npm - @mcp-abap-adt/core - Versions diffs - 6.9.0 → 6.9.2 - Mend

@mcp-abap-adt/core 6.9.0 → 6.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md +10 -0
package/README.md +1 -0
package/package.json +2 -2
package/docs/superpowers/plans/2026-05-23-cert-kerberos-auth.md +0 -652
package/docs/superpowers/specs/2026-05-23-cert-kerberos-auth-design.md +0 -149

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,16 @@
 ## [Unreleased]
+## [6.9.2] - 2026-05-24
+### Documentation
+- README: document the NTLM hard-reject behavior in the Kerberos auth section (carries the connection `1.9.1` change to the published package).
+## [6.9.1] - 2026-05-24
+### Changed
+- Bump `@mcp-abap-adt/connection` to `^1.9.1`, which adds **NTLM hard-reject** for Kerberos auth: a Kerberos connection now fails with a clear error if the SAP system offers NTLM (instead of silently swallowing the 401). Only Kerberos/SPNEGO is accepted.
 ## [6.9.0] - 2026-05-24
 ### Added

package/README.md CHANGED Viewed

@@ -336,6 +336,7 @@ SAP_AUTH_TYPE=kerberos
 - The optional [`kerberos`](https://www.npmjs.com/package/kerberos) npm package must be installed (needs GSSAPI dev libs on Linux / build tools on Windows): `npm i kerberos`.
 - No `SAP_USERNAME` / `SAP_PASSWORD` required — identity comes from the TGT.
 - Both auth types bypass the auth-broker; use `.env` directly.
+- **NTLM is hard-rejected:** if the SAP system offers NTLM instead of Kerberos/SPNEGO, the connection fails with a clear error rather than silently downgrading. Ensure the system accepts Kerberos (SPNEGO) for your user.
 > **⚠️ Help wanted — not yet validated on a live system.** Certificate and Kerberos auth pass full unit coverage but have not been tested against a real SAP system. If you have on-prem **client-certificate** or **Kerberos/SPNEGO** SSO, please try it and [open an issue](https://github.com/fr0ster/mcp-abap-adt/issues) with results — especially whether Kerberos succeeds with a single-leg Negotiate token or your system needs mutual-auth continuation.

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@mcp-abap-adt/core",
   "mcpName": "io.github.fr0ster/mcp-abap-adt",
-  "version": "6.9.0",
+  "version": "6.9.2",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "exports": {
@@ -140,7 +140,7 @@
     "@mcp-abap-adt/auth-broker": "^1.0.5",
     "@mcp-abap-adt/auth-providers": "^1.0.5",
     "@mcp-abap-adt/auth-stores": "^1.0.4",
-    "@mcp-abap-adt/connection": "^1.9.0",
+    "@mcp-abap-adt/connection": "^1.9.1",
     "@mcp-abap-adt/header-validator": "^0.1.8",
     "@mcp-abap-adt/interfaces": "^7.2.0",
     "@mcp-abap-adt/logger": "^0.1.4",

package/docs/superpowers/plans/2026-05-23-cert-kerberos-auth.md DELETED Viewed

@@ -1,652 +0,0 @@
-# Certificate (mTLS) + Kerberos Auth — Implementation Plan
-> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
-**Goal:** Add `certificate` (file-based mTLS) and `kerberos` (SPNEGO/Negotiate, single-leg) authentication to the ADT connection stack, cross-platform, on-prem HTTP only.
-**Architecture:** **Both new types bypass `auth-broker` and `auth-providers`** (the broker is only for OAuth + browser-callback auth; cert/kerberos are non-interactive, connection-level). Certificate = `CertificateAbapConnection` injecting mTLS material into the axios `httpsAgent` via a new `getHttpsAgentOptions()` hook, with file I/O behind an injectable `ICertificateMaterialLoader`. Kerberos = `KerberosAbapConnection` that generates the Negotiate token **locally** via a lazy/optional `kerberos` npm wrapper living in the connection package, sends it on the first request, then reuses the SAP session cookie. No `ITokenRefresher`, no `BaseTokenProvider`.
-**Tech Stack:** TypeScript, axios, `node:https` Agent, optional native `kerberos` npm. **Three repos**, bottom-up: `interfaces` → `connection` → `mcp-abap-adt` (server).
-**Spec:** `docs/superpowers/specs/2026-05-23-cert-kerberos-auth-design.md` (this repo).
-**Decisions locked:** PEM **and** PFX both supported. Single-leg Negotiate only. cert+kerberos bypass broker/providers.
-**Worktree discipline:** Each phase runs in its own repo, on branch `feat/cert-kerberos-auth` (`git worktree add .worktrees/cert-kerberos-auth -b feat/cert-kerberos-auth`; `.worktrees/` gitignored). Never commit to `master`/`main` directly.
-**PUBLISH GATE (critical):** The agent **NEVER runs `npm publish`** — the **user publishes**. Packages depend via **published npm imports, not local links**, so a consumer cannot be tested/bumped against unpublished changes. Each phase ends: implement → commit → PR/merge → **hand off to user to publish; wait for the confirmed version** → bump consumer → next phase.
----
-## Phase 1 — `@mcp-abap-adt/interfaces` — ✅ DONE
-Implemented, reviewed (spec + quality), committed on `feat/cert-kerberos-auth` in `~/prj/mcp-abap-adt-interfaces`:
-- `SapAuthType` union → `'basic' | 'jwt' | 'saml' | 'certificate' | 'kerberos'`.
-- `ISapConfig` + `certPath?`, `certKeyPath?`, `certPfxPath?`, `certPassphrase?`, `kerberosSpn?`, `kerberosService?`.
-- New `src/auth/ICertificateMaterialLoader.ts` (`ICertificateMaterial`, `ICertificateMaterialLoader`), exported from `src/index.ts`.
-- `IConnectionConfig.authType` **left as `'basic'|'jwt'|'saml'`** (NOT widened) — it is the broker's auth surface and cert/kerberos bypass the broker.
-- Build plumbing: `tsconfig.build.json` excludes the compile-only `src/__typechecks__/` from `dist`.
-**Remaining: publish gate** — user publishes `interfaces`; note the version `<IFACE_VER>` for Phases 2–3.
----
-## Phase 2 — `@mcp-abap-adt/connection` (`~/prj/mcp-abap-connection`)
-First: in the worktree, `npm i @mcp-abap-adt/interfaces@<IFACE_VER>` (the user-published version from Phase 1). Confirm baseline tests pass before starting.
-Repo paths below are relative to `~/prj/mcp-abap-connection`. Test runner: this repo HAS a test runner (check `package.json` `scripts.test` — jest per `jest.config.js`). Use it.
-### Task 2.1: `getHttpsAgentOptions()` hook on `AbstractAbapConnection`
-**Files:**
-- Modify: `src/connection/AbstractAbapConnection.ts` — `getAxiosInstance()` (~line 743) + add a protected hook.
-- Test: `src/__tests__/connection/httpsAgentHook.test.ts`
-- [ ] **Step 1: Write the failing test** (concrete subclass overriding the hook; assert options reach the Agent):
-```ts
-import { Agent } from 'node:https';
-import { AbstractAbapConnection } from '../../connection/AbstractAbapConnection';
-class TestConn extends (AbstractAbapConnection as any) {
-  protected getHttpsAgentOptions() { return { cert: 'C', key: 'K' }; }
-  async connect() {}
-  protected buildAuthorizationHeader() { return ''; }
-  getAgent(): Agent { return (this as any).getAxiosInstance().defaults.httpsAgent; }
-}
-test('getHttpsAgentOptions merges into the https.Agent', () => {
-  const c = new TestConn({ url: 'https://h:44300', authType: 'basic' } as any, null);
-  const agent = c.getAgent();
-  expect((agent as any).options.cert).toBe('C');
-  expect((agent as any).options.key).toBe('K');
-});
-```
-- [ ] **Step 2: Run, verify FAIL** (hook missing). Run the repo's test command targeting this file.
-- [ ] **Step 3: Implement.** Add the hook method near other protected methods:
-```ts
-  /** Subclasses override to inject extra https.Agent options (e.g. mTLS cert/key/pfx). */
-  protected getHttpsAgentOptions(): import('node:https').AgentOptions {
-    return {};
-  }
-```
-Change `getAxiosInstance()` to merge them:
-```ts
-      this.axiosInstance = axios.create({
-        httpsAgent: new Agent({
-          rejectUnauthorized,
-          ...this.getHttpsAgentOptions(),
-        }),
-      });
-```
-- [ ] **Step 4: Run, verify PASS.**
-- [ ] **Step 5: Commit** `feat(connection): add getHttpsAgentOptions hook to AbstractAbapConnection`.
-### Task 2.2: `FileCertificateMaterialLoader`
-**Files:**
-- Create: `src/auth/FileCertificateMaterialLoader.ts`
-- Test: `src/__tests__/auth/FileCertificateMaterialLoader.test.ts`
-- [ ] **Step 1: Write the failing test** (temp dir for PEM/PFX):
-```ts
-import { mkdtempSync, writeFileSync, rmSync } from 'node:fs';
-import { join } from 'node:path';
-import { tmpdir } from 'node:os';
-import { FileCertificateMaterialLoader } from '../../auth/FileCertificateMaterialLoader';
-let dir: string;
-beforeAll(() => {
-  dir = mkdtempSync(join(tmpdir(), 'certtest-'));
-  writeFileSync(join(dir, 'c.crt'), 'CERT');
-  writeFileSync(join(dir, 'c.key'), 'KEY');
-  writeFileSync(join(dir, 'c.pfx'), Buffer.from([1, 2, 3]));
-});
-afterAll(() => rmSync(dir, { recursive: true, force: true }));
-const loader = new FileCertificateMaterialLoader();
-test('loads PEM cert+key', async () => {
-  const m = await loader.load({ url: 'https://h', authType: 'certificate',
-    certPath: join(dir, 'c.crt'), certKeyPath: join(dir, 'c.key') } as any);
-  expect(m.cert?.toString()).toBe('CERT');
-  expect(m.key?.toString()).toBe('KEY');
-});
-test('loads PFX with passphrase', async () => {
-  const m = await loader.load({ url: 'https://h', authType: 'certificate',
-    certPfxPath: join(dir, 'c.pfx'), certPassphrase: 'pw' } as any);
-  expect(m.pfx).toBeInstanceOf(Buffer);
-  expect(m.passphrase).toBe('pw');
-});
-test('throws when both PEM and PFX given', async () => {
-  await expect(loader.load({ url: 'https://h', authType: 'certificate',
-    certPath: join(dir, 'c.crt'), certPfxPath: join(dir, 'c.pfx') } as any)).rejects.toThrow();
-});
-```
-- [ ] **Step 2: Run, verify FAIL.**
-- [ ] **Step 3: Implement** `src/auth/FileCertificateMaterialLoader.ts`:
-```ts
-import { readFile } from 'node:fs/promises';
-import type {
-  ICertificateMaterial,
-  ICertificateMaterialLoader,
-  ISapConfig,
-} from '@mcp-abap-adt/interfaces';
-export class FileCertificateMaterialLoader implements ICertificateMaterialLoader {
-  async load(config: ISapConfig): Promise<ICertificateMaterial> {
-    const hasPem = !!(config.certPath || config.certKeyPath);
-    const hasPfx = !!config.certPfxPath;
-    if (hasPem && hasPfx) {
-      throw new Error('Certificate auth: provide either PEM (certPath+certKeyPath) OR certPfxPath, not both.');
-    }
-    if (hasPfx) {
-      return { pfx: await readFile(config.certPfxPath as string), passphrase: config.certPassphrase };
-    }
-    if (config.certPath && config.certKeyPath) {
-      return {
-        cert: await readFile(config.certPath),
-        key: await readFile(config.certKeyPath),
-        passphrase: config.certPassphrase,
-      };
-    }
-    throw new Error('Certificate auth requires certPfxPath OR (certPath AND certKeyPath).');
-  }
-}
-```
-- [ ] **Step 4: Run, verify PASS.**
-- [ ] **Step 5: Commit** `feat(connection): file-based certificate material loader`.
-### Task 2.3: `CertificateAbapConnection`
-**Files:**
-- Create: `src/connection/CertificateAbapConnection.ts`
-- Test: `src/__tests__/connection/CertificateAbapConnection.test.ts`
-- [ ] **Step 1: Write the failing test** (inject fake loader; check agent options + empty header + rfc guard):
-```ts
-import { CertificateAbapConnection } from '../../connection/CertificateAbapConnection';
-import type { ICertificateMaterialLoader } from '@mcp-abap-adt/interfaces';
-const fakeLoader: ICertificateMaterialLoader = {
-  load: async () => ({ cert: 'C', key: 'K', passphrase: 'pw' }),
-};
-const cfg = { url: 'https://h:44300', authType: 'certificate', client: '100',
-  certPath: '/x.crt', certKeyPath: '/x.key' } as any;
-test('no Authorization header (mTLS identifies user)', () => {
-  const c = new CertificateAbapConnection(cfg, null, undefined, fakeLoader);
-  expect((c as any).buildAuthorizationHeader()).toBe('');
-});
-test('loaded material reaches getHttpsAgentOptions after material load', async () => {
-  const c = new CertificateAbapConnection(cfg, null, undefined, fakeLoader);
-  await (c as any).ensureMaterial();
-  const opts = (c as any).getHttpsAgentOptions();
-  expect(opts.cert).toBe('C');
-  expect(opts.key).toBe('K');
-});
-test('rejects connectionType rfc', () => {
-  expect(() => new CertificateAbapConnection({ ...cfg, connectionType: 'rfc' }, null, undefined, fakeLoader))
-    .toThrow(/rfc/i);
-});
-```
-- [ ] **Step 2: Run, verify FAIL.**
-- [ ] **Step 3: Implement** `src/connection/CertificateAbapConnection.ts`:
-```ts
-import type { AgentOptions } from 'node:https';
-import type { ICertificateMaterial, ICertificateMaterialLoader } from '@mcp-abap-adt/interfaces';
-import type { SapConfig } from '../config/sapConfig.js';
-import type { ILogger } from '../logger.js';
-import { AbstractAbapConnection } from './AbstractAbapConnection.js';
-import { FileCertificateMaterialLoader } from '../auth/FileCertificateMaterialLoader.js';
-/** Client-certificate (mTLS) authentication. Credential lives on the TLS agent. */
-export class CertificateAbapConnection extends AbstractAbapConnection {
-  private loader: ICertificateMaterialLoader;
-  private material: ICertificateMaterial | null = null;
-  constructor(config: SapConfig, logger?: ILogger | null, sessionId?: string, loader?: ICertificateMaterialLoader) {
-    CertificateAbapConnection.validateConfig(config);
-    super(config, logger || null, sessionId);
-    this.loader = loader ?? new FileCertificateMaterialLoader();
-  }
-  private static validateConfig(config: SapConfig): void {
-    if (config.authType !== 'certificate') {
-      throw new Error(`Certificate connection expects authType "certificate", got "${config.authType}"`);
-    }
-    if (config.connectionType === 'rfc') {
-      throw new Error('Certificate auth is not supported with connectionType "rfc".');
-    }
-    const hasPem = !!(config.certPath && config.certKeyPath);
-    const hasPfx = !!config.certPfxPath;
-    if (!hasPem && !hasPfx) {
-      throw new Error('Certificate auth requires certPfxPath OR (certPath AND certKeyPath).');
-    }
-    if ((config.certPath || config.certKeyPath) && config.certPfxPath) {
-      throw new Error('Certificate auth: provide either PEM pair OR PFX, not both.');
-    }
-  }
-  private cfg(): SapConfig {
-    return (this as unknown as { config: SapConfig }).config;
-  }
-  /** Load cert material before the first request so the cached agent carries the client cert. */
-  private async ensureMaterial(): Promise<void> {
-    if (!this.material) this.material = await this.loader.load(this.cfg());
-  }
-  async connect(): Promise<void> {
-    await this.ensureMaterial();
-    const baseUrl = await this.getBaseUrl();
-    const discoveryUrl = `${baseUrl}/sap/bc/adt/discovery`;
-    try {
-      const token = await this.fetchCsrfToken(discoveryUrl, 3, 1000);
-      this.setCsrfToken(token);
-    } catch (error) {
-      this.logger?.warn(
-        `[WARN] CertificateAbapConnection - connect deferred: ${error instanceof Error ? error.message : String(error)}`,
-      );
-    }
-  }
-  protected getHttpsAgentOptions(): AgentOptions {
-    if (!this.material) return {};
-    const { cert, key, pfx, passphrase } = this.material;
-    return { cert, key, pfx, passphrase };
-  }
-  protected buildAuthorizationHeader(): string {
-    return '';
-  }
-}
-```
-> `getConfig()`/`getBaseUrl()`/`fetchCsrfToken()`/`setCsrfToken()` exist on `AbstractAbapConnection` (used by Saml/Jwt). The private `config` is accessed via the `cfg()` helper because the base stores it privately; if the base exposes a `getConfig()` accessor, prefer that and drop `cfg()`.
-- [ ] **Step 4: Run, verify PASS.**
-- [ ] **Step 5: Commit** `feat(connection): CertificateAbapConnection (mTLS via https agent)`.
-### Task 2.4: `kerberosSpnego` wrapper (lazy, optional native dep)
-**Files:**
-- Create: `src/auth/kerberosSpnego.ts`
-- Test: `src/__tests__/auth/kerberosSpnego.test.ts`
-- Modify: `package.json` (`optionalDependencies`)
-- [ ] **Step 1: Add optional dependency** to `package.json`:
-```json
-"optionalDependencies": {
-  "kerberos": "^2.1.0"
-}
-```
-- [ ] **Step 2: Write the failing test** (mock the native module; assert token returned):
-```ts
-test('generateSpnegoToken returns a base64 token for an SPN', async () => {
-  jest.doMock('kerberos', () => ({
-    initializeClient: jest.fn(async () => ({
-      step: jest.fn(async (_c: string) => undefined),
-      response: 'YIIBexyz==',
-    })),
-  }), { virtual: true });
-  const { generateSpnegoToken } = await import('../../auth/kerberosSpnego');
-  const token = await generateSpnegoToken('HTTP@sap-host.corp');
-  expect(token).toBe('YIIBexyz==');
-});
-```
-> Use the repo's mocking idiom (jest shown; the `{ virtual: true }` lets the test run even if `kerberos` isn't installed). Match `jest.config.js` ESM/CJS conventions.
-- [ ] **Step 3: Run, verify FAIL.**
-- [ ] **Step 4: Implement** `src/auth/kerberosSpnego.ts`:
-```ts
-/** Thin, lazily-loaded wrapper over the optional `kerberos` native package. */
-export async function generateSpnegoToken(spn: string): Promise<string> {
-  let kerberos: typeof import('kerberos');
-  try {
-    kerberos = await import('kerberos');
-  } catch {
-    throw new Error(
-      'Kerberos authentication requires the optional "kerberos" package. ' +
-        'Install it (needs GSSAPI dev libs on Linux / build tools on Windows): npm i kerberos',
-    );
-  }
-  const client = await kerberos.initializeClient(spn, {});
-  await client.step(''); // single-leg: initial AP-REQ
-  const token = (client as unknown as { response?: string }).response;
-  if (!token) {
-    throw new Error('Kerberos: no SPNEGO token produced (no TGT? run kinit, or check SPN).');
-  }
-  return token;
-}
-```
-> **Verify the `kerberos` API** against the installed package's types before finalizing: confirm `initializeClient(spn, options)` and that the produced token is on `client.response` after `step()`. Adjust the accessor if the real API differs (some versions return the token from `step()`); keep the public `generateSpnegoToken(spn): Promise<string>` shape stable so the connection and test are unaffected.
-- [ ] **Step 5: Run, verify PASS.**
-- [ ] **Step 6: Commit** `feat(connection): lazy SPNEGO token wrapper over optional kerberos`.
-### Task 2.5: `KerberosAbapConnection`
-**Files:**
-- Create: `src/connection/KerberosAbapConnection.ts`
-- Test: `src/__tests__/connection/KerberosAbapConnection.test.ts`
-- [ ] **Step 1: Write the failing test** (mock the spnego wrapper; assert Negotiate header logic + rfc guard):
-```ts
-jest.mock('../../auth/kerberosSpnego', () => ({
-  generateSpnegoToken: jest.fn(async (_spn: string) => 'NEG_TOKEN'),
-}));
-import { KerberosAbapConnection } from '../../connection/KerberosAbapConnection';
-const cfg = { url: 'https://h:44300', authType: 'kerberos', client: '100', kerberosSpn: 'HTTP@h.corp' } as any;
-test('emits Authorization: Negotiate <token> before a cookie exists', async () => {
-  const c = new KerberosAbapConnection(cfg, null, undefined);
-  await (c as any).ensureToken();
-  expect((c as any).buildAuthorizationHeader()).toBe('Negotiate NEG_TOKEN');
-});
-test('derives SPN from url when kerberosSpn absent', async () => {
-  const c = new KerberosAbapConnection({ ...cfg, kerberosSpn: undefined }, null, undefined);
-  await (c as any).ensureToken();
-  const spnego = await import('../../auth/kerberosSpnego');
-  expect((spnego.generateSpnegoToken as any)).toHaveBeenCalledWith('HTTP@h');
-});
-test('rejects connectionType rfc', () => {
-  expect(() => new KerberosAbapConnection({ ...cfg, connectionType: 'rfc' }, null, undefined)).toThrow(/rfc/i);
-});
-```
-- [ ] **Step 2: Run, verify FAIL.**
-- [ ] **Step 3: Implement** `src/connection/KerberosAbapConnection.ts`:
-```ts
-import type { SapConfig } from '../config/sapConfig.js';
-import type { ILogger } from '../logger.js';
-import { AbstractAbapConnection } from './AbstractAbapConnection.js';
-import { generateSpnegoToken } from '../auth/kerberosSpnego.js';
-/** Kerberos / SPNEGO single-leg auth: send Negotiate token, reuse the resulting SAP session cookie. */
-export class KerberosAbapConnection extends AbstractAbapConnection {
-  private spn: string;
-  private currentToken = '';
-  constructor(config: SapConfig, logger?: ILogger | null, sessionId?: string) {
-    KerberosAbapConnection.validateConfig(config);
-    super(config, logger || null, sessionId);
-    this.spn = config.kerberosSpn ?? `${config.kerberosService ?? 'HTTP'}@${new URL(config.url).hostname}`;
-  }
-  private static validateConfig(config: SapConfig): void {
-    if (config.authType !== 'kerberos') {
-      throw new Error(`Kerberos connection expects authType "kerberos", got "${config.authType}"`);
-    }
-    if (config.connectionType === 'rfc') {
-      throw new Error('Kerberos auth is not supported with connectionType "rfc".');
-    }
-  }
-  private async ensureToken(): Promise<void> {
-    if (!this.currentToken) this.currentToken = await generateSpnegoToken(this.spn);
-  }
-  async connect(): Promise<void> {
-    await this.ensureToken();
-    const baseUrl = await this.getBaseUrl();
-    const discoveryUrl = `${baseUrl}/sap/bc/adt/discovery`;
-    try {
-      const token = await this.fetchCsrfToken(discoveryUrl, 3, 1000);
-      this.setCsrfToken(token);
-      // After the first authenticated round-trip SAP issues a session cookie which the base
-      // class captures and reuses; later requests need no new Negotiate token.
-    } catch (error) {
-      this.logger?.warn(
-        `[WARN] KerberosAbapConnection - connect deferred: ${error instanceof Error ? error.message : String(error)}`,
-      );
-    }
-  }
-  protected buildAuthorizationHeader(): string {
-    if (this.getCookies()) return '';            // cookie carries auth after first round-trip
-    return this.currentToken ? `Negotiate ${this.currentToken}` : '';
-  }
-}
-```
-> The default `getAuthHeaders()` calls `buildAuthorizationHeader()` and sets `Authorization` only when non-empty (confirm against `AbstractAbapConnection`; `SamlAbapConnection` relies on the same empty-header behavior). `getCookies()` is inherited. If the SPNEGO token must be generated lazily on the very first request rather than only in `connect()`, also call `ensureToken()` at the top of an overridden `getAuthHeaders()` — verify which entrypoint runs first and add the guard if needed. **NTLM reject:** if a live `WWW-Authenticate` response offers only `NTLM` (challenge decodes to prefix `TlRMTVNTUAA`), throw a clear error instead of looping — add this guard when wiring the 401 path (test with a mocked 401 carrying `www-authenticate: NTLM`).
-- [ ] **Step 4: Run, verify PASS.**
-- [ ] **Step 5: Commit** `feat(connection): KerberosAbapConnection (single-leg Negotiate)`.
-### Task 2.6: Wire the factory + config signature
-**Files:**
-- Modify: `src/connection/connectionFactory.ts`
-- Modify: `src/config/sapConfig.ts` (`sapConfigSignature`)
-- Test: `src/__tests__/connectionFactory.test.ts` (extend)
-- [ ] **Step 1: Write failing factory tests:**
-```ts
-test('creates CertificateAbapConnection for authType certificate', () => {
-  const c = createAbapConnection({ url: 'https://h', authType: 'certificate',
-    certPath: '/c', certKeyPath: '/k' } as any, null);
-  expect(c.constructor.name).toBe('CertificateAbapConnection');
-});
-test('creates KerberosAbapConnection for authType kerberos', () => {
-  const c = createAbapConnection({ url: 'https://h', authType: 'kerberos', kerberosSpn: 'HTTP@h' } as any, null);
-  expect(c.constructor.name).toBe('KerberosAbapConnection');
-});
-test('throws for certificate + rfc', () => {
-  expect(() => createAbapConnection({ url: 'https://h', authType: 'certificate', connectionType: 'rfc',
-    certPath: '/c', certKeyPath: '/k' } as any, null)).toThrow(/rfc/i);
-});
-```
-- [ ] **Step 2: Run, verify FAIL.**
-- [ ] **Step 3: Implement.** Add imports + an optional `certLoader` in `options` + cases. The kerberos case takes NO tokenRefresher (self-contained):
-```ts
-import { CertificateAbapConnection } from './CertificateAbapConnection.js';
-import { KerberosAbapConnection } from './KerberosAbapConnection.js';
-import type { ICertificateMaterialLoader } from '@mcp-abap-adt/interfaces';
-export function createAbapConnection(
-  config: SapConfig,
-  logger?: ILogger | null,
-  sessionId?: string,
-  tokenRefresher?: ITokenRefresher,
-  options?: { skipSessionType?: boolean; certLoader?: ICertificateMaterialLoader },
-): AbapConnection {
-  if (config.connectionType === 'rfc') {
-    if (config.authType === 'certificate' || config.authType === 'kerberos') {
-      throw new Error(`authType "${config.authType}" is not supported with connectionType "rfc".`);
-    }
-    return new RfcAbapConnection(config, logger);
-  }
-  switch (config.authType) {
-    case 'basic':
-      return new BaseAbapConnection(config, logger, sessionId, options);
-    case 'jwt':
-      return new JwtAbapConnection(config, logger, sessionId, tokenRefresher);
-    case 'saml':
-      return new SamlAbapConnection(config, logger, sessionId, options);
-    case 'certificate':
-      return new CertificateAbapConnection(config, logger, sessionId, options?.certLoader);
-    case 'kerberos':
-      return new KerberosAbapConnection(config, logger, sessionId);
-    default:
-      throw new Error(`Unsupported SAP authentication type: ${config.authType}`);
-  }
-}
-```
-> Verify no existing caller passes a 5th positional arg in a way the widened `options` shape breaks.
-- [ ] **Step 4: Extend `sapConfigSignature()`** in `src/config/sapConfig.ts` — add to the returned object (paths/flags only, never secrets):
-```ts
-    certPath: config.certPath ?? null,
-    certKeyPath: config.certKeyPath ?? null,
-    certPfxPath: config.certPfxPath ?? null,
-    certPassphrase: config.certPassphrase ? 'set' : null,
-    kerberosSpn: config.kerberosSpn ?? null,
-```
-- [ ] **Step 5: Run all connection tests, verify PASS.**
-- [ ] **Step 6: Commit** `feat(connection): route certificate/kerberos in factory; extend config signature`.
-### Task 2.7: Release connection (publish gate — user publishes)
-- [ ] **Step 1:** Bump version + CHANGELOG, commit. `npm run build` + full test suite green. **Do NOT publish.**
-- [ ] **Step 2:** PR + merge.
-- [ ] **Step 3: HAND OFF — ask the user to publish; record the confirmed version `<CONN_VER>` before Phase 3.**
----
-## Phase 3 — `mcp-abap-adt` (server, this repo)
-First: in the worktree, bump `@mcp-abap-adt/interfaces@<IFACE_VER>` and `@mcp-abap-adt/connection@<CONN_VER>` to the user-confirmed published versions. Work on branch `feat/cert-kerberos-auth`.
-### Task 3.1: Shared `parseAuthType()` accepting new types
-**Files:**
-- Create: `src/lib/config/parseAuthType.ts`
-- Modify: `src/lib/config.ts` (~59-75), `src/lib/utils.ts` (~1892-1900)
-- Test: `src/__tests__/lib/parseAuthType.test.ts`
-- [ ] **Step 1: Write failing test:**
-```ts
-import { parseAuthType } from '../../lib/config/parseAuthType';
-test('maps env to auth types', () => {
-  expect(parseAuthType({ SAP_JWT_TOKEN: 'x' })).toBe('jwt');
-  expect(parseAuthType({ SAP_AUTH_TYPE: 'xsuaa' })).toBe('jwt');
-  expect(parseAuthType({ SAP_AUTH_TYPE: 'certificate' })).toBe('certificate');
-  expect(parseAuthType({ SAP_AUTH_TYPE: 'kerberos' })).toBe('kerberos');
-  expect(parseAuthType({ SAP_AUTH_TYPE: 'saml' })).toBe('saml');
-  expect(parseAuthType({})).toBe('basic');
-});
-```
-- [ ] **Step 2: Run, verify FAIL.**
-- [ ] **Step 3: Implement** `src/lib/config/parseAuthType.ts`:
-```ts
-import type { SapAuthType } from '@mcp-abap-adt/interfaces';
-export function parseAuthType(env: NodeJS.ProcessEnv | Record<string, string | undefined>): SapAuthType {
-  if (env.SAP_JWT_TOKEN) return 'jwt';
-  const raw = env.SAP_AUTH_TYPE?.trim().toLowerCase();
-  if (!raw) return 'basic';
-  if (raw === 'xsuaa') return 'jwt';
-  if (raw === 'basic' || raw === 'jwt' || raw === 'saml' || raw === 'certificate' || raw === 'kerberos') {
-    return raw;
-  }
-  return 'basic';
-}
-```
-- [ ] **Step 4: Replace both inline parsers** in `config.ts` (~59-75) and `utils.ts` (~1892-1900) with `parseAuthType(process.env)`. Remove the duplicated literal logic.
-- [ ] **Step 5: Run, verify PASS.**
-- [ ] **Step 6: Commit** `refactor(config): shared parseAuthType incl. certificate/kerberos`.
-### Task 3.2: Read new env fields into `SapConfig`
-**Files:**
-- Modify: wherever `SapConfig` is assembled from env (`src/lib/config.ts`, and `src/lib/utils.ts` if it builds a parallel config).
-- Test: extend the existing config-building test (or add one targeting the exported builder).
-- [ ] **Step 1: Write failing test** — `SAP_AUTH_TYPE=certificate` + `SAP_CERT_PATH`/`SAP_CERT_KEY_PATH` env yields a config with those fields; `SAP_AUTH_TYPE=kerberos` + `SAP_KERBEROS_SPN` yields `kerberosSpn`.
-- [ ] **Step 2: Run, verify FAIL.**
-- [ ] **Step 3: Implement** — where the config object is built, add:
-```ts
-    certPath: process.env.SAP_CERT_PATH,
-    certKeyPath: process.env.SAP_CERT_KEY_PATH,
-    certPfxPath: process.env.SAP_CERT_PFX_PATH,
-    certPassphrase: process.env.SAP_CERT_PASSPHRASE,
-    kerberosSpn: process.env.SAP_KERBEROS_SPN,
-    kerberosService: process.env.SAP_KERBEROS_SERVICE,
-```
-- [ ] **Step 4: Run, verify PASS.**
-- [ ] **Step 5: Commit** `feat(config): read cert/kerberos env into SapConfig`.
-### Task 3.3: Confirm the connection-creation path (NOT the broker)
-**Files:**
-- Investigate, then minimal change: wherever the server calls `createAbapConnection(...)` for basic/RFC auth.
-- [ ] **Step 1:** Locate where the server constructs an `AbapConnection` for non-broker auth (grep for `createAbapConnection` in `src/`). Confirm cert/kerberos `SapConfig` flows there unchanged. Certificate/kerberos must NOT be routed through `brokerFactory`/`IBrokerSessionConfig` (broker is OAuth-only).
-- [ ] **Step 2:** If the path already passes the full `SapConfig` (with the new fields) to `createAbapConnection`, no code change is needed beyond Task 3.2 — add a test asserting that a `certificate`/`kerberos` config produces the right connection class via the server's creation path. If the server narrows authType anywhere (e.g. only handles basic/jwt before delegating), widen that branch.
-- [ ] **Step 3:** Run, verify PASS. Commit (only if a change was needed) `feat(server): create certificate/kerberos connections via direct path`.
-### Task 3.4: Docs + help text
-**Files:**
-- Modify: `src/lib/utils.ts` (~1337 env help block), `README.md`, `CHANGELOG.md`
-- [ ] **Step 1:** Add to help text:
-```
-  SAP_CERT_PATH / SAP_CERT_KEY_PATH         Client cert + key (PEM) for certificate auth
-  SAP_CERT_PFX_PATH / SAP_CERT_PASSPHRASE   PKCS#12 cert for certificate auth
-  SAP_KERBEROS_SPN                          SPN for kerberos auth (default HTTP@<host>)
-  SAP_AUTH_TYPE                             basic|jwt|saml|certificate|kerberos (default: basic)
-```
-- [ ] **Step 2:** README: document cert/kerberos setup (on-prem HTTP only; kerberos prereq: `kinit`/keytab + optional `kerberos` npm). Update CHANGELOG.
-- [ ] **Step 3: Commit** `docs: certificate + kerberos auth env vars and setup`.
-### Task 3.5: Integration smoke (live, gated)
-**Files:**
-- Create/extend: integration smoke behind env gates (see integration-test-env-gates skill).
-- [ ] **Step 1:** Add `describeCertificate`/`describeKerberos` gates that run only when `SAP_CERT_PATH`/`SAP_KERBEROS_SPN` (+ a target system) are present. One read (e.g. read a class source) per auth type.
-- [ ] **Step 2: Coordinate with the user** to run against a real on-prem system supporting the auth type (per CLAUDE.md — do not automate SAP env verification). Validate spec assumption A1 (single-leg) on kerberos here.
-- [ ] **Step 3:** Save full log to `/tmp/integration-cert-kerberos.log` (no `tail` truncation). Commit any test additions.
-### Task 3.6: Release server (publish gate — user publishes)
-- [ ] **Step 1:** Bump version + CHANGELOG, regenerate tool catalogs if affected (auth is not a tool — likely none). `npm run build` + tests green. **Do NOT publish.** PR, merge.
-- [ ] **Step 2: HAND OFF — ask the user to publish the server package.**
-- [ ] **Step 3:** Once the user confirms the full feature is published and verified, **delete the spec** `docs/superpowers/specs/2026-05-23-cert-kerberos-auth-design.md` and this plan (project lifecycle rule). History remains in git.
----
-## Self-review notes
-- **Spec coverage:** §3.1 → Phase 1 (done); §3.2 connection (cert+kerberos+spnego+factory) → Tasks 2.1–2.6; §3.3 (auth-providers/broker NOT touched) → respected (no tasks, by design); §3.4 server → Tasks 3.1–3.4; §4 config surface → 3.1/3.2/3.4; §5 security (no secret logging) → loader/signature avoid secrets; **NTLM reject** → folded into Task 2.5 note (add the guard when wiring the 401 path; test with mocked `www-authenticate: NTLM`); §6 test plan → per-task tests + 3.5; §7 release order → phase order; §8 A1/A4 → Tasks 2.5/2.3 notes.
-- **No broker/providers tasks** — intentional (cert+kerberos bypass them).
-- **Type consistency:** `ICertificateMaterialLoader.load(config)`, `getHttpsAgentOptions()`, `generateSpnegoToken(spn)`, `createAbapConnection(..., options?.certLoader)` are used consistently across tasks. Kerberos connection takes NO `tokenRefresher`.
-- **Verify-in-code flags:** the `kerberos` npm token accessor (`client.response`, Task 2.4); the server's connection-creation path (Task 3.3); `AbstractAbapConnection` empty-header behavior for kerberos cookie phase (Task 2.5).

package/docs/superpowers/specs/2026-05-23-cert-kerberos-auth-design.md DELETED Viewed

@@ -1,149 +0,0 @@
-# Spec: Certificate (mTLS) + Kerberos auth across the ADT connection stack
-> Status: design approved, ready for implementation planning.
-> Lifecycle: this spec lives only in `mcp-abap-adt`. **Delete after implementation** — history stays in git.
-> Source of idea: analysis of `sap-adt-mcp` (see `docs/superpowers/plans/innovations-from-sap-adt-mcp.md`, item A).
-## 1. Goal & scope
-Add two new authentication types to the ADT connection stack:
-- **`certificate`** — client-certificate mutual TLS (mTLS), cross-platform, credential material loaded from **files** (PEM or PFX/PKCS#12).
-- **`kerberos`** — SPNEGO/Negotiate SSO, cross-platform via the `kerberos` npm package (GSSAPI on Linux/macOS, SSPI on Windows), as an **optional dependency**.
-**In scope:** on-prem ABAP over **HTTP** (`connectionType: 'http'`). Both new types are invalid for `connectionType: 'rfc'` and for BTP cloud (which stays `jwt`).
-**Out of scope (explicitly NOT building):**
-- Windows Certificate Store / PowerShell-SChannel bridge (the `sap-adt-mcp` approach). Cross-platform file-based only.
-- NTLM. We hard-reject NTLM tokens if a server offers only NTLM (see Risks).
-- Kerberos mutual-auth multi-leg continuation (see Assumptions).
-- RFC-transport variants of these auth types.
-## 2. Architecture decision (the core call)
-**Both new auth types bypass `@mcp-abap-adt/auth-broker` and `@mcp-abap-adt/auth-providers` entirely.** The broker's role is narrow: OAuth-style authorization with browser-callback interception. Certificate and Kerberos are non-interactive and transport/connection-level — no browser callback, no broker token lifecycle. They live in the **connection** package (+ types in `interfaces`, + env wiring in the server).
-| Type | Pattern | Why |
-|------|---------|-----|
-| **Certificate** | Connection subclass + `httpsAgent` options, with an injected `ICertificateMaterialLoader` for testability | The credential is `cert`+private-key used in the **TLS handshake via `httpsAgent`** — transport-layer, below `getAuthHeaders()`. No header/cookie to "provide". |
-| **Kerberos** | Connection subclass that generates the SPNEGO token **locally** (lazy/optional `kerberos` npm wrapper inside the connection package), sends `Authorization: Negotiate <token>` on the first request, then reuses the SAP session cookie | The Negotiate blob goes into a header, but generation is local GSSAPI (no callback, no refresh lifecycle). No broker, no `ITokenRefresher`, no `BaseTokenProvider`. |
-`@mcp-abap-adt/connection` depends only on `interfaces` + `sap-rfc-lite` (not on `auth-providers`), so the SPNEGO wrapper lives in `connection`, keeping that dependency boundary intact.
-### Kerberos handshake = single-leg, cookie reuse
-`AbstractAbapConnection` already owns CSRF fetch + cookie capture/reuse (`fetchCsrfToken`, cookie merge). `KerberosAbapConnection` generates one AP-REQ for the SPN, sends `Authorization: Negotiate <token>` on the first request, captures the SAP session cookie (`SAP_SESSIONID`/`MYSAPSSO2`), and reuses the cookie thereafter. Single-leg only (no mutual-auth continuation in v1 — see Assumptions).
-## 3. Per-package changes
-**Three repos** (auth-broker and auth-providers are NOT touched). Listed in dependency (release) order — see §7.
-### 3.1 `@mcp-abap-adt/interfaces` (`~/prj/mcp-abap-adt-interfaces`)
-- `src/sap/SapAuthType.ts`: extend union →
-  `export type SapAuthType = 'basic' | 'jwt' | 'saml' | 'certificate' | 'kerberos';`
-- `src/sap/ISapConfig.ts`: add optional fields:
-  - Certificate: `certPath?`, `certKeyPath?`, `certPfxPath?`, `certPassphrase?`. (PEM = certPath+certKeyPath; PFX = certPfxPath. Mutually exclusive — validated in connector.)
-  - Kerberos: `kerberosSpn?` (e.g. `HTTP@host.domain`), `kerberosService?` (default `HTTP`).
-- `src/token/ITokenResult.ts`: no shape change needed — kerberos uses existing `tokenType: 'opaque'`. (Optional: add `'kerberos'` to the `tokenType` union for clarity; not required.)
-- New interface `src/auth/ICertificateMaterialLoader.ts`:
-  ```ts
-  export interface ICertificateMaterial { cert?: Buffer|string; key?: Buffer|string; pfx?: Buffer; passphrase?: string; }
-  export interface ICertificateMaterialLoader { load(config: ISapConfig): Promise<ICertificateMaterial>; }
-  ```
-- Export new symbols from `src/index.ts`.
-### 3.2 `@mcp-abap-adt/connection` (`~/prj/mcp-abap-connection`) — the connector, heaviest changes
-- `src/connection/AbstractAbapConnection.ts`:
-  - In `getAxiosInstance()` (currently builds `new Agent({ rejectUnauthorized })`), add a protected hook:
-    `protected getHttpsAgentOptions(): https.AgentOptions { return {}; }`
-    and merge it into the Agent options. **Important:** the Agent is currently cached on first build; certificate material must be available before the first request (it is — loaded in the cert connection's `connect()`/constructor). Keep `rejectUnauthorized` behavior intact.
-- New `src/connection/CertificateAbapConnection.ts` (extends `AbstractAbapConnection`):
-  - `validateConfig`: requires `connectionType !== 'rfc'`; requires either (`certPath`+`certKeyPath`) or `certPfxPath`; rejects having both PEM and PFX.
-  - Constructor takes an injected `ICertificateMaterialLoader` (default: a file-based impl). `connect()` loads material, then proceeds with normal CSRF fetch.
-  - `getHttpsAgentOptions()` returns `{ cert, key, pfx, passphrase }`.
-  - `buildAuthorizationHeader()` returns `''` (no Authorization header; mTLS identifies the user).
-- New `src/connection/KerberosAbapConnection.ts` (extends `AbstractAbapConnection`):
-  - **Self-contained — no broker, no `ITokenRefresher`, no provider.** Generates the SPNEGO token locally via the connection-local wrapper (below), using the resolved SPN.
-  - `connect()` generates the Negotiate token, sends it on the first request, captures the SAP session cookie via the existing cookie machinery; subsequent requests reuse the cookie.
-  - `buildAuthorizationHeader()` → `Negotiate ${token}` while no session cookie yet; `''` once a cookie exists.
-  - `validateConfig`: requires `connectionType !== 'rfc'`; requires resolvable SPN (`kerberosSpn` or derive `HTTP@<host>` from URL).
-- New `src/auth/FileCertificateMaterialLoader.ts`: reads PEM/PFX from disk → `ICertificateMaterial`. Pure I/O, mockable.
-- New `src/auth/kerberosSpnego.ts`: thin wrapper over the optional `kerberos` npm package (`initializeClient` / `step`), **lazy `import()`**; declared in this package's `optionalDependencies`. The single native, mockable seam. (Lives here, not in auth-providers, because `connection` does not depend on `auth-providers`.)
-- `src/connection/connectionFactory.ts`: add cases:
-  ```ts
-  case 'certificate': return new CertificateAbapConnection(config, logger, sessionId, options?.certLoader);
-  case 'kerberos':    return new KerberosAbapConnection(config, logger, sessionId);
-  ```
-  Keep the existing `connectionType === 'rfc'` early-return guard (rfc wins) — but add validation so cert/kerberos + rfc throws a clear error rather than silently doing RFC.
-- `src/config/sapConfig.ts`: extend `sapConfigSignature()` to include cert paths / SPN (so connection is recreated when these change). Never log key/passphrase contents.
-### 3.3 NOT touched: `auth-providers` and `auth-broker`
-Certificate and Kerberos bypass both. The broker is only for OAuth-style authorization + browser-callback interception; cert/kerberos are non-interactive and connection-level. **Do not add a `KerberosProvider` to auth-providers, do not modify `AuthBroker`, do not widen the broker's `IConnectionConfig.authType`** — that union is the broker's surface and stays `'basic' | 'jwt' | 'saml'`.
-### 3.4 `mcp-abap-adt` (server, this repo)
-- `src/lib/config.ts` (lines ~59-75) and `src/lib/utils.ts` (duplicate parser ~1892-1900): extend `SAP_AUTH_TYPE` acceptance to include `'certificate'` and `'kerberos'`. **De-dup opportunity:** these two parsers are copies — extract one shared `parseAuthType()` (recommended while here).
-- Read new env into the assembled `SapConfig`: `SAP_CERT_PATH`, `SAP_CERT_KEY_PATH`, `SAP_CERT_PFX_PATH`, `SAP_CERT_PASSPHRASE`, `SAP_KERBEROS_SPN`, `SAP_KERBEROS_SERVICE`. Document in the help text (~line 1337).
-- **Connection creation path:** find where the server creates an `AbapConnection` for non-broker auth (basic/RFC today) — cert/kerberos follow that same direct `createAbapConnection(...)` path, NOT the broker/`brokerFactory` path. Verify in code during Phase 3; do NOT route cert/kerberos through `brokerFactory`/`IBrokerSessionConfig`.
-- Tool `available_in`: cert/kerberos are connection concerns, not tool capabilities — no tool-level change; but verify nothing assumes `authType ∈ {basic,jwt,saml}`.
-## 4. Configuration surface (summary)
-`.env` (server-driven, on-prem HTTP):
-```
-SAP_AUTH_TYPE=certificate
-SAP_CERT_PATH=/path/client.crt          # PEM
-SAP_CERT_KEY_PATH=/path/client.key      # PEM
-# or:
-SAP_CERT_PFX_PATH=/path/client.pfx      # PKCS#12
-SAP_CERT_PASSPHRASE=...                  # optional
-```
-```
-SAP_AUTH_TYPE=kerberos
-SAP_KERBEROS_SPN=HTTP@sap-host.corp     # optional; derived from SAP_URL if absent
-```
-## 5. Security rules
-- Never log private-key bytes, PFX bytes, passphrase, or Negotiate tokens. Safe to log: cert subject/CN, cert path (not contents), SPN, `tokenType`.
-- `sapConfigSignature()` must not embed secret material — use presence flags / hashes, mirroring how it previews tokens today.
-- Reject NTLM: if the server's `WWW-Authenticate` offers only `NTLM` (token begins `TlRMTVNTUAA...`), fail with a clear error rather than negotiating.
-## 6. Test plan
-Per repo, unit-first (mock the native/IO seams):
-- **interfaces**: type-level only (compile).
-- **connection**:
-  - `CertificateAbapConnection`: inject a fake `ICertificateMaterialLoader`; assert `getHttpsAgentOptions()` carries cert/key/pfx; assert no Authorization header; assert PEM-vs-PFX validation and rfc-conflict errors.
-  - `KerberosAbapConnection`: mock the connection-local `kerberosSpnego` wrapper; assert `Authorization: Negotiate <token>` on first request and `''` after a cookie exists; assert cookie capture+reuse; assert rfc-conflict error. No real KDC.
-  - `connectionFactory`: new cases route correctly; cert/kerberos + rfc throws.
-- **server**: `SAP_AUTH_TYPE=certificate|kerberos` parsed (shared `parseAuthType`); cert/kerberos env fields land in the assembled `SapConfig`; connection created via the direct `createAbapConnection` path (not broker).
-- **Integration (live SAP, gated):** one cert smoke + one kerberos smoke against an on-prem system that supports them. Follow CLAUDE.md soft-mode strategy; do not block CI on secrets (see integration-test-env-gates approach).
-## 7. Release order (cross-package)
-Bottom-up. **The user publishes each package — the agent never runs `npm publish`.** Consumers import published npm versions (not local links), so each step is hard-gated: implement → commit → PR/merge → user publishes → bump consumer to the confirmed version → next step (follow the cross-package-fix-cycle discipline):
-1. `interfaces` — union + fields + `ICertificateMaterialLoader`. User publishes, bump everywhere.
-2. `connection` — connection classes + agent hook + cert loader + `kerberosSpnego` (optionalDep) + factory + signature. User publishes.
-3. `mcp-abap-adt` (server) — `parseAuthType` + env→`SapConfig` + direct `createAbapConnection` wiring + docs. Bump deps to the published versions.
-(`auth-providers` and `auth-broker` are not in the chain — not touched.) Each step gets its own worktree in its repo (per project workflow: worktrees on all changed code repos; spec stays only here).
-## 8. Risks & assumptions
-- **A1 — single-leg Negotiate.** Assumes SAP accepts a one-shot AP-REQ then issues a session cookie (typical for Kerberos). If a system demands mutual-auth continuation (`WWW-Authenticate: Negotiate <challenge>` round-trips), the single-token approach does not cover it; would need a continuation hook. **Accepted for v1** (user-confirmed); validate on a live system before claiming kerberos done.
-- **A2 — native build.** `kerberos` npm compiles native bindings (needs GSSAPI dev libs on Linux / build tools on Windows). Mitigated by `optionalDependencies` + lazy import so non-kerberos installs never touch it.
-- **A3 — TGT availability.** Cross-platform kerberos needs a valid TGT in the OS credential cache (`kinit`) or a keytab. Document prerequisite; not auto-provisioned.
-- **A4 — Agent caching.** `getAxiosInstance()` caches the Agent; ensure cert material is loaded before the first request (it is, in `connect()`), else the cached Agent lacks the client cert.
-- **A5 — duplicate auth parser.** `config.ts` and `utils.ts` both parse `SAP_AUTH_TYPE`; both must change. Optional de-dup flagged in §3.5.
-## 9. Decisions (resolved)
-1. **PEM and PFX both supported** in v1. (user-confirmed)
-2. **Single-leg Negotiate accepted** for v1; no mutual-auth continuation. (user-confirmed)
-3. **cert and kerberos both bypass the broker and auth-providers** — connection-layer only. (user-confirmed)