fix(sap_s4hana): scope CSRF metadata fetch and isolate token cache by secret

- buildOdataUrl skips request query params when called with an internal
  pathOverride so the /$metadata CSRF probe never carries user OData
  options ($filter, $top, $select), which were causing write operations
  through the generic odata_query tool to fail.
- tokenCacheKey now mixes a sha256 hash of clientSecret into the cache
  key so two tenants sharing the same tokenUrl + clientId but different
  secrets get isolated entries (no cross-tenant token leak).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/tools/sap_s4hana/proxy/route.ts

@@ -1,3 +1,4 @@
+import { createHash } from 'node:crypto'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
@@ -277,7 +278,10 @@ function resolveTokenUrl(req: ProxyRequest): string {
 }
 
 function tokenCacheKey(req: ProxyRequest): string {
-  return `${resolveTokenUrl(req)}::${req.clientId ?? ''}`
+  const secretHash = req.clientSecret
+    ? createHash('sha256').update(req.clientSecret).digest('hex').slice(0, 16)
+    : ''
+  return `${resolveTokenUrl(req)}::${req.clientId ?? ''}::${secretHash}`
 }
 
 function rememberToken(key: string, token: CachedToken): void {
@@ -402,6 +406,9 @@ function buildOdataUrl(req: ProxyRequest, pathOverride?: string): string {
   const normalized = subPath.startsWith('/') ? subPath : `/${subPath}`
   const base = `${host}${servicePath}${normalized}`
 
+  if (pathOverride !== undefined) {
+    return base
+  }
   if (!req.query || Object.keys(req.query).length === 0) {
     return base
   }