sap-adt-mcp 0.8.1 → 0.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -159,6 +159,29 @@ Recommended: set `readOnly: true` for QAS and PRD profiles. Keep DEV writable.
159
159
  Many internal SAP systems use self-signed certs. `"rejectUnauthorized": false`
160
160
  disables TLS validation for that profile only. Don't set this on PRD.
161
161
 
162
+ ### Audit log
163
+
164
+ Every **write** the server performs against SAP (POST/PUT/DELETE/PATCH — locks,
165
+ source updates, activations, transport operations) is appended to a local JSONL
166
+ file, including which MCP tool triggered it and, for blocked attempts in
167
+ read-only mode, the violation itself. Reads and read-only queries are not
168
+ logged. Nothing leaves your machine — this is your local answer to "what exactly
169
+ did the AI change?".
170
+
171
+ Default location: `~/.sap-adt-mcp/audit.log`. One JSON object per line:
172
+
173
+ ```json
174
+ {"ts":"2026-06-11T12:00:00.000Z","tool":"adt_set_source","host":"https://...","sapUser":"DEVELOPER","method":"PUT","path":"/sap/bc/adt/programs/programs/ztest/source/main","status":200,"ok":true,"transport":"E4DK900123"}
175
+ ```
176
+
177
+ Configure or disable:
178
+
179
+ ```json
180
+ { "audit": { "enabled": false, "path": "/var/log/sap-adt-mcp/audit.log" } }
181
+ ```
182
+
183
+ …or set `SAP_ADT_MCP_AUDIT=0` (also accepts `false`/`no`/`off`).
184
+
162
185
  ### Automatic error reporting
163
186
 
164
187
  The server sends small, **redacted** reports to the maintainer so defects get
@@ -331,6 +354,31 @@ Friendly aliases (any of either column work):
331
354
  | behaviordef / bdef | BDEF |
332
355
  | messageclass / msag | MSAG |
333
356
 
357
+ ## Skills (packaged workflows)
358
+
359
+ The raw tools are building blocks; [`skills/`](skills/) ships ready-made
360
+ workflows for Claude Code that orchestrate them. Each SKILL.md lists its own
361
+ prerequisites (minimum NetWeaver release, required authorizations, read-only
362
+ compatibility).
363
+
364
+ | Skill | What it does | Read-only OK? | Min. system |
365
+ | --- | --- | --- | --- |
366
+ | [`transport-release-gate`](skills/transport-release-gate/SKILL.md) | Pre-release quality gate over a TR: inactive objects, locks, syntax, ATC, unit tests → go/no-go report. Release stays a human decision. | Mostly (unit tests + release need write) | NW 7.50+, ATC configured |
367
+ | [`dump-triage`](skills/dump-triage/SKILL.md) | ST22 triage: group dumps into families, deep-read top offenders, root cause + fix per family. | Yes — safe on PRD | NW 7.50+ (dumps feed) |
368
+ | [`legacy-code-doc`](skills/legacy-code-doc/SKILL.md) | Reverse-document legacy Z code: structure, DB touchpoints, callers, risks, S/4 migration notes. | Yes — safe on PRD | NW 7.4x+ (data samples 7.55+) |
369
+ | [`abap-clean-core`](skills/abap-clean-core/SKILL.md) | SAP Clean Core framework knowledge: levels, decision framework, governance. | Yes (knowledge-only) | none |
370
+
371
+ To use one, copy its folder into your project's `.claude/skills/` (or
372
+ `~/.claude/skills/` for all projects):
373
+
374
+ ```bash
375
+ cp -r node_modules/sap-adt-mcp/skills/dump-triage .claude/skills/
376
+ # or from a clone: cp -r sap-adt-mcp/skills/dump-triage .claude/skills/
377
+ ```
378
+
379
+ Claude Code picks them up automatically; they trigger when the conversation
380
+ matches (e.g. "is E4DK900123 safe to release?" → transport-release-gate).
381
+
334
382
  ## Clean Core: prompts + reference
335
383
 
336
384
  The server ships an opt-in **Clean Core** layer for SAP S/4HANA work.
@@ -8,6 +8,9 @@
8
8
  "adtErrors": true,
9
9
  "allowManual": true
10
10
  },
11
+ "audit": {
12
+ "enabled": true
13
+ },
11
14
  "systems": {
12
15
  "DEV": {
13
16
  "host": "https://sap-dev.example.com:44300",
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "sap-adt-mcp",
3
- "version": "0.8.1",
3
+ "version": "0.8.3",
4
4
  "description": "MCP server giving Claude live access to SAP systems via ADT (ABAP Development Tools) REST. Read source, search, run syntax checks, and edit ABAP objects from any MCP-compatible client.",
5
5
  "type": "module",
6
6
  "main": "src/server.js",
@@ -10,6 +10,7 @@
10
10
  },
11
11
  "files": [
12
12
  "src",
13
+ "skills",
13
14
  "config.example.json",
14
15
  "README.md",
15
16
  "LICENSE"
@@ -19,7 +20,7 @@
19
20
  },
20
21
  "scripts": {
21
22
  "start": "node src/server.js",
22
- "test": "node --test test/adt-error.test.js test/atc-bulk.test.js test/cds.test.js test/data-preview.test.js test/diff.test.js test/dump-feed.test.js test/grep-source.test.js test/jobs.test.js test/lifecycle-activate.test.js test/lock.test.js test/mcp-bug-fixes.test.js test/node-structure.test.js test/notes.test.js test/object-create.test.js test/object-references.test.js test/object-uris.test.js test/prompts.test.js test/provenance.test.js test/rap-scaffold.test.js test/reporter.test.js test/security.test.js test/source-chunked.test.js test/source-guard.test.js test/source-pagination.test.js test/syntax-context.test.js test/tools-shape.test.js test/versions.test.js test/worklist.test.js",
23
+ "test": "node --test test/adt-error.test.js test/atc-bulk.test.js test/audit.test.js test/cds.test.js test/data-preview.test.js test/diff.test.js test/dump-feed.test.js test/grep-source.test.js test/jobs.test.js test/lifecycle-activate.test.js test/lock.test.js test/mcp-bug-fixes.test.js test/node-structure.test.js test/notes.test.js test/object-create.test.js test/object-references.test.js test/object-uris.test.js test/prompts.test.js test/provenance.test.js test/rap-scaffold.test.js test/reporter.test.js test/security.test.js test/source-chunked.test.js test/source-guard.test.js test/source-pagination.test.js test/syntax-context.test.js test/tools-shape.test.js test/versions.test.js test/worklist.test.js",
23
24
  "lint": "eslint src test"
24
25
  },
25
26
  "keywords": [
@@ -0,0 +1,285 @@
1
+ ---
2
+ name: abap-clean-core
3
+ description: Apply SAP Clean Core extensibility principles whenever the user writes, reviews, refactors, or designs ABAP code for SAP S/4HANA — any deployment (Public Cloud, Private Cloud, on-premise). Use this skill any time the conversation involves ABAP extensions, custom Z-code, BAdIs, BAPIs, user exits, CDS views, RAP services, custom fields or business objects, modifications, enhancements, ATC findings, the Cloudification Repository, ABAP Cloud vs classic ABAP, on-stack vs side-by-side architecture, RISE/GROW with SAP, BTP extensions, or migrating legacy ABAP toward ABAP Cloud. Trigger generously — even when the user just mentions terms like "modification," "user exit," "enhancement spot," "implicit enhancement," "Z-program," "Z-table," "released API," "internal SAP object," "upgrade-safe," "S/4HANA migration," "clean core," "fit-to-standard," "BTP first," or "technical debt in ABAP," this skill is almost certainly relevant. Better to load it and stay quiet than to miss the context.
4
+ ---
5
+
6
+ # ABAP Clean Core
7
+
8
+ This skill encodes SAP's official Clean Core extensibility framework. Apply it when guiding the user through ABAP development, code review, refactoring, or architecture decisions for SAP S/4HANA.
9
+
10
+ ## Prerequisites
11
+
12
+ None — this is a knowledge skill: it needs no SAP connection and works in any
13
+ ABAP conversation. When sap-adt-mcp **is** connected it gets sharper:
14
+ `adt_run_atc` / `adt_run_atc_package` verify findings against the system's real
15
+ check variant, `adt_list_released_apis` confirms what is actually released on
16
+ that release level, and `adt_where_used` measures the blast radius of a Level
17
+ C/D dependency before recommending a replacement. Cloud-readiness ATC checks
18
+ require an S/4HANA system (or a recent ATC content update on NW 7.5x).
19
+
20
+ ## Why Clean Core matters
21
+
22
+ Every extension that touches SAP-internal objects, modifies standard code, or relies on undocumented APIs becomes a maintenance liability. It blocks upgrades, breaks unpredictably, and accumulates as technical debt that compounds over years.
23
+
24
+ Clean Core is the discipline of building extensions that survive SAP upgrades automatically — by isolating custom code from the standard through stable, released interfaces. It's not theoretical: SAP's entire cloud strategy (RISE, GROW, S/4HANA Cloud) assumes customer extensions are decoupled. Code that ignores Clean Core is code that will eventually be rewritten.
25
+
26
+ Clean Core spans **five principles** — Processes, Data, Integration, Operations, and Extensibility. This skill focuses on Extensibility (the code and architecture side), but be aware: when a user asks about "clean core data" or "clean core integration," they're asking about the other four principles, not about extensions.
27
+
28
+ When you help with ABAP, your job is to nudge the user toward extensions that will still work after the next upgrade — without lecturing, without refusing classic-ABAP work when it's needed, but always making the trade-off visible.
29
+
30
+ ## Two strategic tracks: Stay Clean & Get Clean
31
+
32
+ All clean core work falls into one of two efforts. Naming which one the user is in helps frame the advice.
33
+
34
+ ### Stay Clean — preventing new technical debt
35
+
36
+ Applies to **new development**. The goal is zero unnecessary debt: every new extension at the highest achievable level, governed by a process that catches violations before they ship. When the user is writing or designing something new, you're in Stay Clean mode — enforcement-heavy, with quality gates blocking transport on Level 1–2 ATC findings.
37
+
38
+ ### Get Clean — reducing existing technical debt
39
+
40
+ Applies to **existing custom code**. Realistic, prioritized reduction over years — eliminate Level D first ("Level D zero" is a year-one goal), then chip away at C and B. When the user is reviewing legacy or planning remediation, you're in Get Clean mode — prioritization-heavy, with tactics like the boy scout principle (every developer leaves code cleaner than they found it), the lighthouse approach (clean during major rework anyway), and a 10% annual reduction target.
41
+
42
+ For the full Stay Clean / Get Clean playbook, KPI calculations, and exemption process, see `references/governance.md`.
43
+
44
+ ## The four cleanliness levels
45
+
46
+ Every ABAP extension sits in exactly one of four "cleanliness levels." Identifying the level — and pushing it upward when possible — is the entire framework.
47
+
48
+ ### Level A — Released APIs (the goal)
49
+ - Uses publicly released APIs with formal stability contracts
50
+ - ABAP Cloud development model on-stack, or SAP Build / CAP / ABAP Cloud on BTP side-by-side
51
+ - ATC behavior: no finding
52
+ - Upgrade-safe by SAP guarantee
53
+
54
+ **Examples:** released CDS views, business object interfaces, released BAdIs, RAP services, OData APIs documented in the SAP Business Accelerator Hub, custom fields via the Custom Fields app or extension framework.
55
+
56
+ ### Level B — Classic APIs (acceptable when needed)
57
+ - Documented, historically stable APIs without a formal stability contract
58
+ - Examples: BAPIs (e.g., `BAPI_PO_CREATE1`), released user exits, classic ALV grid (`CL_GUI_ALV_GRID`), traditional Web Dynpro
59
+ - ATC behavior: priority 3 (informational)
60
+
61
+ Use Level B when no Level A equivalent exists. Whenever possible, **wrap Level B calls in a Level A ABAP Cloud wrapper** so the rest of the codebase stays clean.
62
+
63
+ ### Level C — Internal SAP objects (risky, mitigate)
64
+ - Reading internal tables, calling non-released function modules or classes
65
+ - The *default* state of any SAP object not explicitly released — internal until proven otherwise
66
+ - ATC behavior: priority 2 (warning)
67
+ - Reclassification risk: SAP can move internal objects to `classic` (better) or `noAPI` (worse) at any release
68
+
69
+ When unavoidable, mitigate by:
70
+ - Enabling **Changelog for SAP Objects** in ATC, which proactively detects upcoming incompatible changes
71
+ - Encapsulating the access in a small, well-named wrapper class
72
+ - Tracking it in the team's technical-debt log with a planned refactor window
73
+
74
+ ### Level D — Modifications & noAPI (eliminate)
75
+ - Modifications to SAP standard code (changes via modification key)
76
+ - Direct write access to SAP core tables (UPDATE/INSERT/MODIFY on `MARA`, `VBAK`, `BSEG`, etc.)
77
+ - Implicit enhancements that intercept SAP method behavior
78
+ - Objects flagged as `noAPI` in the Cloudification Repository
79
+ - ATC behavior: priority 1 (error)
80
+
81
+ **Level D is the top refactoring priority.** Treat any new Level D code in code review as something that needs explicit, time-bound justification.
82
+
83
+ For deep-dive on Cloudification Repository state values (`released`, `classic`, `internal`, `noAPI`, `internalAPI` with successor), released local vs remote APIs, reclassification dynamics, and per-anti-pattern remediation, see `references/levels-detailed.md`.
84
+
85
+ ## Decision framework
86
+
87
+ Two layers: fit-to-standard first, then the SAP Application Extension Methodology if extension is justified.
88
+
89
+ ### Fit-to-standard ordering
90
+
91
+ Before deciding *how* to extend, decide whether to extend *at all*:
92
+
93
+ 1. **SAP standard** — does the standard cover it?
94
+ 2. **Certified add-on** — does an SAP-validated partner solution cover it? Look for "SAP-certified for clean core" designation.
95
+ 3. **Configuration** — can configuration achieve it (SPRO, business configuration)?
96
+ 4. **Custom extension** — only when 1–3 don't cover it and the requirement is genuinely differentiating.
97
+
98
+ Many "we need an extension" conversations should pause here. Building custom code for something the standard already does is the most common form of unnecessary technical debt.
99
+
100
+ ### SAP Application Extension Methodology (3 phases)
101
+
102
+ Once an extension is justified, the official methodology structures the technology choice:
103
+
104
+ - **Phase 1 — Assess Use Case.** What's the business need, what SAP data and processes does it touch, is transactional consistency required, what's the data volume, who consumes the output?
105
+ - **Phase 2 — Assess Technology.** Map the use case to extension styles (on-stack / side-by-side / hybrid), tasks (UI, business logic, integration), and the available technologies for each, with their clean core levels.
106
+ - **Phase 3 — Define Target Solution.** Pick the highest-Level combination that satisfies the use case. Document why anything below Level A was chosen.
107
+
108
+ ### "BTP first"
109
+
110
+ Default to **side-by-side**. Choose on-stack only when one of these is true:
111
+ - Transactional consistency with SAP core data is required (writing custom + standard tables in one LUW)
112
+ - High-volume reads with complex joins on SAP standard tables
113
+ - Frequent reads/writes to SAP standard data (latency would dominate)
114
+ - Extension of core SAP UI / data model / business object behavior with tight coupling
115
+
116
+ If neither applies clearly, side-by-side is the right answer. If both apply, you have a hybrid candidate (on-stack ABAP service exposing a released remote API, consumed by a side-by-side BTP UI/orchestration layer).
117
+
118
+ For the full decision matrix, on-stack vs side-by-side criteria, hybrid deployment patterns, and worked scenarios, see `references/decision-framework.md`.
119
+
120
+ ## Code-level guidance
121
+
122
+ ### When writing new ABAP
123
+
124
+ Default to ABAP Cloud syntax and patterns:
125
+
126
+ - Use **CDS views** for data modeling, never raw `SELECT` chains on SAP standard tables
127
+ - Use the **ABAP RESTful Application Programming Model (RAP)** for stateful business services — behaviors, validations, determinations
128
+ - Use **released business object interfaces** rather than directly writing to SAP standard tables
129
+ - Use modern ABAP language (7.40+): inline declarations, constructor expressions (`NEW`, `VALUE`, `FOR`, `REDUCE`)
130
+ - For UI, use **SAP Fiori / SAPUI5**, not SE38 reports
131
+ - For custom fields on SAP entities, prefer the **Custom Fields app** (key user extensibility) over ABAP-level append structures
132
+ - **Avoid** Dynpro, Web Dynpro, classic ALV reports — they are not cloud-ready
133
+
134
+ ABAP Cloud is enforced at the compiler level — code that violates the rules doesn't compile. There's no escape hatch. For the explicit allowed/forbidden lists, prebuilt services available without extra license (logging, change docs, number ranges, jobs, currency, UOM, factory calendar, XLSX), and core building blocks (RAP, CDS, business object interfaces, Custom Fields), see `references/abap-cloud-rules.md`.
135
+
136
+ ### When reviewing existing ABAP
137
+
138
+ Flag clearly with the level. Tone: descriptive, not judgmental.
139
+
140
+ **Likely Level D — flag as error:**
141
+ - Direct `UPDATE` / `INSERT` / `MODIFY` on SAP standard tables
142
+ - Modifications (changes via modification key)
143
+ - Implicit enhancements (`ENHANCEMENT-POINT ... INCLUDE BOUND` patterns)
144
+ - Field-symbol tricks reaching into SAP internal structures
145
+ - Hardcoded references to `noAPI` objects from the Cloudification Repository
146
+
147
+ **Likely Level C — flag as warning:**
148
+ - `SELECT` from SAP standard tables that have a released CDS view equivalent
149
+ - `CALL FUNCTION` to internal (non-released) function modules
150
+ - `TYPE REF TO` to SAP internal classes
151
+ - Use of internal types from non-released DDIC structures
152
+
153
+ **Likely Level B — flag as informational:**
154
+ - BAPI calls from new code (suggest: wrap them in a Level A class)
155
+ - Classic ALV usage (acceptable for legacy reports, not for new development)
156
+ - Web Dynpro (legacy acceptable, no new development)
157
+
158
+ ### Concrete refactoring patterns
159
+
160
+ **Pattern 1 — Wrap a classic API to expose Level A surface:**
161
+
162
+ ```abap
163
+ " Anti-pattern: BAPI called directly from cloud-namespace code
164
+ CALL FUNCTION 'BAPI_PO_CREATE1'
165
+ EXPORTING
166
+ poheader = ls_header
167
+ TABLES
168
+ poitem = lt_items
169
+ return = lt_return.
170
+
171
+ " Better: wrap in a released-style local API
172
+ CLASS zcl_po_service DEFINITION PUBLIC FINAL CREATE PUBLIC.
173
+ PUBLIC SECTION.
174
+ INTERFACES zif_po_service.
175
+ ENDCLASS.
176
+
177
+ CLASS zcl_po_service IMPLEMENTATION.
178
+ METHOD zif_po_service~create.
179
+ " BAPI call lives here, isolated.
180
+ " Callers consume only the released interface — Level A from their perspective.
181
+ ENDMETHOD.
182
+ ENDCLASS.
183
+ ```
184
+
185
+ The dependency on the BAPI (Level B) is now localized. Consumers stay at Level A. When a successor RAP-based equivalent appears, you change one file.
186
+
187
+ **Pattern 2 — Replace internal table read with released CDS view:**
188
+
189
+ ```abap
190
+ " Anti-pattern: direct SELECT on internal SAP table
191
+ SELECT matnr, mtart, ersda
192
+ FROM mara
193
+ INTO TABLE @DATA(lt_materials)
194
+ WHERE mtart = 'FERT'.
195
+
196
+ " Better: use released CDS view (lookup in Business Accelerator Hub)
197
+ SELECT material, materialtype, creationdate
198
+ FROM i_product
199
+ INTO TABLE @DATA(lt_materials)
200
+ WHERE materialtype = 'FERT'.
201
+ ```
202
+
203
+ The released view (`I_*` namespace pattern is common) carries SAP's stability contract. Field renames during upgrades become SAP's problem, not yours.
204
+
205
+ **Pattern 3 — Replace modification with extension point:**
206
+
207
+ When you find a modification of SAP standard:
208
+ 1. Identify the business behavior it changes
209
+ 2. Search for a **released BAdI**, **enhancement point**, or **business object interface** that exposes the same hook
210
+ 3. Reimplement the logic via that extension point
211
+ 4. If no released hook exists, file a SAP Customer Influence request, and as a bridge use a Level B classic user exit if available — never leave it as a Level D modification
212
+
213
+ ## "I know this is Level D, just need to ship"
214
+
215
+ Respect the constraint. Deliver the working code. But:
216
+
217
+ - State the level explicitly in your response
218
+ - Note what stops working: "this will need to be revisited at the next upgrade because direct writes to `VBAK` are not upgrade-safe"
219
+ - Sketch the Level A refactor in a few lines so it's captured for later
220
+ - Don't refuse, don't moralize, don't repeat the lecture
221
+
222
+ The user is the engineer of record. Your job is to make the trade-off visible, not to override it.
223
+
224
+ ## Measurement: how to know if we're winning
225
+
226
+ Four KPIs make clean core progress quantifiable. Reach for these when the user asks "how is the system doing?" or wants to set targets.
227
+
228
+ - **Clean Core Share** — percentage distribution of custom objects across Levels A/B/C/D. The shape of the distribution is more informative than any single number.
229
+ - **Technical Debt Score** — weighted ATC-finding total: errors × 10 + warnings × 5 + info × 1. Use to prioritize which packages to clean up next.
230
+ - **Unused Code Share** — percentage of custom objects with zero runtime calls (per ABAP Call Monitor / SCMON / SUSG). Cheapest cleanup target — no business risk to deletion.
231
+ - **Business Modifications Count** — entries in `SMODILOG`. Direct count of Level D modifications.
232
+
233
+ For calculation details, governance practices, and the exemption process, see `references/governance.md`.
234
+
235
+ ## Tooling
236
+
237
+ - **ABAP Test Cockpit (ATC)** with the **ABAP Cloud Readiness** variant — automated detection of Level B/C/D issues, integrated with transport release. Priority 1–2 findings block transport by default.
238
+ - **Cloudification Repository** — searchable catalog with state values: `released` (A), `classic` (B), `internal` (C, default), `noAPI` (D), and `internalAPI` (with successor — points you to the released replacement).
239
+ - **Changelog for SAP Objects** (ATC check) — proactively warns when a referenced internal object is scheduled for an incompatible change in an upcoming release.
240
+ - **SAP Business Accelerator Hub** — canonical source for released remote APIs (OData, REST, RFC, events) with documentation and code samples.
241
+ - **SAP Note 3578329** — framework/technology classification guide.
242
+ - **SAP Cloud ALM** — requirements management, traceability, governance for what extensions exist and why.
243
+ - **ABAP Development Tools (ADT in Eclipse)** — required for ABAP Cloud development; classic SE80 cannot drive cloud-compliant code.
244
+ - **Joule** — SAP AI copilot for code generation and classic-to-cloud migration assistance.
245
+
246
+ ## Anti-patterns to surface immediately
247
+
248
+ When you see these in code under review, name the pattern and the level:
249
+
250
+ - "Quick" modifications "we'll fix later" — Level D, never gets fixed
251
+ - Copy-pasting SAP standard code into a Z-namespace ("forking the standard") — diverges over time, double maintenance burden
252
+ - Extending SAP tables by appending custom fields directly — use the Custom Fields framework instead
253
+ - New SE38 reports for fresh requirements — use Fiori + RAP
254
+ - Implicit enhancements intercepting SAP method behavior — Level D, brittle, not allowed in ABAP Cloud at all
255
+ - Direct DB updates "because we know it's safe" — never safe across upgrades
256
+ - BAPI calls scattered through new code without wrappers — pins the codebase to Level B forever
257
+ - ABAP-level append structures for what could be a Custom Fields app — over-engineering, transfers ownership to dev team unnecessarily
258
+
259
+ ## What this skill does NOT do
260
+
261
+ - It does not refuse work on classic ABAP. Many real systems run on it; people need help. Provide the help, mark the level honestly.
262
+ - It does not require the user to refactor everything immediately. The realistic playbook is: stop adding Level D, eliminate existing Level D first, then chip away at C and B over years.
263
+ - It does not assume the user is on S/4HANA Public Cloud. Most guidance applies to Private Cloud and on-premise too; only call out edition-specific differences when they matter (e.g., on-premise still allows classic ABAP technically, but ABAP Cloud is the recommended path everywhere).
264
+
265
+ ## Quick reference card
266
+
267
+ | Symptom in code | Likely level | First-line fix |
268
+ |---|---|---|
269
+ | `MODIFY mara FROM ...` | D | Use Custom Fields framework or business object interface |
270
+ | `CALL FUNCTION 'BAPI_*'` in new code | B | Wrap in Level A class |
271
+ | `SELECT ... FROM <SAP standard table>` | C (often) | Find released CDS view in Business Accelerator Hub |
272
+ | `ENHANCEMENT-POINT ... INCLUDE BOUND` (implicit) | D | Use released BAdI / extension point |
273
+ | Modification key dialog appears | D | Stop; find an extension point |
274
+ | New SE38 report | B (classic) | Use Fiori + RAP |
275
+ | New Web Dynpro | B (classic) | Use SAPUI5 / Fiori Elements |
276
+ | `TYPE REF TO CL_<internal>` | C | Find released class or use released business object |
277
+ | Custom Z-table written from custom code | A | Fine — your own namespace |
278
+ | Custom field on SAP entity via append structure | D (often) | Use Custom Fields app (key user extensibility) |
279
+
280
+ ## When to load reference files
281
+
282
+ - Object level uncertainty, Cloudification Repository state values, released local vs remote APIs, reclassification → `references/levels-detailed.md`
283
+ - Architecture decisions, on-stack vs side-by-side, hybrid patterns, SAP Application Extension Methodology in detail, worked scenarios → `references/decision-framework.md`
284
+ - Stay Clean / Get Clean playbook, KPI calculations, ATC exemption process, key user vs developer extensibility, maturity assessment → `references/governance.md`
285
+ - ABAP Cloud allowed/forbidden lists, compiler enforcement, RAP / CDS / business object interfaces / Custom Fields, prebuilt services, classic-to-cloud migration → `references/abap-cloud-rules.md`
@@ -0,0 +1,172 @@
1
+ # ABAP Cloud Rules & Building Blocks
2
+
3
+ This file expands on what's allowed and not allowed in ABAP Cloud, and covers the core building blocks (RAP, CDS, business object interfaces, custom fields, prebuilt services). Load it when:
4
+ - The user is writing new ABAP and needs to know what's permitted
5
+ - A code review needs to check ABAP Cloud compliance specifically
6
+ - The user is asking about RAP, CDS, business object interfaces, or custom fields
7
+ - The conversation involves migrating classic ABAP to ABAP Cloud
8
+
9
+ ## Why ABAP Cloud is the new default
10
+
11
+ ABAP Cloud isn't just "ABAP with new syntax." It's a different language version with **enforced cloud-readiness and clean core compliance built into the compiler**. Code that violates the rules doesn't compile — there's no way to bypass the checks short of leaving ABAP Cloud entirely.
12
+
13
+ This is intentional. In classic ABAP, clean core was advisory; you could write Level D code and the system happily ran it. In ABAP Cloud, the language itself prevents most Level D anti-patterns at compile time. That's the point.
14
+
15
+ For SAP S/4HANA Cloud Private Edition, ABAP Cloud is **mandatory** for new on-stack development. For on-premise S/4HANA, classic ABAP still runs, but ABAP Cloud is the recommended path for everything new.
16
+
17
+ ## What's allowed in ABAP Cloud
18
+
19
+ ### Released local APIs
20
+ - **Released CDS views** — read access to SAP business data with stable field names and semantics
21
+ - **Business object interfaces** — programmatic create/read/update/delete on SAP entities, with validations and authorizations enforced by SAP standard
22
+ - **Released BAdIs and extension points** — documented hooks for plugging custom logic into standard processes
23
+ - **Released ABAP classes and interfaces** — the catalog of released `CL_*`/`IF_*` artifacts
24
+
25
+ ### Modeling and services
26
+ - **CDS** — for data models (`@AbapCatalog.sqlViewName`, projections, annotations, calculated fields)
27
+ - **RAP — ABAP RESTful Application Programming Model** — for services and business behaviors
28
+ - **Web services and OData** — exposing services for remote consumption
29
+ - **Event-based integration** via released events (raise, consume)
30
+
31
+ ### Prebuilt services (no extra license, no setup)
32
+ - **Application logging** (BAL successor in cloud-friendly form)
33
+ - **Change documents**
34
+ - **Number ranges**
35
+ - **Background jobs and scheduling**
36
+ - **Factory calendar** (working days, holidays)
37
+ - **Currency conversion** (`CL_ABAP_CURRENCY_CONV` and friends)
38
+ - **Unit of measure conversion**
39
+ - **XLSX processing** (read/write Excel files)
40
+ - **Printing**
41
+ - **Translations / internationalization** (i18n primitives)
42
+
43
+ These exist precisely so that custom code doesn't reach into internal SAP services for these common needs.
44
+
45
+ ### Custom data
46
+ - **Read/write access to your own custom tables** in your Z-namespace
47
+ - **Custom CDS views** built on top of released views or your own tables
48
+ - **Custom RAP services** exposing your own business objects
49
+
50
+ ### Modern ABAP language
51
+ - Inline declarations (`DATA(...)`)
52
+ - Constructor expressions (`NEW`, `VALUE`, `FOR`, `REDUCE`, `COND`, `SWITCH`)
53
+ - Type-safe Open SQL with strict mode
54
+ - Functional method calls and chaining
55
+ - ABAP Unit testing framework
56
+
57
+ ## What's NOT allowed in ABAP Cloud
58
+
59
+ The compiler rejects all of these:
60
+
61
+ ### Direct access to SAP standard
62
+ - **Direct write to SAP standard tables** — `UPDATE MARA`, `INSERT VBAK`, `MODIFY BSEG`, etc. Use the business object interface instead.
63
+ - **Read access to SAP-internal tables** without going through a released CDS view
64
+ - **Calls to SAP-internal function modules or classes** — anything not in the released catalog
65
+ - **Any reference to a `noAPI` object** from the Cloudification Repository
66
+
67
+ ### Non-cloud extension techniques
68
+ - **Modifications** to SAP standard objects via modification key
69
+ - **Implicit enhancements** (`ENHANCEMENT-POINT ... INCLUDE BOUND` patterns intercepting method behavior)
70
+ - **Field-symbol tricks** that reach into SAP-internal structures
71
+ - **Code copy-paste from SAP standard** with subsequent modification
72
+
73
+ ### Non-cloud-ready frameworks
74
+ - **Classic Dynpro** (SAP GUI screens) — not cloud-ready, not allowed for new code
75
+ - **Web Dynpro ABAP** — superseded by SAPUI5 / Fiori Elements
76
+ - **Classic ALV grid** with internal class references — `CL_GUI_ALV_GRID` and friends
77
+ - **SE38 reports** — use Fiori + RAP for new development
78
+
79
+ ### Untyped Open SQL
80
+ - **Native SQL** without type safety
81
+ - **Dynamic SQL** that bypasses the type system
82
+
83
+ ## Compiler enforcement is structural
84
+
85
+ The above list isn't a code review checklist — it's a compile-time check. ABAP Cloud sources are compiled in a stricter mode that fails on these patterns. There's no `#pragma` to disable the checks, no escape hatch.
86
+
87
+ This has two consequences:
88
+ - **You can't accidentally violate the rules.** Code that compiles is, by construction, free of these specific anti-patterns.
89
+ - **Migration from classic ABAP requires real work.** A classic ABAP report that uses `SELECT * FROM MARA` won't compile as ABAP Cloud — it needs to be rewritten against released CDS views.
90
+
91
+ For migration assistance, **Joule** (the SAP AI copilot) provides classic-ABAP-to-ABAP-Cloud transformation suggestions; the SAP-recommended migration path uses it as the starting point.
92
+
93
+ ## Core building blocks
94
+
95
+ ### CDS views
96
+
97
+ CDS (Core Data Services) is the modeling language for data and services. A CDS view defines:
98
+ - A logical data model (entities, fields, relationships)
99
+ - Annotations that enrich the model (UI hints, authorization, semantics)
100
+ - Optionally, projection logic over base entities
101
+
102
+ ```abap
103
+ @AccessControl.authorizationCheck: #CHECK
104
+ @EndUserText.label: 'Active products only'
105
+ define view entity ZI_ProductActive
106
+ as select from I_Product
107
+ {
108
+ key Product,
109
+ ProductType,
110
+ CreationDate,
111
+ LastChangeDate
112
+ }
113
+ where ProductIsArchived = ' ';
114
+ ```
115
+
116
+ The view consumes released entity `I_Product` (Level A) and exposes a filtered projection. No direct table access; SAP's stability contract on `I_Product` carries through.
117
+
118
+ ### RAP — RESTful Application Programming Model
119
+
120
+ RAP is the framework for stateful business services. A RAP business object has three layers:
121
+
122
+ - **Data model** (CDS views, including projection layer for the API surface)
123
+ - **Behavior definition** (which actions, validations, determinations apply)
124
+ - **Behavior implementation** (the ABAP classes implementing the behavior)
125
+
126
+ RAP enforces strict logical-unit-of-work control: the framework manages transaction boundaries, no manual `COMMIT WORK` scattered through the code. Services are stateless from the caller's perspective; state lives in the LUW.
127
+
128
+ When the user is building a new on-stack business service, RAP is the answer.
129
+
130
+ ### Business object interfaces
131
+
132
+ For consuming SAP business objects (Sales Order, Purchase Order, Material Master, Customer, etc.) programmatically, the released business object interface is the entry point. It's the Level A replacement for direct table writes and BAPI calls.
133
+
134
+ The pattern: import the released interface, call its methods. Validations, authorizations, change documents, and integration events are all triggered by the interface — no manual implementation needed.
135
+
136
+ ### Custom Fields framework
137
+
138
+ For adding fields to standard SAP entities (customer, material, sales order, etc.), the Custom Fields app is the Level A path:
139
+ - Business user adds the field through a low-code UI
140
+ - Field is automatically available in standard UIs, reports, OData services, and integration scenarios
141
+ - Lifecycle is managed by SAP — upgrades preserve the field
142
+
143
+ Reach for ABAP only when the field needs business logic that the framework doesn't cover (uncommon).
144
+
145
+ ## Migration from classic ABAP
146
+
147
+ Migration is rarely a mechanical translation. Common patterns:
148
+
149
+ - **`SELECT FROM <SAP table>` → released CDS view** — find the released equivalent in Business Accelerator Hub
150
+ - **`CALL FUNCTION 'BAPI_*'` → business object interface** — most BAPIs have a successor in the BO interface catalog
151
+ - **Modification → released BAdI / extension point** — find the documented hook
152
+ - **SE38 report → Fiori Elements analytical / list-report app** — RAP service + Fiori Elements UI
153
+ - **Web Dynpro screen → SAPUI5 / Fiori Elements** — typically a re-architecture, not a port
154
+
155
+ The realistic plan is incremental. A single classic report doesn't migrate in an afternoon — but each piece touched during normal development can move one step toward Level A.
156
+
157
+ ## Quick allowed/forbidden table
158
+
159
+ | Pattern | ABAP Cloud verdict | Replacement |
160
+ |---|---|---|
161
+ | `SELECT * FROM MARA` | Forbidden | `SELECT FROM I_Product` |
162
+ | `UPDATE VBAK SET ...` | Forbidden | Sales Order business object interface |
163
+ | `CALL FUNCTION 'BAPI_PO_CREATE1'` | Forbidden directly; allowed via wrapper from classic | Purchase Order business object interface |
164
+ | `CL_GUI_ALV_GRID` | Forbidden | Fiori Elements list-report |
165
+ | `ENHANCEMENT-POINT ... INCLUDE BOUND` | Forbidden | Released BAdI |
166
+ | Modification with key | Forbidden | Extension point or BAdI |
167
+ | `SELECT FROM Z_MY_TABLE` | Allowed | — |
168
+ | `SELECT FROM I_Product` | Allowed | — |
169
+ | Inline `DATA(lt_x) = ...` | Allowed | — |
170
+ | `NEW` / `VALUE` / `FOR` constructor expressions | Allowed | — |
171
+ | Native SQL via `EXEC SQL` | Forbidden | Use type-safe Open SQL or CDS |
172
+ | `CALL FUNCTION 'Z_*'` (custom RFC) | Allowed | — |