-
Notifications
You must be signed in to change notification settings - Fork 1
Plugin Development
The sap-dev AI Skill supports dynamic, on-demand extensibility through Standalone Plugins. Plugins are project-local scripts (Node.js, Python, Bash, etc.) residing directly in your workspace. They allow the agent to execute complex multi-step routines, custom function modules, or OData integrations on the target SAP backend under a secure execution context.
Unlike built-in MCP tools, plugins execute in their own isolated OS child processes. The sap-bridge daemon manages their execution life cycle and exposes secure loopback endpoints that the plugin script can use to call back into the active SAP connection.
Plugins live under the .agents/skills/ directory in your active workspace:
your-workspace/
├── .sap_credentials.json <-- Secured project vault (contains workspace signing key)
└── .agents/
└── skills/
└── sap-echo/ <-- Plugin directory
├── sap-dev-plugin.json <-- Metadata & description
├── SKILL.md <-- End-agent execution instructions
├── echo_call.js <-- Script entrypoint
└── .sap-dev.sig <-- Cryptographic verification signature
-
Runner Invocation: The AI Agent invokes the plugin script using the
sap_execute_pluginMCP tool. -
Ephemeral Context Injection: The daemon generates a short-lived execution token (
SAP_BRIDGE_TOKEN) and injects it (along with the daemon base URL and System ID) into the script's environment. -
Loopback Requests: The script uses standard HTTP calls to query the daemon's loopback endpoints (
/api/guarded/rpc,/api/guarded/request, or/api/guarded/sql), authenticating requests using the Bearer token. - Guard Evaluation: The daemon validates the Bearer token, automatically resolves the associated workspace, system connection, and enforces security policies (API and Object Guards) before forwarding the request to the SAP backend.
The following Mermaid diagram maps out the communication flow between the agent, the bridge daemon, the executed plugin process, and the SAP backend:
sequenceDiagram
autonumber
actor Agent as AI Agent
participant Daemon as sap-bridge Daemon
participant Script as Plugin Process (Node/Python)
participant SAP as SAP Backend
Agent->>Daemon: Call sap_execute_plugin (Plugin: sap-echo)
Note over Daemon: Verify signature (.sap-dev.sig)<br/>OR check Developer Mode
rect rgba(0, 150, 255, 0.05)
Note over Daemon: Generate ephemeral SAP_BRIDGE_TOKEN
Daemon->>Script: Launch child process (Injected Tokens & Env)
Script->>Daemon: POST /api/guarded/rpc (Bearer Token + Payload)
Note over Daemon: Validate token & workspace context<br/>Enforce API & Object Guards
Daemon->>SAP: Execute RFC/ADT Request via active connection
SAP-->>Daemon: Return raw SAP response
Daemon-->>Script: Return JSON response
Script->>Script: Format output
Script-->>Daemon: Exit process (write stdout JSON)
end
Daemon-->>Agent: Return execution result
For details on enabling plugins, calculating HMAC-SHA256 signatures (.sap-dev.sig), toggling Developer Mode, and auditing script file access scopes, please refer to the high-level Extensibility portal page.
The SAP Echo plugin serves as the standard reference implementation:
- Purpose: Acts as a loopback test connectivity plugin.
-
Implementation: Reads inputs from
stdin, executes the standard RFC Function ModuleSTFC_CONNECTIONvia/api/guarded/rpc, and writes the echotext result back to stdout. -
Security Profile: Declares
STFC_CONNECTIONin itsrequired_permissionsarray, routing permission checks through the Object Guard to request approval before running.
For detailed developer specifications, typescript schemas, reference implementation code blocks, and backend extension redefinitions (ZCL_SAP_DEV_RPC_EXT), please refer to the agent-centric developer manual:
👉 PLUGIN_GUIDE.md inside the skill references directory.