxDeps, depth, abaplintVersion, cachingLayer);
+    const result = await compressContext(client, source, name, type, maxDeps, depth, abaplintVersion, dependencyPayloadCache);
     return textResult(result.output);
 }
 function buildCdsUpstream(deps) {