@mcp-abap-adt/connection 1.8.0 → 1.9.0

package/dist/auth/FileCertificateMaterialLoader.d.ts

@@ -0,0 +1,5 @@
+import type { ICertificateMaterial, ICertificateMaterialLoader, ISapConfig } from '@mcp-abap-adt/interfaces';
+export declare class FileCertificateMaterialLoader implements ICertificateMaterialLoader {
+    load(config: ISapConfig): Promise<ICertificateMaterial>;
+}
+//# sourceMappingURL=FileCertificateMaterialLoader.d.ts.map

package/dist/auth/FileCertificateMaterialLoader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"FileCertificateMaterialLoader.d.ts","sourceRoot":"","sources":["../../src/auth/FileCertificateMaterialLoader.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,oBAAoB,EACpB,0BAA0B,EAC1B,UAAU,EACX,MAAM,0BAA0B,CAAC;AAElC,qBAAa,6BACX,YAAW,0BAA0B;IAE/B,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAyB9D"}

package/dist/auth/FileCertificateMaterialLoader.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileCertificateMaterialLoader = void 0;
+const promises_1 = require("node:fs/promises");
+class FileCertificateMaterialLoader {
+    async load(config) {
+        const hasPem = !!(config.certPath || config.certKeyPath); // any PEM-style field present
+        const hasPfx = !!config.certPfxPath;
+        if (hasPem && hasPfx) {
+            throw new Error('Certificate auth: provide either PEM (certPath+certKeyPath) OR certPfxPath, not both.');
+        }
+        if (hasPfx) {
+            return {
+                pfx: await (0, promises_1.readFile)(config.certPfxPath),
+                passphrase: config.certPassphrase,
+            };
+        }
+        if (config.certPath && config.certKeyPath) {
+            return {
+                cert: await (0, promises_1.readFile)(config.certPath),
+                key: await (0, promises_1.readFile)(config.certKeyPath),
+                passphrase: config.certPassphrase,
+            };
+        }
+        throw new Error('Certificate auth requires certPfxPath OR (certPath AND certKeyPath).');
+    }
+}
+exports.FileCertificateMaterialLoader = FileCertificateMaterialLoader;

package/dist/auth/kerberosSpnego.d.ts

@@ -0,0 +1,3 @@
+/** Thin, lazily-loaded wrapper over the optional `kerberos` native package. */
+export declare function generateSpnegoToken(spn: string): Promise<string>;
+//# sourceMappingURL=kerberosSpnego.d.ts.map

package/dist/auth/kerberosSpnego.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kerberosSpnego.d.ts","sourceRoot":"","sources":["../../src/auth/kerberosSpnego.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBtE"}

package/dist/auth/kerberosSpnego.js

@@ -0,0 +1,56 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSpnegoToken = generateSpnegoToken;
+/** Thin, lazily-loaded wrapper over the optional `kerberos` native package. */
+async function generateSpnegoToken(spn) {
+    // optional peer dep; typed as any because the module/types may be absent
+    let kerberos;
+    try {
+        // @ts-expect-error optional peer dependency — module may be absent at build time (TS2307)
+        kerberos = await Promise.resolve().then(() => __importStar(require('kerberos')));
+    }
+    catch {
+        throw new Error('Kerberos authentication requires the optional "kerberos" package. ' +
+            'Install it (needs GSSAPI dev libs on Linux / build tools on Windows): npm i kerberos');
+    }
+    const client = await kerberos.initializeClient(spn, {});
+    await client.step('');
+    const token = client.response;
+    if (!token) {
+        throw new Error('Kerberos: no SPNEGO token produced (no TGT? run kinit, or check SPN).');
+    }
+    return token;
+}

package/dist/config/sapConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sapConfig.d.ts","sourceRoot":"","sources":["../../src/config/sapConfig.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACX,iBAAiB,EAClB,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,CAAC;AAC/C,MAAM,MAAM,SAAS,GAAG,UAAU,CAAC;AAEnC,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAuB7D"}
+{"version":3,"file":"sapConfig.d.ts","sourceRoot":"","sources":["../../src/config/sapConfig.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,UAAU,EACV,WAAW,EACX,iBAAiB,EAClB,MAAM,0BAA0B,CAAC;AAGlC,YAAY,EAAE,WAAW,EAAE,iBAAiB,EAAE,CAAC;AAC/C,MAAM,MAAM,SAAS,GAAG,UAAU,CAAC;AAEnC,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CA4B7D"}

package/dist/config/sapConfig.js

@@ -22,5 +22,10 @@ function sapConfigSignature(config) {
         jwtToken: jwtTokenPreview,
         refreshToken: refreshTokenPreview,
         sessionCookies: sessionCookiesPreview,
+        certPath: config.certPath ?? null,
+        certKeyPath: config.certKeyPath ?? null,
+        certPfxPath: config.certPfxPath ?? null,
+        certPassphrase: config.certPassphrase ? 'set' : null,
+        kerberosSpn: config.kerberosSpn ?? null,
     });
 }

package/dist/connection/AbstractAbapConnection.d.ts

@@ -81,8 +81,21 @@ declare abstract class AbstractAbapConnection implements AbapConnection {
     protected getCookies(): string | null;
     protected setInitialCookies(cookies: string): void;
     private updateCookiesFromResponse;
+    /**
+     * Subclasses override to inject extra https.Agent options (e.g. mTLS cert/key/pfx).
+     * The returned options are merged with the base options (rejectUnauthorized).
+     */
+    protected getHttpsAgentOptions(): import('node:https').AgentOptions;
     private getAxiosInstance;
     private ensureFreshCsrfToken;
+    /**
+     * Clear SAP-side session state when SAP rejects the cached CSRF token + session
+     * cookies (HTTP 401 on a mutation while a cached token exists). This forces the
+     * next request path to fetch a fresh token and a fresh SAP_SESSIONID cookie.
+     *
+     * Distinct from reset(): this leaves the axios instance and interceptors in place.
+     */
+    private invalidateSession;
     private shouldRetryCsrf;
 }
 export { AbstractAbapConnection };

package/dist/connection/AbstractAbapConnection.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AbstractAbapConnection.d.ts","sourceRoot":"","sources":["../../src/connection/AbstractAbapConnection.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,YAAY,EAAkB,MAAM,0BAA0B,CAAC;AAM7E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAG9E,uBAAe,sBAAuB,YAAW,cAAc;IAW3D,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI;IAX3C,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,OAAO,CAAuB;IACtC,OAAO,CAAC,WAAW,CAAkC;IACrD,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,WAAW,CAAyC;IAC5D,OAAO,CAAC,eAAe,CAAU;IAEjC,SAAS,aACU,MAAM,EAAE,SAAS,EACf,MAAM,EAAE,OAAO,GAAG,IAAI,EACzC,SAAS,CAAC,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAE;IAqBzC;;;;;;;;;;;OAWG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,WAAW,GAAG,IAAI;IAUpD;;OAEG;IACH,cAAc,IAAI,WAAW,GAAG,UAAU;IAI1C;;;OAGG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAKrC;;OAEG;IACH,YAAY,IAAI,MAAM,GAAG,IAAI;IAI7B,SAAS,IAAI,SAAS;IAItB,KAAK,IAAI,IAAI;IAYP,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAI7B,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAevD;;;;;;;;OAQG;IACH,QAAQ,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAE3B,cAAc,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,GAAG,EACnC,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IA4P9B,SAAS,CAAC,QAAQ,CAAC,wBAAwB,IAAI,MAAM;IAErD;;;OAGG;cACa,cAAc,CAC5B,GAAG,EAAE,MAAM,EACX,UAAU,GAAE,MAAgC,EAC5C,UAAU,GAAE,MAAgC,GAC3C,OAAO,CAAC,MAAM,CAAC;IA2ClB;;OAEG;YACW,0BAA0B;IAsKxC;;OAEG;IACH,SAAS,CAAC,YAAY,IAAI,MAAM,GAAG,IAAI;IAIvC;;OAEG;IACH,SAAS,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAIlD;;OAEG;IACH,SAAS,CAAC,UAAU,IAAI,MAAM,GAAG,IAAI;IAIrC,SAAS,CAAC,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAIlD,OAAO,CAAC,yBAAyB;IAkEjC,OAAO,CAAC,gBAAgB;YAqBV,oBAAoB;IAiClC,OAAO,CAAC,eAAe;CA+BxB;AAGD,OAAO,EAAE,sBAAsB,EAAE,CAAC"}
+{"version":3,"file":"AbstractAbapConnection.d.ts","sourceRoot":"","sources":["../../src/connection/AbstractAbapConnection.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,YAAY,EAAkB,MAAM,0BAA0B,CAAC;AAM7E,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,OAAO,KAAK,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAG9E,uBAAe,sBAAuB,YAAW,cAAc;IAW3D,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI;IAX3C,OAAO,CAAC,aAAa,CAA8B;IACnD,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,OAAO,CAAuB;IACtC,OAAO,CAAC,WAAW,CAAkC;IACrD,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,WAAW,CAAyC;IAC5D,OAAO,CAAC,eAAe,CAAU;IAEjC,SAAS,aACU,MAAM,EAAE,SAAS,EACf,MAAM,EAAE,OAAO,GAAG,IAAI,EACzC,SAAS,CAAC,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAE;IAqBzC;;;;;;;;;;;OAWG;IACH,cAAc,CAAC,IAAI,EAAE,UAAU,GAAG,WAAW,GAAG,IAAI;IAUpD;;OAEG;IACH,cAAc,IAAI,WAAW,GAAG,UAAU;IAI1C;;;OAGG;IACH,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAKrC;;OAEG;IACH,YAAY,IAAI,MAAM,GAAG,IAAI;IAI7B,SAAS,IAAI,SAAS;IAItB,KAAK,IAAI,IAAI;IAYP,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAI7B,cAAc,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAevD;;;;;;;;OAQG;IACH,QAAQ,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAE3B,cAAc,CAAC,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,GAAG,EACnC,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IA+R9B,SAAS,CAAC,QAAQ,CAAC,wBAAwB,IAAI,MAAM;IAErD;;;OAGG;cACa,cAAc,CAC5B,GAAG,EAAE,MAAM,EACX,UAAU,GAAE,MAAgC,EAC5C,UAAU,GAAE,MAAgC,GAC3C,OAAO,CAAC,MAAM,CAAC;IA2ClB;;OAEG;YACW,0BAA0B;IAsKxC;;OAEG;IACH,SAAS,CAAC,YAAY,IAAI,MAAM,GAAG,IAAI;IAIvC;;OAEG;IACH,SAAS,CAAC,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAIlD;;OAEG;IACH,SAAS,CAAC,UAAU,IAAI,MAAM,GAAG,IAAI;IAIrC,SAAS,CAAC,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAIlD,OAAO,CAAC,yBAAyB;IAkEjC;;;OAGG;IACH,SAAS,CAAC,oBAAoB,IAAI,OAAO,YAAY,EAAE,YAAY;IAInE,OAAO,CAAC,gBAAgB;YAsBV,oBAAoB;IAiClC;;;;;;OAMG;IACH,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,eAAe;CA+BxB;AAGD,OAAO,EAAE,sBAAsB,EAAE,CAAC"}

package/dist/connection/AbstractAbapConnection.js

@@ -263,22 +263,51 @@ class AbstractAbapConnection {
             else {
                 this.logger?.error(errorDetails.message, errorDetails);
             }
-            // Retry logic for CSRF token errors (403 with CSRF message)
-            if (this.shouldRetryCsrf(error)) {
-                this.logger?.debug('CSRF token validation failed, fetching new token and retrying request', {
+            // Detect the "login-form 401" pattern: SAP returned 401 for a mutation while
+            // we have a cached CSRF token. The token and its bound SAP session must be
+            // discarded before the retry. Basic auth only — JWT/SAML lifecycles are
+            // managed elsewhere.
+            const isCachedTokenStale = error instanceof axios_1.AxiosError &&
+                this.config.authType === 'basic' &&
+                (normalizedMethod === 'POST' ||
+                    normalizedMethod === 'PUT' ||
+                    normalizedMethod === 'DELETE') &&
+                error.response?.status === 401 &&
+                this.getCsrfToken() !== null;
+            // Retry logic for CSRF token errors (403 with CSRF message) and the
+            // login-form 401 pattern.
+            if (this.shouldRetryCsrf(error) || isCachedTokenStale) {
+                this.logger?.debug(isCachedTokenStale
+                    ? 'Stale CSRF token / SAP session — invalidating and retrying'
+                    : 'CSRF token validation failed, fetching new token and retrying request', {
                     url: requestUrl,
                     method: normalizedMethod,
                 });
-                this.csrfToken = await this.fetchCsrfToken(requestUrl, 5, 2000);
-                if (this.csrfToken) {
-                    requestHeaders['x-csrf-token'] = this.csrfToken;
+                if (isCachedTokenStale) {
+                    this.invalidateSession();
+                    delete requestHeaders.Cookie;
+                    delete requestHeaders.cookie;
                 }
-                if (this.cookies) {
-                    requestHeaders.Cookie = this.cookies;
+                try {
+                    this.setCsrfToken(await this.fetchCsrfToken(requestUrl, 5, 2000));
+                    const refreshedToken = this.getCsrfToken();
+                    if (refreshedToken) {
+                        requestHeaders['x-csrf-token'] = refreshedToken;
+                    }
+                    const refreshedCookies = this.getCookies();
+                    if (refreshedCookies) {
+                        requestHeaders.Cookie = refreshedCookies;
+                    }
+                    const retryResponse = await this.getAxiosInstance()(requestConfig);
+                    this.updateCookiesFromResponse(retryResponse.headers);
+                    return retryResponse;
+                }
+                catch (retryError) {
+                    this.logger?.debug(`CSRF retry failed; rethrowing original error: ${retryError instanceof Error
+                        ? retryError.message
+                        : String(retryError)}`);
+                    throw error;
                 }
-                const retryResponse = await this.getAxiosInstance()(requestConfig);
-                this.updateCookiesFromResponse(retryResponse.headers);
-                return retryResponse;
             }
             // Retry logic for 401 errors on GET requests (authentication issue - need cookies)
             // Only for basic auth - JWT auth will be handled by refresh logic below
@@ -548,6 +577,13 @@ class AbstractAbapConnection {
         this.cookies = combined;
         this.logger?.debug(`[DEBUG] BaseAbapConnection - Updated cookies from response (first 100 chars): ${this.cookies.substring(0, 100)}...`);
     }
+    /**
+     * Subclasses override to inject extra https.Agent options (e.g. mTLS cert/key/pfx).
+     * The returned options are merged with the base options (rejectUnauthorized).
+     */
+    getHttpsAgentOptions() {
+        return {};
+    }
     getAxiosInstance() {
         if (!this.axiosInstance) {
             const rejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED === '1' ||
@@ -557,6 +593,7 @@ class AbstractAbapConnection {
             this.axiosInstance = axios_1.default.create({
                 httpsAgent: new node_https_1.Agent({
                     rejectUnauthorized,
+                    ...this.getHttpsAgentOptions(),
                 }),
             });
         }
@@ -585,6 +622,18 @@ class AbstractAbapConnection {
             throw error;
         }
     }
+    /**
+     * Clear SAP-side session state when SAP rejects the cached CSRF token + session
+     * cookies (HTTP 401 on a mutation while a cached token exists). This forces the
+     * next request path to fetch a fresh token and a fresh SAP_SESSIONID cookie.
+     *
+     * Distinct from reset(): this leaves the axios instance and interceptors in place.
+     */
+    invalidateSession() {
+        this.setCsrfToken(null);
+        this.cookies = null;
+        this.cookieStore.clear();
+    }
     shouldRetryCsrf(error) {
         if (!(error instanceof axios_1.AxiosError)) {
             return false;

package/dist/connection/CertificateAbapConnection.d.ts

@@ -0,0 +1,21 @@
+import type { AgentOptions } from 'node:https';
+import type { ICertificateMaterialLoader } from '@mcp-abap-adt/interfaces';
+import type { SapConfig } from '../config/sapConfig.js';
+import type { ILogger } from '../logger.js';
+import { AbstractAbapConnection } from './AbstractAbapConnection.js';
+/** Client-certificate (mTLS) authentication. Credential lives on the TLS agent. */
+export declare class CertificateAbapConnection extends AbstractAbapConnection {
+    private loader;
+    private material;
+    constructor(config: SapConfig, logger?: ILogger | null, sessionId?: string, loader?: ICertificateMaterialLoader);
+    private static validateConfig;
+    protected ensureMaterial(): Promise<void>;
+    /**
+     * Loads certificate material and primes the session. MUST be called before the first
+     * request — the TLS agent is built lazily and needs the client cert present.
+     */
+    connect(): Promise<void>;
+    protected getHttpsAgentOptions(): AgentOptions;
+    protected buildAuthorizationHeader(): string;
+}
+//# sourceMappingURL=CertificateAbapConnection.d.ts.map

package/dist/connection/CertificateAbapConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CertificateAbapConnection.d.ts","sourceRoot":"","sources":["../../src/connection/CertificateAbapConnection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAEV,0BAA0B,EAC3B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,mFAAmF;AACnF,qBAAa,yBAA0B,SAAQ,sBAAsB;IACnE,OAAO,CAAC,MAAM,CAA6B;IAC3C,OAAO,CAAC,QAAQ,CAAqC;gBAGnD,MAAM,EAAE,SAAS,EACjB,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,EACvB,SAAS,CAAC,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,0BAA0B;IAOrC,OAAO,CAAC,MAAM,CAAC,cAAc;cAyBb,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;IAM/C;;;OAGG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAsB9B,SAAS,CAAC,oBAAoB,IAAI,YAAY;IAU9C,SAAS,CAAC,wBAAwB,IAAI,MAAM;CAG7C"}

package/dist/connection/CertificateAbapConnection.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CertificateAbapConnection = void 0;
+const axios_1 = require("axios");
+const FileCertificateMaterialLoader_js_1 = require("../auth/FileCertificateMaterialLoader.js");
+const AbstractAbapConnection_js_1 = require("./AbstractAbapConnection.js");
+/** Client-certificate (mTLS) authentication. Credential lives on the TLS agent. */
+class CertificateAbapConnection extends AbstractAbapConnection_js_1.AbstractAbapConnection {
+    loader;
+    material = null;
+    constructor(config, logger, sessionId, loader) {
+        CertificateAbapConnection.validateConfig(config);
+        super(config, logger || null, sessionId);
+        this.loader = loader ?? new FileCertificateMaterialLoader_js_1.FileCertificateMaterialLoader();
+    }
+    static validateConfig(config) {
+        if (config.authType !== 'certificate') {
+            throw new Error(`Certificate connection expects authType "certificate", got "${config.authType}"`);
+        }
+        if (config.connectionType === 'rfc') {
+            throw new Error('Certificate auth is not supported with connectionType "rfc".');
+        }
+        const hasPem = !!(config.certPath && config.certKeyPath); // complete PEM pair present
+        const hasPfx = !!config.certPfxPath;
+        if (!hasPem && !hasPfx) {
+            throw new Error('Certificate auth requires certPfxPath OR (certPath AND certKeyPath).');
+        }
+        if ((config.certPath || config.certKeyPath) && config.certPfxPath) {
+            throw new Error('Certificate auth: provide either PEM pair OR PFX, not both.');
+        }
+    }
+    async ensureMaterial() {
+        if (!this.material) {
+            this.material = await this.loader.load(this.getConfig());
+        }
+    }
+    /**
+     * Loads certificate material and primes the session. MUST be called before the first
+     * request — the TLS agent is built lazily and needs the client cert present.
+     */
+    async connect() {
+        await this.ensureMaterial();
+        const baseUrl = await this.getBaseUrl();
+        const discoveryUrl = `${baseUrl}/sap/bc/adt/discovery`;
+        try {
+            const token = await this.fetchCsrfToken(discoveryUrl, 3, 1000);
+            this.setCsrfToken(token);
+        }
+        catch (error) {
+            this.logger?.warn(`[WARN] CertificateAbapConnection - connect deferred: ${error instanceof Error ? error.message : String(error)}`);
+            if (error instanceof axios_1.AxiosError && error.response?.headers) {
+                if (this.getCookies()) {
+                    this.logger?.debug(`[DEBUG] CertificateAbapConnection - Cookies extracted from error response during connect (first 100 chars): ${this.getCookies()?.substring(0, 100)}...`);
+                }
+            }
+        }
+    }
+    getHttpsAgentOptions() {
+        if (!this.material) {
+            throw new Error('CertificateAbapConnection: certificate material not loaded. Call connect() before making requests.');
+        }
+        const { cert, key, pfx, passphrase } = this.material;
+        return { cert, key, pfx, passphrase };
+    }
+    buildAuthorizationHeader() {
+        return '';
+    }
+}
+exports.CertificateAbapConnection = CertificateAbapConnection;

package/dist/connection/KerberosAbapConnection.d.ts

@@ -0,0 +1,20 @@
+import type { SapConfig } from '../config/sapConfig.js';
+import type { ILogger } from '../logger.js';
+import { AbstractAbapConnection } from './AbstractAbapConnection.js';
+/** Kerberos / SPNEGO single-leg auth: send Negotiate token, reuse the resulting SAP session cookie. */
+export declare class KerberosAbapConnection extends AbstractAbapConnection {
+    private spn;
+    private currentToken;
+    constructor(config: SapConfig, logger?: ILogger | null, sessionId?: string);
+    private static validateConfig;
+    /** Generate the SPNEGO token once (single-leg). */
+    protected ensureToken(): Promise<void>;
+    /**
+     * Generates the SPNEGO token and primes the session. MUST be called before the first
+     * request — the first request carries the Negotiate header; SAP then issues a session
+     * cookie which is reused for subsequent requests.
+     */
+    connect(): Promise<void>;
+    protected buildAuthorizationHeader(): string;
+}
+//# sourceMappingURL=KerberosAbapConnection.d.ts.map

package/dist/connection/KerberosAbapConnection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KerberosAbapConnection.d.ts","sourceRoot":"","sources":["../../src/connection/KerberosAbapConnection.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,uGAAuG;AACvG,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE,OAAO,CAAC,GAAG,CAAS;IACpB,OAAO,CAAC,YAAY,CAAM;gBAEd,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,EAAE,SAAS,CAAC,EAAE,MAAM;IAQ1E,OAAO,CAAC,MAAM,CAAC,cAAc;IAa7B,mDAAmD;cACnC,WAAW,IAAI,OAAO,CAAC,IAAI,CAAC;IAK5C;;;;OAIG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IA0B9B,SAAS,CAAC,wBAAwB,IAAI,MAAM;CAS7C"}

package/dist/connection/KerberosAbapConnection.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KerberosAbapConnection = void 0;
+const axios_1 = require("axios");
+const kerberosSpnego_js_1 = require("../auth/kerberosSpnego.js");
+const AbstractAbapConnection_js_1 = require("./AbstractAbapConnection.js");
+/** Kerberos / SPNEGO single-leg auth: send Negotiate token, reuse the resulting SAP session cookie. */
+class KerberosAbapConnection extends AbstractAbapConnection_js_1.AbstractAbapConnection {
+    spn;
+    currentToken = '';
+    constructor(config, logger, sessionId) {
+        KerberosAbapConnection.validateConfig(config);
+        super(config, logger || null, sessionId);
+        this.spn =
+            config.kerberosSpn ??
+                `${config.kerberosService ?? 'HTTP'}@${new URL(config.url).hostname}`;
+    }
+    static validateConfig(config) {
+        if (config.authType !== 'kerberos') {
+            throw new Error(`Kerberos connection expects authType "kerberos", got "${config.authType}"`);
+        }
+        if (config.connectionType === 'rfc') {
+            throw new Error('Kerberos auth is not supported with connectionType "rfc".');
+        }
+    }
+    /** Generate the SPNEGO token once (single-leg). */
+    async ensureToken() {
+        if (!this.currentToken)
+            this.currentToken = await (0, kerberosSpnego_js_1.generateSpnegoToken)(this.spn);
+    }
+    /**
+     * Generates the SPNEGO token and primes the session. MUST be called before the first
+     * request — the first request carries the Negotiate header; SAP then issues a session
+     * cookie which is reused for subsequent requests.
+     */
+    async connect() {
+        await this.ensureToken();
+        const baseUrl = await this.getBaseUrl();
+        const discoveryUrl = `${baseUrl}/sap/bc/adt/discovery`;
+        this.logger?.debug(`[DEBUG] KerberosAbapConnection - Connecting to SAP system: ${discoveryUrl}`);
+        try {
+            const token = await this.fetchCsrfToken(discoveryUrl, 3, 1000);
+            this.setCsrfToken(token);
+        }
+        catch (error) {
+            this.logger?.warn(`[WARN] KerberosAbapConnection - connect deferred: ${error instanceof Error ? error.message : String(error)}`);
+            if (error instanceof axios_1.AxiosError &&
+                error.response?.headers &&
+                this.getCookies()) {
+                this.logger?.debug('[DEBUG] KerberosAbapConnection - cookies captured from error response during connect');
+            }
+        }
+    }
+    buildAuthorizationHeader() {
+        if (this.getCookies())
+            return ''; // cookie carries auth after first round-trip
+        if (!this.currentToken) {
+            throw new Error('KerberosAbapConnection: SPNEGO token not yet available. Call connect() before making requests.');
+        }
+        return `Negotiate ${this.currentToken}`;
+    }
+}
+exports.KerberosAbapConnection = KerberosAbapConnection;

package/dist/connection/connectionFactory.d.ts

@@ -1,8 +1,9 @@
-import type { ITokenRefresher } from '@mcp-abap-adt/interfaces';
+import type { ICertificateMaterialLoader, ITokenRefresher } from '@mcp-abap-adt/interfaces';
 import type { SapConfig } from '../config/sapConfig.js';
 import type { ILogger } from '../logger.js';
 import type { AbapConnection } from './AbapConnection.js';
 export declare function createAbapConnection(config: SapConfig, logger?: ILogger | null, sessionId?: string, tokenRefresher?: ITokenRefresher, options?: {
     skipSessionType?: boolean;
+    certLoader?: ICertificateMaterialLoader;
 }): AbapConnection;
 //# sourceMappingURL=connectionFactory.d.ts.map

package/dist/connection/connectionFactory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"connectionFactory.d.ts","sourceRoot":"","sources":["../../src/connection/connectionFactory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAM1D,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,SAAS,EACjB,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,EACvB,SAAS,CAAC,EAAE,MAAM,EAClB,cAAc,CAAC,EAAE,eAAe,EAChC,OAAO,CAAC,EAAE;IAAE,eAAe,CAAC,EAAE,OAAO,CAAA;CAAE,GACtC,cAAc,CAkBhB"}
+{"version":3,"file":"connectionFactory.d.ts","sourceRoot":"","sources":["../../src/connection/connectionFactory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,0BAA0B,EAC1B,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAQ1D,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,SAAS,EACjB,MAAM,CAAC,EAAE,OAAO,GAAG,IAAI,EACvB,SAAS,CAAC,EAAE,MAAM,EAClB,cAAc,CAAC,EAAE,eAAe,EAChC,OAAO,CAAC,EAAE;IACR,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,UAAU,CAAC,EAAE,0BAA0B,CAAC;CACzC,GACA,cAAc,CAgChB"}

package/dist/connection/connectionFactory.js

@@ -2,12 +2,17 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createAbapConnection = createAbapConnection;
 const BaseAbapConnection_js_1 = require("./BaseAbapConnection.js");
+const CertificateAbapConnection_js_1 = require("./CertificateAbapConnection.js");
 const JwtAbapConnection_js_1 = require("./JwtAbapConnection.js");
+const KerberosAbapConnection_js_1 = require("./KerberosAbapConnection.js");
 const RfcAbapConnection_js_1 = require("./RfcAbapConnection.js");
 const SamlAbapConnection_js_1 = require("./SamlAbapConnection.js");
 function createAbapConnection(config, logger, sessionId, tokenRefresher, options) {
     // RFC connection type takes priority over auth type
     if (config.connectionType === 'rfc') {
+        if (config.authType === 'certificate' || config.authType === 'kerberos') {
+            throw new Error(`authType "${config.authType}" is not supported with connectionType "rfc".`);
+        }
         return new RfcAbapConnection_js_1.RfcAbapConnection(config, logger);
     }
     switch (config.authType) {
@@ -17,6 +22,10 @@ function createAbapConnection(config, logger, sessionId, tokenRefresher, options
             return new JwtAbapConnection_js_1.JwtAbapConnection(config, logger, sessionId, tokenRefresher);
         case 'saml':
             return new SamlAbapConnection_js_1.SamlAbapConnection(config, logger, sessionId, options);
+        case 'certificate':
+            return new CertificateAbapConnection_js_1.CertificateAbapConnection(config, logger, sessionId, options?.certLoader);
+        case 'kerberos':
+            return new KerberosAbapConnection_js_1.KerberosAbapConnection(config, logger, sessionId);
         default:
             throw new Error(`Unsupported SAP authentication type: ${config.authType}`);
     }

package/dist/index.d.ts

@@ -1,12 +1,15 @@
 export type { IWebSocketCloseInfo, IWebSocketConnectOptions, IWebSocketMessageEnvelope, IWebSocketMessageHandler, IWebSocketTransport, } from '@mcp-abap-adt/interfaces';
+export { FileCertificateMaterialLoader } from './auth/FileCertificateMaterialLoader.js';
 export type { SapAuthType, SapConfig, SapConnectionType, } from './config/sapConfig.js';
 export { sapConfigSignature } from './config/sapConfig.js';
 export type { AbapConnection, AbapRequestOptions, } from './connection/AbapConnection.js';
 export { BaseAbapConnection, BaseAbapConnection as OnPremAbapConnection, } from './connection/BaseAbapConnection.js';
+export { CertificateAbapConnection } from './connection/CertificateAbapConnection.js';
 export { createAbapConnection } from './connection/connectionFactory.js';
 export { CSRF_CONFIG, CSRF_ERROR_MESSAGES } from './connection/csrfConfig.js';
 export { GenericWebSocketTransport, type IWebSocketFactory, type IWebSocketLike, } from './connection/GenericWebSocketTransport.js';
 export { JwtAbapConnection, JwtAbapConnection as CloudAbapConnection, } from './connection/JwtAbapConnection.js';
+export { KerberosAbapConnection } from './connection/KerberosAbapConnection.js';
 export { RfcAbapConnection } from './connection/RfcAbapConnection.js';
 export { SamlAbapConnection } from './connection/SamlAbapConnection.js';
 export type { ILogger } from './logger.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,YAAY,EACV,mBAAmB,EACnB,wBAAwB,EACxB,yBAAyB,EACzB,wBAAwB,EACxB,mBAAmB,GACpB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,WAAW,EACX,SAAS,EACT,iBAAiB,GAClB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAE3D,YAAY,EACV,cAAc,EACd,kBAAkB,GACnB,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EACL,kBAAkB,EAClB,kBAAkB,IAAI,oBAAoB,GAC3C,MAAM,oCAAoC,CAAC;AAE5C,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAEzE,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EACL,yBAAyB,EACzB,KAAK,iBAAiB,EACtB,KAAK,cAAc,GACpB,MAAM,2CAA2C,CAAC;AACnD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,IAAI,mBAAmB,GACzC,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACxE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,YAAY,EACV,mBAAmB,EACnB,wBAAwB,EACxB,yBAAyB,EACzB,wBAAwB,EACxB,mBAAmB,GACpB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,6BAA6B,EAAE,MAAM,yCAAyC,CAAC;AACxF,YAAY,EACV,WAAW,EACX,SAAS,EACT,iBAAiB,GAClB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAE3D,YAAY,EACV,cAAc,EACd,kBAAkB,GACnB,MAAM,gCAAgC,CAAC;AAGxC,OAAO,EACL,kBAAkB,EAClB,kBAAkB,IAAI,oBAAoB,GAC3C,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,yBAAyB,EAAE,MAAM,2CAA2C,CAAC;AAEtF,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAC;AAEzE,OAAO,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EACL,yBAAyB,EACzB,KAAK,iBAAiB,EACtB,KAAK,cAAc,GACpB,MAAM,2CAA2C,CAAC;AACnD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,IAAI,mBAAmB,GACzC,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,sBAAsB,EAAE,MAAM,wCAAwC,CAAC;AAChF,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AACxE,YAAY,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EACL,UAAU,EACV,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,qBAAqB,CAAC"}

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
 // Types - re-exported from interfaces package with backward compatibility aliases
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getTimeoutConfig = exports.getTimeout = exports.SamlAbapConnection = exports.RfcAbapConnection = exports.CloudAbapConnection = exports.JwtAbapConnection = exports.GenericWebSocketTransport = exports.CSRF_ERROR_MESSAGES = exports.CSRF_CONFIG = exports.createAbapConnection = exports.OnPremAbapConnection = exports.BaseAbapConnection = exports.sapConfigSignature = void 0;
+exports.getTimeoutConfig = exports.getTimeout = exports.SamlAbapConnection = exports.RfcAbapConnection = exports.KerberosAbapConnection = exports.CloudAbapConnection = exports.JwtAbapConnection = exports.GenericWebSocketTransport = exports.CSRF_ERROR_MESSAGES = exports.CSRF_CONFIG = exports.createAbapConnection = exports.CertificateAbapConnection = exports.OnPremAbapConnection = exports.BaseAbapConnection = exports.sapConfigSignature = exports.FileCertificateMaterialLoader = void 0;
+var FileCertificateMaterialLoader_js_1 = require("./auth/FileCertificateMaterialLoader.js");
+Object.defineProperty(exports, "FileCertificateMaterialLoader", { enumerable: true, get: function () { return FileCertificateMaterialLoader_js_1.FileCertificateMaterialLoader; } });
 // Config utilities
 var sapConfig_js_1 = require("./config/sapConfig.js");
 Object.defineProperty(exports, "sapConfigSignature", { enumerable: true, get: function () { return sapConfig_js_1.sapConfigSignature; } });
@@ -10,6 +12,8 @@ Object.defineProperty(exports, "sapConfigSignature", { enumerable: true, get: fu
 var BaseAbapConnection_js_1 = require("./connection/BaseAbapConnection.js");
 Object.defineProperty(exports, "BaseAbapConnection", { enumerable: true, get: function () { return BaseAbapConnection_js_1.BaseAbapConnection; } });
 Object.defineProperty(exports, "OnPremAbapConnection", { enumerable: true, get: function () { return BaseAbapConnection_js_1.BaseAbapConnection; } });
+var CertificateAbapConnection_js_1 = require("./connection/CertificateAbapConnection.js");
+Object.defineProperty(exports, "CertificateAbapConnection", { enumerable: true, get: function () { return CertificateAbapConnection_js_1.CertificateAbapConnection; } });
 // Factory
 var connectionFactory_js_1 = require("./connection/connectionFactory.js");
 Object.defineProperty(exports, "createAbapConnection", { enumerable: true, get: function () { return connectionFactory_js_1.createAbapConnection; } });
@@ -22,6 +26,8 @@ Object.defineProperty(exports, "GenericWebSocketTransport", { enumerable: true,
 var JwtAbapConnection_js_1 = require("./connection/JwtAbapConnection.js");
 Object.defineProperty(exports, "JwtAbapConnection", { enumerable: true, get: function () { return JwtAbapConnection_js_1.JwtAbapConnection; } });
 Object.defineProperty(exports, "CloudAbapConnection", { enumerable: true, get: function () { return JwtAbapConnection_js_1.JwtAbapConnection; } });
+var KerberosAbapConnection_js_1 = require("./connection/KerberosAbapConnection.js");
+Object.defineProperty(exports, "KerberosAbapConnection", { enumerable: true, get: function () { return KerberosAbapConnection_js_1.KerberosAbapConnection; } });
 var RfcAbapConnection_js_1 = require("./connection/RfcAbapConnection.js");
 Object.defineProperty(exports, "RfcAbapConnection", { enumerable: true, get: function () { return RfcAbapConnection_js_1.RfcAbapConnection; } });
 var SamlAbapConnection_js_1 = require("./connection/SamlAbapConnection.js");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mcp-abap-adt/connection",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "description": "ABAP connection layer for MCP ABAP ADT server",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -46,14 +46,15 @@
     "node": ">=18.0.0"
   },
   "dependencies": {
-    "@mcp-abap-adt/interfaces": "^7.0.0",
+    "@mcp-abap-adt/interfaces": "^7.2.0",
     "axios": "^1.13.5",
     "commander": "^14.0.3",
     "express": "^5.1.0",
     "open": "^11.0.0"
   },
   "optionalDependencies": {
-    "@mcp-abap-adt/sap-rfc-lite": "^0.1.0"
+    "@mcp-abap-adt/sap-rfc-lite": "^0.1.0",
+    "kerberos": "^2.1.0"
   },
   "devDependencies": {
     "@biomejs/biome": "^2.3.14",