# ERPforgeAI — SAP Extractor Programs (read-only, MIT)

Tiny, **read-only** ABAP reports (and one Oracle SQL script) that a customer's
own SAP developer runs to produce a **metadata** export for an ERPforgeAI audit.
You install nothing permanent, grant ERPforgeAI no system access, and nothing
leaves your system unless **you** export it.

> **Structure, never contents.** These programs read SAP *metadata* — table and
> field *definitions*, function-module signatures, class interfaces, release/SP
> levels, object existence, table *sizes*. They never read table rows, master
> data, documents, or any business / personal data.

## What each program does

| Program | Reads (metadata only) | Audit path | Lines |
|---|---|---|---|
| `Z_ERPFORGE_00_QUICKSCAN.txt` | Release/kernel/SP + repository-size triage, ABAP feature support (CVERS) | First contact (all) | ~467 |
| `Z_ERPFORGE_01_STECKBRIEF.txt` | Release, kernel, SP, 14 ABAP language features (SYNTAX-CHECK), CVERS, table existence (DD02L), FM availability (TFDIR) | First contact (all) | ~555 |
| `Z_ERPFORGE_02_EXPORT.txt` | Repository metadata: table/structure/field defs, FM signatures, BAPIs, class interfaces, transactions, packages, where-used (DDIC + TADIR) | Custom-Code | ~778 |
| `Z_ERPFORGE_03_FORMS_INVENTORY.txt` | Form inventory: SAPscript/SmartForms/Adobe/NACE names, types, package, element counts (TADIR + form dictionaries) | Forms | ~398 |
| `Z_ERPFORGE_04_TABLE_INVENTORY.txt` | Per-table size metadata via ADBC (row counts, storage) + table names (DD02L) | DB-Volume | ~185 |
| `Z_ERPFORGE_04_DD_DUMP.txt` | Pre-flight DDIC metadata for code generation: DD03L/DD04T field defs, TADIR object-type counts | Code-gen pre-flight | ~591 |
| `oracle_table_inventory.sql` | Per-table row counts + storage from Oracle dictionary views (SELECT only) | DB-Volume (Oracle) | ~93 |

## What they do NOT do (verified, applies to every program)

- **No** `UPDATE` / `INSERT` / `MODIFY` / `DELETE` on database tables — read-only.
- **No** RFC, **no** `DESTINATION`, **no** network or internet call.
- **No** server-side file write, **no** `OPEN DATASET` / `TRANSFER`, **no** `SUBMIT`,
  **no** `CALL TRANSACTION`, **no** `COMMIT WORK`.
- **No** business data / table rows / master data / PII is read.
- Output is **metadata only**, shown on screen for the developer to review and
  download. The program is transient — delete it after extraction.

## Verify before you run (under a minute)

1. Open the `.txt` — the governance header at the top states exactly what it
   reads and what it does not do.
2. Check the checksum against [`CHECKSUMS.sha256`](./CHECKSUMS.sha256):
   - Linux/macOS: `sha256sum -c CHECKSUMS.sha256`
   - Windows PowerShell: `Get-FileHash Z_ERPFORGE_00_QUICKSCAN.txt -Algorithm SHA256`
3. If a hash does not match, **do not run it** — re-download and report to
   `security@erpforgeai.de`.

## For your change/compliance team

A ready-to-attach one-page memo is in
[`./GOVERNANCE-MEMO.md`](./GOVERNANCE-MEMO.md): "transient read-only
analysis utility, no business-data access, source + checksum published, delete
after extraction."

## License

MIT — see [`LICENSE`](./LICENSE). Use, read, audit, and modify freely.