Skip to content

Jiandong Pei

Independent SAP BTP Architect — Boundary Model

AI-Generated Extensions on SAP BTP

#A004 — 2025-12-15

TL;DR

SAP Build Code and its AI copilot Joule can generate a full CAP-based S/4HANA extension in minutes.

But success in production is not about how fast code is generated —
it is about whether boundaries hold.

Key points this article makes:

  • Identity, integration, data, lifecycle, and runtime are tenant-scoped by design on BTP.
  • Joule improves safety and DX by calling tested builder APIs — not by inventing YAML.
  • MTA artifacts produced inside Build Code are generated through the audited Project API I helped build.
  • External models may create working code, but they don’t carry platform context, governance, or risk awareness.
  • AI must be constrained; only then can it accelerate safely.

If you assume otherwise, you will build something that runs —
until you try to scale it, audit it, upgrade it, or onboard a new tenant.

0. Why I Look at BTP Through an Extension Builder’s Boundary Model

When implementing Joule integration inside Build Code, our team realized early:

The value of AI in an enterprise platform is not model IQ.
It is context literacy + governance surface + tested workers.

Unlike generic assistants, Joule runs inside the project space, parsing real project structure, runtime semantics, identity bindings, and destination contracts, then calling the Project API / Agent workers to generate artifacts.

This is not theory.
This is simply how it works — and why it was engineered this way.

1. The Six Boundaries of a Clean Core Extension

A clean-core S/4 extension on BTP must respect:

1. Runtime Boundary

CF, Kyma, Work Zone, AppRouter, HDI:
separate runtimes, separate responsibilities, no interchangeability assumptions.

2. Identity Boundary

IAS → XSUAA → AppRouter → CAP → S/4:
tenant-scoped JWT propagation, role checks, principal propagation, no generic service user shortcuts.

3. Tenant Boundary

Subaccount / subdomain is the tenant substrate:
routing, onboarding, entitlements, quotas, identity scope: tenant-strict even if you only have one customer today.

4. Data Boundary

S/4 is system of record:
CAP / HDI store extension data only. Replication is a contract, not a replacement for truth.

5. Integration Boundary

Destination-first, API-released, broker-managed:
integration is encrypted, abstracted, auditable, and environment-resilient.

6. Lifecycle Boundary

Deploy → subscribe → migrate → rollback → deprovision:
lifecycle must hold. Generation is the beginning, not the end.

2. The Missing Part SAP Docs Don’t Talk About

AI-Generated Code Fails at Boundaries, Not Syntax

Ask any architect doing real BTP reviews:

Projects don’t fail because CDS was invalid, or UI5 wouldn’t compile.

They fail because someone crossed the line and no one noticed early enough:

  • shadow DB copy
  • missing token context
  • direct core DB write
  • ungoverned endpoint calls
  • unaudited credentials

AI copilots can magnify these risks, because they optimize for:

“give me code that works now”

not:

“give me an extension that survives 10 years of upgrades, legal isolation, and tenant scale-out.”

You don’t fix these by asking for a better model.
You fix these by reinforcing boundaries explicitly.

3. Why Joule Is a Different Kind of Copilot

It Calls Whitelisted, Tested, Audited Builder Workers

This is the part that most developers outside SAP simply can’t observe.

3.1 MTA Is Generated on BTP Through Tested Project APIs

Not invented by AI.
Injected by builder APIs.

When generating MTA extensions inside SAP Build Code, Joule does not directly produce YAML arbitrarily.

It calls the Project API / Agent workers embedded inside Build Code:

  • CAP project scaffolding
  • Destination wiring
  • HDI isolation descriptors
  • Subscription onboarding workers
  • Deployment descriptor generation
  • MTA lifecycle workers

The Project API used to generate mta.yaml is the same subsystem my team implemented inside Build Code.

These artifacts have been:

  • tested against real Global Accounts
  • run through security scans
  • audited in architectural reviews
  • executed in countless test–deploy–subscribe cycles
  • refined to avoid shadow DB and direct table writes
  • enforced at the proxy / runtime level to prefer released APIs

Claude / GPT / Codex might produce YAML that looks correct sometimes, but:

  • they cannot parse your real BTP runtime or bindings
  • they cannot whitelist released APIs from your import
  • they cannot call into Project API / Agents
  • they cannot reason about tenant onboarding lifecycle
  • they cannot guarantee non-destructive or upgrade-compliant generation

Generic models produce code.
SAP builder APIs produce extensions’ lifecycle substrates.

Joule calls the latter, not the former.

That difference matters in a clean-core landscape.

3.2 Identity Propagation Isn’t an AI Feature

It’s a Tenant-Scoped Trust Contract

AI must forward it, but humans must design it.

Joule can accelerate identity-respecting code when the project already contains:

  • XSUAA service binding
  • Trust configuration
  • Tenant-aware AppRouter
  • Destinations referencing released S/4 service users with minimal scopes
  • Principal propagation libraries or token forwarding middleware
  • @requires role annotations at CAP service level

But if the boundary model is not explicit in prompts, AI may still propose:

  • “just use a technical user and password”
  • “call this URL directly to simplify”
  • “store customer master data locally for convenience”
  • “give the backend admin-like privileges so 403 goes away”

None of that is a model failure.
That is a boundary overstep.

And the only fix is governance.

4. Work Zone: The Most Misunderstood Boundary

It Is Not the ERP Launchpad

It Is the Tenant-Aware Front-End Runtime

Architects sometimes overlook this:

  • Work Zone tiles are tenant-scoped
  • Navigation and routing are mediated through AppRouter
  • Site permissions require role collection mapping
  • Identity propagation begins at subdomain

If an extension integrates with Work Zone, it must be multitenant — even if it has only one consuming S/4 customer today.

There is no “Work Zone single tenant mode.”

This is not complexity.
This is consistency.

5. Governance, Auditability, and the Future Battlefield of Enterprise AI on BTP

Two facts architects must accept at the same time:

  1. Yes, generative AI will define the future of SAP extension development.
  2. No, it will not define the architecture. Boundaries will.

What will matter 5–10 years from now is not:

  • who generated the longest YAML
  • who created the most complex CDS schema
  • who glued together 10 services in a single project

It will be:

  • who generated upgrade-safe, tenant-isolated, auditable, least-privilege, rollback-safe extensions
  • who enforced identity and connectivity indirection layers
  • who treated tenant as the atomic architectural unit
  • who ensured AI cannot overstep even when developers don’t know what to ask

In the far future, SAP will certainly invest more in:

  • compliance-aware generation surfaces
  • identity-strict propagation defaults
  • intelligent audit alerts for generated artifacts
  • stricter runtime barriers for connectivity leakage
  • lifecycle workers extended to AI-assisted planning
  • AI auditing agents

But even then, the rules will be the same:

Enterprise platforms can deploy slower.
They cannot fail at boundaries.

This is where SAP Joule will continue to evolve —
as the contract-covered, audit-visible, tenant-literate, builder-API-driven AI entry surface for extension development.

Not the smartest model.
The model with the clearest red lines.

6. Final Takeaways for Modern BTP Architects

  • Do not ask AI to “generate a system” — ask AI to generate an extension inside approved boundaries.
  • Let the platform produce lifecycle artifacts — do not let the model freestyle them.
  • Never trade identity context for early functional success.
  • Never trade encrypted integration surfaces for faster prototypes.
  • Never trade tenant isolation for developer convenience.
  • Choose CAP unless the use case forces you not to — it is the only model aligned to tenant scale-out and audit-aware lifecycle.
  • AI is an accelerator. Boundaries are the architecture.

If this article helps teams understand that difference,
then it has done the job no official documentation will ever proudly do on its own.

— Jiandong

Source

LinkedIn : https://www.linkedin.com/pulse/ai-generated-extensions-sap-btp-why-architecture-matters-jiandong-pei-qqb5c/

Next