Skip to content

Plugin Development

stud0709 edited this page Jul 5, 2026 · 2 revisions

Plugin Development & Extensibility

The sap-dev AI Skill supports dynamic, on-demand extensibility through Standalone Plugins. Plugins are project-local scripts (Node.js, Python, Bash, etc.) residing directly in your workspace. They allow the agent to execute complex multi-step routines, custom function modules, or OData integrations on the target SAP backend under a secure execution context.


1. System Integration: How it Works

Unlike built-in MCP tools, plugins execute in their own isolated OS child processes. The sap-bridge daemon manages their execution life cycle and exposes secure loopback endpoints that the plugin script can use to call back into the active SAP connection.

Directory Structure

Plugins live under the .agents/skills/ directory in your active workspace:

your-workspace/
├── .sap_credentials.json     <-- Secured project vault (contains workspace signing key)
└── .agents/
    └── skills/
        └── sap-echo/         <-- Plugin directory
            ├── sap-dev-plugin.json  <-- Metadata & description
            ├── SKILL.md             <-- End-agent execution instructions
            ├── echo_call.js         <-- Script entrypoint
            └── .sap-dev.sig         <-- Cryptographic verification signature

Secured Loopback Mechanism

  1. Runner Invocation: The AI Agent invokes the plugin script using the sap_execute_plugin MCP tool.
  2. Ephemeral Context Injection: The daemon generates a short-lived execution token (SAP_BRIDGE_TOKEN) and injects it (along with the daemon base URL and System ID) into the script's environment.
  3. Loopback Requests: The script uses standard HTTP calls to query the daemon's loopback endpoints (/api/guarded/rpc, /api/guarded/request, or /api/guarded/sql), authenticating requests using the Bearer token.
  4. Guard Evaluation: The daemon validates the Bearer token, automatically resolves the associated workspace, system connection, and enforces security policies (API and Object Guards) before forwarding the request to the SAP backend.

2. Secure Data Flow

The following Mermaid diagram maps out the communication flow between the agent, the bridge daemon, the executed plugin process, and the SAP backend:

sequenceDiagram
    autonumber
    actor Agent as AI Agent
    participant Daemon as sap-bridge Daemon
    participant Script as Plugin Process (Node/Python)
    participant SAP as SAP Backend

    Agent->>Daemon: Call sap_execute_plugin (Plugin: sap-echo)
    Note over Daemon: Verify signature (.sap-dev.sig)<br/>OR check Developer Mode
    
    rect rgba(0, 150, 255, 0.05)
        Note over Daemon: Generate ephemeral SAP_BRIDGE_TOKEN
        Daemon->>Script: Launch child process (Injected Tokens & Env)
        
        Script->>Daemon: POST /api/guarded/rpc (Bearer Token + Payload)
        Note over Daemon: Validate token & workspace context<br/>Enforce API & Object Guards
        
        Daemon->>SAP: Execute RFC/ADT Request via active connection
        SAP-->>Daemon: Return raw SAP response
        
        Daemon-->>Script: Return JSON response
        Script->>Script: Format output
        Script-->>Daemon: Exit process (write stdout JSON)
    end
    
    Daemon-->>Agent: Return execution result
Loading

3. Extensibility Dashboard & Security

For details on enabling plugins, calculating HMAC-SHA256 signatures (.sap-dev.sig), toggling Developer Mode, and auditing script file access scopes, please refer to the high-level Extensibility portal page.


4. Reference Case Study: "SAP Echo"

The SAP Echo plugin serves as the standard reference implementation:

  • Purpose: Acts as a loopback test connectivity plugin.
  • Implementation: Reads inputs from stdin, executes the standard RFC Function Module STFC_CONNECTION via /api/guarded/rpc, and writes the echotext result back to stdout.
  • Security Profile: Declares STFC_CONNECTION in its required_permissions array, routing permission checks through the Object Guard to request approval before running.

5. Technical Specifications

For detailed developer specifications, typescript schemas, reference implementation code blocks, and backend extension redefinitions (ZCL_SAP_DEV_RPC_EXT), please refer to the agent-centric developer manual:

👉 PLUGIN_GUIDE.md inside the skill references directory.

Clone this wiki locally