```

[ThePlenkov]

User description

fix(ci): update Vault field names to match ADT_* convention

• Change Vault field names from generic (host, username, password, client) to ADT_* prefixed
• Fix typo: ADT_USERNMAE -> ADT_USERNAME (note: typo still present in diff)
• Update AGENTS.md to document complete-plan workflow
• Update abapify submodule (dirty state)

___

### **PR Type**
Enhancement, Tests


___

### **Description**
- Add file-based object targeting with `--from-file` option to ATC command for running checks on objects listed in a file

- Implement resolver plugin support (built-in `abapgit` and external resolvers) for ATC findings

- Add global `--config <path>` CLI option to specify custom config file path

- Enhance config caching with `configPath` parameter support from CLI context for proper cache invalidation

- Remove unused commands: `outlineCommand`, `createTestLogCommand`, `createTestAdtCommand`, `createResearchSessionsCommand`, `createUnlockCommand`, `createLockCommand`

- Add new `lsCommand` import for listing repository objects

- Update plugin loader to accept optional `configPath` parameter

- Extensive code formatting and style consistency improvements across multiple packages (prettier formatting, line wrapping, indentation standardization)

- Change `_text` property to `$value` in `InferSimpleContentExtension` for consistency with XML parser output

- Improve error messages in base model and transport operations

- Update test descriptions and assertions to match implementation changes


___

### Diagram Walkthrough


```mermaid
flowchart LR
  CLI["CLI with --config option"]
  ATCCmd["ATC Command"]
  FileTarget["File-based targeting<br/>--from-file"]
  Resolvers["Resolver Plugins<br/>abapgit + external"]
  ConfigCache["Config Caching<br/>with configPath"]
  
  CLI -- "passes configPath" --> ConfigCache
  ATCCmd -- "supports" --> FileTarget
  ATCCmd -- "uses" --> Resolvers
  ConfigCache -- "invalidates on<br/>configPath change" --> CLI

File Walkthrough

	Relevant files
Formatting	18 files generate-contracts.ts Code formatting and style consistency improvements              packages/adt-codegen/src/plugins/generate-contracts.ts Extensive code formatting and line-breaking improvements for better readability and consistency Multi-line function signatures and type definitions reformatted to follow consistent style String concatenation operations split across multiple lines for improved maintainability Arrow function parameters wrapped in parentheses for consistency Comment formatting standardized (trailing whitespace removed) +402/-180 infer.ts Type definition formatting and simpleContent property naming packages/ts-xsd/src/infer/infer.ts Reformatted complex type definitions and conditional types with improved line breaks Multi-line type parameter lists and conditional type chains split for readability Changed _text property to $value in InferSimpleContentExtension for consistency with XML parser output Standardized comment formatting and removed trailing whitespace +328/-261 xml-build.test.ts Test formatting and assertion message improvements              packages/ts-xsd/tests/unit/xml-build.test.ts Reformatted test function calls with multi-line parameter lists Improved readability of complex test data structures with consistent indentation Standardized assertion message formatting and line breaks Updated test description from _text to $value to match implementation change +336/-163 interface-generator.test.ts Test formatting and schema definition improvements              packages/ts-xsd/tests/unit/interface-generator.test.ts Reformatted test function calls and schema definitions with improved line breaks Standardized indentation and spacing in complex nested object structures Updated test description from _text to $value for simpleContent handling Improved readability of assertion messages and test data +222/-112 model.ts Code formatting and error handling improvements                    packages/adk/src/base/model.ts Reformatted code for consistent indentation and line length (prettier formatting) Removed deprecated BaseModel export alias Improved error messages for lock operations (removed raw SAP response exposure) Enhanced error handling with better isNotFoundError() check for upsert fallback Split long lines and improved code readability throughout +179/-144 transport.ts Transport module formatting and readability improvements  packages/adk/src/objects/cts/transport/transport.ts Applied consistent code formatting with improved indentation Reformatted long lines for better readability Enhanced error messages in transport operations Improved XML escaping function formatting Better structured method signatures and parameter alignment +197/-116 transportmanagment.types.ts Schema type definitions indentation standardization            packages/adt-schemas/src/schemas/generated/types/sap/transportmanagment.types.ts Reformatted entire TypeScript type definition with consistent indentation Changed from 4-space to 2-space indentation for nested properties Improved readability of complex nested type structures No functional changes to the schema types +489/-489 index.ts Schema walker module formatting standardization                    packages/ts-xsd/src/walker/index.ts Applied consistent code formatting throughout the file Improved import statement formatting with proper line breaks Enhanced function signature formatting for better readability Reformatted long conditional statements and function calls Removed extra blank lines for consistency +144/-82 walker.test.ts Walker test suite formatting improvements                                packages/ts-xsd/tests/unit/walker.test.ts Applied consistent test code formatting Improved array and object literal formatting Enhanced readability of test assertions and expectations Reformatted arrow functions and method calls for consistency +132/-110 transport-import.test.ts Transport import test formatting standardization                  packages/adk/tests/transport-import.test.ts Reformatted test file with consistent indentation Improved mock object structure formatting Enhanced test assertion readability Better aligned test setup and expectations +100/-100 validation.ts Package validation module comment cleanup                                packages/adt-contracts/src/generated/adt/sap/bc/adt/packages/validation.ts Minor formatting adjustments to JSDoc comments Removed trailing whitespace from comment lines +2/-2      xml-cross-schema.test.ts Code formatting and style consistency improvements              packages/ts-xsd/tests/unit/xml-cross-schema.test.ts Reformatted test file with consistent code style: removed trailing whitespace, collapsed multi-line array/object literals to single lines where appropriate Reformatted long assertion statements to multi-line format for improved readability Fixed line continuations in complex type definitions and test assertions +170/-120 runner.ts Code formatting and import organization improvements          packages/ts-xsd/src/codegen/runner.ts Reformatted imports to multi-line format for better readability Fixed trailing whitespace and blank line consistency throughout file Reformatted long function signatures and conditional expressions to multi-line format Improved line wrapping for function calls and object literals +159/-93 build.ts Code formatting and style consistency improvements              packages/ts-xsd/src/xml/build.ts Reformatted function signatures and type annotations to multi-line format Fixed trailing whitespace and blank line consistency Improved line wrapping for complex conditional expressions and function calls Enhanced readability of nested object/array construction +154/-64 base.ts Code formatting and type definition improvements                  packages/adt-plugin-abapgit/src/lib/handlers/base.ts Reformatted type definitions and function signatures to multi-line format Fixed trailing whitespace and improved blank line consistency Enhanced readability of complex generic type parameters Improved line wrapping for long JSDoc comments and function parameters +148/-81 crud.ts Code formatting and style consistency improvements              packages/adt-contracts/src/helpers/crud.ts Reformatted function signatures and type definitions to multi-line format Fixed trailing whitespace and blank line consistency throughout file Improved line wrapping for complex conditional expressions and object spreads Enhanced readability of long JSDoc comments and parameter lists +169/-86 infer-element.test.ts Code formatting and type test improvements                              packages/ts-xsd/tests/unit/infer-element.test.ts Reformatted type test definitions to multi-line format for improved readability Fixed trailing whitespace and blank line consistency Improved line wrapping for complex type assertions and conditional types Enhanced formatting of nested schema definitions +109/-38 registry.ts Minor whitespace cleanup                                                                  packages/adt-fixtures/src/fixtures/registry.ts Fixed trailing whitespace in JSDoc comment +1/-1
Enhancement	3 files destinations.ts Config caching with configPath support from CLI context    packages/adt-cli/src/lib/utils/destinations.ts Added configPath parameter support from CLI context for config caching Implemented cache invalidation logic when configPath changes between calls Updated getConfig() to pass configPath to loadConfig() function Enhanced clearConfigCache() to also reset cachedConfigPath variable Added import for getCliContext from shared utilities +16/-3    atc.ts Add file-based object targeting and resolver plugin support packages/adt-atc/src/commands/atc.ts Added new --from-file option to run ATC on objects listed in a file (one URI per line) Refactored target handling to support multiple URIs instead of single target Added support for finding resolver plugins (built-in abapgit and external resolvers) Updated validation logic to include --from-file as a valid target option Reformatted code with improved line wrapping and consistent style +183/-61 cli.ts Remove unused commands and add config file option                packages/adt-cli/src/lib/cli.ts Removed unused command imports: outlineCommand, createTestLogCommand, createTestAdtCommand, createResearchSessionsCommand, createUnlockCommand, createLockCommand Added new lsCommand import for listing repository objects Added --config global option to specify custom config file path Updated plugin loader to accept optional configPath parameter Reformatted code with improved line wrapping and consistent style Updated comments to reflect command organization changes +22/-34
Additional files	101 files ci.yml +6/-4      export-architecture.md +34/-31  package.json +2/-14    adt.ts +12/-9    index.ts +6/-1      object-set.ts +84/-79  registry.ts +19/-18  factory.ts +77/-61  index.ts +33/-22  transport-import.ts +83/-55  transport.types.ts +16/-10  clas.model.ts +68/-48  index.ts +3/-3      devc.model.ts +53/-42  index.ts +3/-3      index.ts +1/-1      intf.model.ts +41/-29  README.md +15/-13  gitlab.ts +122/-44 sarif.ts +9/-9      index.ts +9/-3      abapgit.ts +150/-0  types.ts +48/-1    tsdown.config.ts +1/-5      package.json +1/-0      project.json +21/-0    auth-manager.ts +41/-18  index.ts +4/-8      basic.ts +5/-3      types.ts +8/-31    tsconfig.json +3/-8      tsconfig.lib.json +16/-0    tsdown.config.ts +6/-1      login.ts +27/-10  logout.ts +6/-5      status.ts +20/-16  search.ts +27/-11  create.ts +40/-21  index.ts +3/-4      list.ts +15/-6    release.ts +29/-13  set.ts +18/-8    config-set.ts +66/-27  config.ts +80/-34  discovery.ts +2/-2      get.ts +30/-12  package.ts +38/-8    transport.ts +86/-8    index.ts +1/-4      info.ts +33/-15  lock.ts +0/-26    ls.ts +243/-0  outline.ts +0/-16    get.ts +3/-2      index.ts +10/-4    research-sessions-cmd.ts +0/-26    research-sessions.ts +0/-34    search.ts +25/-10  test-adt.ts +0/-28    test-log.ts +0/-44    index.ts +0/-33    TreeConfigEditor.tsx +125/-90 auth.ts +5/-5      validation.ts +17/-10  plugin-loader.ts +68/-33  errors.ts +5/-5      mock-e2e.test.ts +8/-8      plugin-manager.ts +15/-12  registry.ts +3/-3      service.ts +118/-52 adt-client.ts +2/-0      class.ts +56/-29  discovery.ts +51/-33  interface.ts +32/-18  package.ts +31/-18  format-loader.ts +12/-6    logger-config.ts +1/-1      tsconfig.lib.json +1/-1      adapter.ts +103/-39 client.ts +11/-4    errors.ts +34/-15  index.ts +6/-12    index.ts +2/-2      transports.ts +42/-31  types.ts +0/-7      codegen.ts +13/-11  contracts.ts +44/-28  framework.ts +4/-4      index.ts +2/-2      discovery-parser.ts +69/-52  endpoint-config.ts +47/-30  extract-collections.ts +1/-1      generate-types.ts +3/-3      tsdown.config.ts +6/-1      config-loader.ts +50/-16  index.ts +9/-9      types.ts +10/-13  AGENTS.md +39/-36  content-type-mapping.ts +28/-26  enabled-endpoints.ts +7/-7      Additional files not shown

---

[qodo-code-review]

PR Compliance Guide 🔍

(Compliance updated until commit 529c192)

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
⚪	No custom compliance provided Follow the guide to enable custom compliance check.

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

---

Previous compliance checks

Compliance check up to commit e2a3978

Security Compliance
⚪	Path traversal write Description: dirPath is derived directly from coll.href (discovery XML input) and then used to build outputPath = join(outputDir, dirPath + '.ts'), which can enable path traversal (e.g., a crafted href containing ../ or absolute-path-like segments) to write generated files outside outputDir. generate-contracts.ts [1013-1055] Referred Code // Generate relative path from href (e.g., /sap/bc/adt/atc/worklists -> sap/bc/adt/atc/worklists) const dirPath = coll.href.replace(/^\//, ''); const contractName = dirPath.split('/').pop() || 'contract'; // Get endpoint config to check for CRUD mode const endpointConfig = getEndpointConfig(coll.href); const imports = importResolver(dirPath, outputDir); let code: string; let methodCount: number; if (endpointConfig?.crud) { // Generate CRUD contract using crud() helper code = generateCrudContractFile( collJson, dirPath, imports, endpointConfig, ); methodCount = 4; // get, post, put, delete console.log(' + ' + dirPath + '.ts (CRUD: get, post, put, delete)'); ... (clipped 22 lines)
	Codegen injection Description: Multiple code-generation strings embed untrusted discovery/config fields (e.g., coll.title, coll.href, coll.category.term, schema, accept, and template-derived path) into generated TypeScript without escaping, which can allow code injection into the generated .ts output if the input data contains quotes/backticks/newlines (potentially leading to execution when the generated code is compiled/run). generate-contracts.ts [336-487] Referred Code function generateMethodCode(method: EndpointMethod, indent: string): string { const { name, httpMethod, path, pathParams, queryParams, accept, contentType, requestSchema, responseSchema, description, } = method; const params: string[] = []; for (const param of pathParams) { params.push(param + ': string'); } if (queryParams.length > 0) { const queryType = queryParams.map((p) => p + '?: string').join('; '); params.push('params?: { ' + queryType + ' }'); ... (clipped 131 lines)
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
🔴	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Raw error output: New code prints the caught err object directly to the console which can expose stack traces or sensitive internal details to end users. Referred Code } catch (err) { console.error(' Error: ' + jsonFile + ':', err); } Learn more about managing compliance generic rules or creating your own custom rules
⚪

[qodo-code-review]

PR Code Suggestions ✨

Latest suggestions up to 529c192

Category	Suggestion	Impact
Possible issue	Restore context after recursion In traverseSchema, save the current context (currentSchema, source, depth) before making recursive calls and restore it afterward to prevent state corruption during traversal. packages/ts-xsd/src/xsd/traverser.ts [170-190] private traverseSchema( schema: Schema, source: NodeSource, depth: number, ): void { if (this.visited.has(schema)) return; if (depth > this.options.maxDepth) return; + + const prevSchema = this.currentSchema; + const prevSource = this.source; + const prevDepth = this.depth; this.visited.add(schema); this.currentSchema = schema; this.source = source; this.depth = depth; this.onEnterSchema(schema); this.traverseSchemaChildren(schema); this.traverseRedefines(schema); this.traverseOverrides(schema); this.traverseIncludes(schema, depth); this.traverseImports(schema, depth); + + // Ensure leave callbacks observe the correct context for `schema` + this.currentSchema = schema; + this.source = source; + this.depth = depth; this.onLeaveSchema(schema); + + this.currentSchema = prevSchema; + this.source = prevSource; + this.depth = prevDepth; } [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 9 __ Why: This suggestion correctly identifies a critical bug in the recursive traversal logic where the context (this.currentSchema, this.source, this.depth) is overwritten by nested calls, leading to incorrect state in the onLeaveSchema callback and for subsequent processing in the parent schema.	High
	Reset state between traversals In the traverse method, reset the visited set at the beginning of each run to ensure that reusing the same traverser instance does not lead to incorrect, state-contaminated results. packages/ts-xsd/src/xsd/traverser.ts [103-110] traverse(schema: Schema, options: TraverseOptions = {}): this { this.rootSchema = schema; this.currentSchema = schema; this.source = 'direct'; this.depth = 0; this.options = { includeImports: options.includeImports ?? true, includeIncludes: options.includeIncludes ?? true, maxDepth: options.maxDepth ?? Infinity, }; + + // Reset per-run state so instances can be reused safely + this.visited.clear(); this.traverseSchema(schema, 'direct', 0); return this; } [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 9 __ Why: This suggestion correctly identifies a critical flaw where the SchemaTraverser instance is not reset, causing state from previous runs to leak into subsequent traversals. Adding this.visited.clear() is essential for ensuring the traverser can be reused correctly.	High
	Prevent false failure on empty output Normalize the interfaces variable to an empty string if it is undefined to prevent the test from failing on legitimate empty output from generateInterfaces(). packages/ts-xsd/tests/integration/abapgit-doma.test.ts [512-538] -const { code: interfaces } = generateInterfaces(linkedSchema, { +const { code } = generateInterfaces(linkedSchema, { addJsDoc: true, }); +const interfaces = code ?? ''; ... writeFileSync( join(linkedInterfacesDir, 'interfaces.ts'), interfaces || '// No interfaces generated', ); console.log(`Written to: ${join(linkedInterfacesDir, 'interfaces.ts')}`); ... assert.ok(typeof interfaces === 'string', 'Should return a string'); [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies a flaw in the test logic where an expected undefined return value would cause a test failure, and the proposed fix makes the test more robust.	Low
General	Avoid false positives in import check Replace the !content.includes('import ') check with a more specific regex, !/^import\s+/m.test(content), to avoid false failures from matching "import " in non-import contexts. packages/ts-xsd/tests/integration/abapgit-doma.test.ts [259-262] assert.ok( - !content.includes('import '), + !/^import\s+/m.test(content), 'RESOLVED should NOT have TypeScript imports', ); [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 5 __ Why: The suggestion correctly points out a potential for false positives in the test assertion and provides a more precise regex to make the test more reliable.	Low
	Reduce excessive test logging Gate the console.log(content) statement behind an environment variable like DEBUG_XSD_TESTS to prevent bloating CI logs with large file contents. packages/ts-xsd/tests/integration/abapgit-doma.test.ts [247-248] console.log('\n=== RESOLVED doma.ts content ==='); -console.log(content); +if (process.env.DEBUG_XSD_TESTS) { + console.log(content); +} else { + console.log(`[content omitted; ${content.length} chars]`); +} [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 4 __ Why: This is a good practice for maintaining clean and efficient CI logs by making verbose debugging output conditional, which improves test suite maintainability.	Low
More

---

Previous suggestions

Suggestions up to commit e2a3978

Category	Suggestion	Impact
Security	Sanitize resolver name to prevent path traversal Add validation to the name variable from the --resolver argument before using it in a dynamic import() to prevent a path traversal security vulnerability. packages/adt-atc/src/commands/atc.ts [419-434] try { + // Security: Prevent path traversal attacks. Only allow valid package names. + if (name.includes('.') || name.includes('/')) { + throw new Error('Invalid resolver name. Must be a valid package name.'); + } ctx.logger.info(`📂 Loading external resolver: ${name}`); const mod = await import(name); if (typeof mod.createFindingResolver === 'function') { resolver = mod.createFindingResolver(); } else { ctx.logger.warn( `⚠️ Module ${name} does not export createFindingResolver()`, ); } } catch (e) { ctx.logger.warn( `⚠️ Failed to load resolver "${name}": ${e instanceof Error ? e.message : e}`, ); } Suggestion importance[1-10]: 10 __ Why: The suggestion correctly identifies and fixes a critical path traversal security vulnerability in the newly added --resolver feature, preventing potential arbitrary code execution.	High
Possible issue	Prevent returning incorrect task data Improve task data retrieval by throwing an error if a task with a matching number is not found, instead of incorrectly falling back to the first task in the array. packages/adk/src/objects/cts/transport/transport.ts [611-620] protected get itemData(): TransportRequestData { // For a task, the data is in the 'task' array, not the root 'request' const rootTask = this.response.task; if (rootTask) { const taskArr = Array.isArray(rootTask) ? rootTask : [rootTask]; - const found = taskArr.find((t) => t.number === this.name) || taskArr[0]; - if (found) return found as unknown as TransportRequestData; + const found = taskArr.find((t) => t.number === this.name); + if (found) { + return found as unknown as TransportRequestData; + } + // If the task is not found by its number, it's a data inconsistency. + // Falling back to the first task would be incorrect. + throw new Error(`Task data for '${this.name}' not found in the response.`); } return this.response.request || ({} as TransportRequestData); } Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies a potential bug where the code could return data for the wrong task, and proposes a robust fix by throwing an error instead of silently failing.	Medium
	Add error handling around file read Add a try/catch block around the readFileSync call to gracefully handle potential file read errors for the --from-file option. packages/adt-atc/src/commands/atc.ts [304-309] -const { readFileSync } = await import('fs'); -const fileContent = readFileSync(options.fromFile, 'utf-8'); -const targetUris = fileContent - .split('\n') - .map((line) => line.trim()) - .filter((line) => line && !line.startsWith('#')); // Skip empty lines and comments +let targetUris: string[]; +try { + const { readFileSync } = await import('fs'); + const fileContent = readFileSync(options.fromFile, 'utf-8'); + targetUris = fileContent + .split('\n') + .map((line) => line.trim()) + .filter((line) => line && !line.startsWith('#')); // Skip empty lines and comments +} catch (err) { + ctx.logger.error( + `❌ Failed to read file ${options.fromFile}: ${err instanceof Error ? err.message : err}`, + ); + process.exit(1); +} Suggestion importance[1-10]: 7 __ Why: The suggestion correctly adds necessary error handling for file I/O, which prevents the application from crashing and improves robustness for the new --from-file feature.	Medium

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 529c192

Command	Status	Duration	Result
nx affected -t lint test build e2e-ci --verbose...	✅ Succeeded	1m 25s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-02-27 14:28:30 UTC