catalyst-relay 0.2.0 → 0.2.1

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -252,6 +262,15 @@ function debugError(message, cause) {
 
 // src/types/config.ts
 var import_zod = require("zod");
+var samlFormSelectorsSchema = import_zod.z.object({
+  username: import_zod.z.string().min(1),
+  password: import_zod.z.string().min(1),
+  submit: import_zod.z.string().min(1)
+});
+var samlProviderConfigSchema = import_zod.z.object({
+  ignoreHttpsErrors: import_zod.z.boolean(),
+  formSelectors: samlFormSelectorsSchema
+});
 var clientConfigSchema = import_zod.z.object({
   url: import_zod.z.string().url(),
   client: import_zod.z.string().min(1).max(3),
@@ -265,10 +284,14 @@ var clientConfigSchema = import_zod.z.object({
       type: import_zod.z.literal("saml"),
       username: import_zod.z.string().min(1),
       password: import_zod.z.string().min(1),
-      provider: import_zod.z.string().optional()
+      providerConfig: samlProviderConfigSchema.optional()
     }),
     import_zod.z.object({
       type: import_zod.z.literal("sso"),
+      slsUrl: import_zod.z.string().url(),
+      profile: import_zod.z.string().optional(),
+      servicePrincipalName: import_zod.z.string().optional(),
+      forceEnroll: import_zod.z.boolean().optional(),
       certificate: import_zod.z.string().optional()
     })
   ]),
@@ -276,6 +299,16 @@ var clientConfigSchema = import_zod.z.object({
   insecure: import_zod.z.boolean().optional()
 });
 
+// src/core/session/types.ts
+var DEFAULT_SESSION_CONFIG = {
+  sessionTimeout: 10800,
+  // 3 hours (Basic/SSO)
+  samlSessionTimeout: 1800,
+  // 30 minutes (SAML)
+  cleanupInterval: 60
+  // 1 minute
+};
+
 // src/core/session/login.ts
 async function fetchCsrfToken(state, request) {
   const endpoint = state.config.auth.type === "saml" ? "/sap/bc/adt/core/http/sessions" : "/sap/bc/adt/compatibility/graph";
@@ -308,22 +341,43 @@ async function fetchCsrfToken(state, request) {
   debug(`Stored CSRF token in state: ${state.csrfToken?.substring(0, 20)}...`);
   return ok(token);
 }
-async function login(state, request) {
-  if (state.config.auth.type === "saml") {
-    return err(new Error("SAML authentication not yet implemented"));
+function getSessionTimeout(authType) {
+  switch (authType) {
+    case "saml":
+      return DEFAULT_SESSION_CONFIG.samlSessionTimeout * 1e3;
+    case "basic":
+    case "sso":
+      return DEFAULT_SESSION_CONFIG.sessionTimeout * 1e3;
+    default: {
+      const _exhaustive = authType;
+      return DEFAULT_SESSION_CONFIG.sessionTimeout * 1e3;
+    }
   }
-  if (state.config.auth.type === "sso") {
-    return err(new Error("SSO authentication not yet implemented"));
+}
+function extractUsername(auth) {
+  switch (auth.type) {
+    case "basic":
+    case "saml":
+      return auth.username;
+    case "sso":
+      return process.env["USERNAME"] ?? process.env["USER"] ?? "SSO_USER";
+    default: {
+      const _exhaustive = auth;
+      return "";
+    }
   }
+}
+async function login(state, request) {
   const [token, tokenErr] = await fetchCsrfToken(state, request);
   if (tokenErr) {
     return err(new Error(`Login failed: ${tokenErr.message}`));
   }
-  const username = state.config.auth.type === "basic" ? state.config.auth.username : "";
+  const username = extractUsername(state.config.auth);
+  const timeout = getSessionTimeout(state.config.auth.type);
   const session = {
     sessionId: token,
     username,
-    expiresAt: Date.now() + 8 * 60 * 60 * 1e3
+    expiresAt: Date.now() + timeout
   };
   state.session = session;
   return ok(session);
@@ -1424,7 +1478,590 @@ async function gitDiff(client, object) {
 }
 
 // src/core/client.ts
+var import_undici2 = require("undici");
+
+// src/core/auth/basic/basic.ts
+var BasicAuth = class {
+  type = "basic";
+  authHeader;
+  /**
+   * Create a Basic Auth strategy
+   * @param username - SAP username
+   * @param password - SAP password
+   */
+  constructor(username, password) {
+    if (!username || !password) {
+      throw new Error("BasicAuth requires both username and password");
+    }
+    const credentials = `${username}:${password}`;
+    const encoded = btoa(credentials);
+    this.authHeader = `Basic ${encoded}`;
+  }
+  /**
+   * Get Authorization header with Basic credentials
+   * @returns Headers object with Authorization field
+   */
+  getAuthHeaders() {
+    return {
+      Authorization: this.authHeader
+    };
+  }
+};
+
+// src/core/auth/sso/slsClient.ts
 var import_undici = require("undici");
+
+// src/core/auth/sso/types.ts
+var SLS_DEFAULTS = {
+  PROFILE: "SAPSSO_P",
+  LOGIN_ENDPOINT: "/SecureLoginServer/slc3/doLogin",
+  CERTIFICATE_ENDPOINT: "/SecureLoginServer/slc2/getCertificate",
+  KEY_SIZE: 2048
+};
+var CERTIFICATE_STORAGE = {
+  BASE_DIR: "./certificates/sso",
+  FULL_CHAIN_SUFFIX: "_full_chain.pem",
+  KEY_SUFFIX: "_key.pem"
+};
+
+// src/core/auth/sso/kerberos.ts
+async function loadKerberosModule() {
+  try {
+    const kerberosModule = require("kerberos");
+    return ok(kerberosModule);
+  } catch {
+    return err(new Error(
+      "kerberos package is not installed. Install it with: npm install kerberos"
+    ));
+  }
+}
+async function getSpnegoToken(servicePrincipalName) {
+  const [kerberos, loadErr] = await loadKerberosModule();
+  if (loadErr) return err(loadErr);
+  try {
+    const client = await kerberos.initializeClient(servicePrincipalName);
+    const token = await client.step("");
+    if (!token) {
+      return err(new Error("Failed to generate SPNEGO token: empty response"));
+    }
+    return ok(token);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Kerberos authentication failed: ${message}`));
+  }
+}
+function extractSpnFromUrl(slsUrl) {
+  const url = new URL(slsUrl);
+  return `HTTP/${url.hostname}`;
+}
+
+// src/core/auth/sso/certificate.ts
+var import_node_forge = __toESM(require("node-forge"));
+function generateKeypair(keySize = SLS_DEFAULTS.KEY_SIZE) {
+  const keypair = import_node_forge.default.pki.rsa.generateKeyPair({ bits: keySize, e: 65537 });
+  const privateKeyPem = import_node_forge.default.pki.privateKeyToPem(keypair.privateKey);
+  return {
+    privateKeyPem,
+    privateKey: keypair.privateKey,
+    publicKey: keypair.publicKey
+  };
+}
+function createCsr(keypair, username) {
+  const csr = import_node_forge.default.pki.createCertificationRequest();
+  csr.publicKey = keypair.publicKey;
+  csr.setSubject([{
+    name: "commonName",
+    value: username
+  }]);
+  csr.setAttributes([{
+    name: "extensionRequest",
+    extensions: [
+      {
+        name: "keyUsage",
+        digitalSignature: true,
+        keyEncipherment: true
+      },
+      {
+        name: "extKeyUsage",
+        clientAuth: true
+      }
+    ]
+  }]);
+  csr.sign(keypair.privateKey, import_node_forge.default.md.sha256.create());
+  const csrAsn1 = import_node_forge.default.pki.certificationRequestToAsn1(csr);
+  const csrDer = import_node_forge.default.asn1.toDer(csrAsn1);
+  return Buffer.from(csrDer.getBytes(), "binary");
+}
+function getCurrentUsername() {
+  return process.env["USERNAME"] ?? process.env["USER"] ?? "unknown";
+}
+
+// src/core/auth/sso/pkcs7.ts
+var import_node_forge2 = __toESM(require("node-forge"));
+function parsePkcs7Certificates(data) {
+  try {
+    const dataString = data.toString("utf-8").replace(/\r?\n/g, "").trim();
+    const derBytes = import_node_forge2.default.util.decode64(dataString);
+    const p7Asn1 = import_node_forge2.default.asn1.fromDer(derBytes);
+    const p7 = import_node_forge2.default.pkcs7.messageFromAsn1(p7Asn1);
+    if (!("certificates" in p7) || !p7.certificates || p7.certificates.length === 0) {
+      return err(new Error("No certificates found in PKCS#7 structure"));
+    }
+    const certificates = p7.certificates;
+    const clientCert = certificates[0];
+    const caCerts = certificates.slice(1);
+    if (!clientCert) {
+      return err(new Error("No client certificate found in PKCS#7 structure"));
+    }
+    const clientCertPem = import_node_forge2.default.pki.certificateToPem(clientCert);
+    const caChainPem = caCerts.map((cert) => import_node_forge2.default.pki.certificateToPem(cert)).join("");
+    return ok({
+      clientCert: clientCertPem,
+      caChain: caChainPem,
+      fullChain: clientCertPem + caChainPem
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to parse PKCS#7 certificates: ${message}`));
+  }
+}
+
+// src/core/auth/sso/slsClient.ts
+async function enrollCertificate(options) {
+  const { config, insecure = false } = options;
+  const profile = config.profile ?? SLS_DEFAULTS.PROFILE;
+  const agent = insecure ? new import_undici.Agent({ connect: { rejectUnauthorized: false } }) : void 0;
+  const [authResponse, authErr] = await authenticateToSls(config, profile, agent);
+  if (authErr) return err(authErr);
+  const keySize = authResponse.clientConfig.keySize ?? SLS_DEFAULTS.KEY_SIZE;
+  const keypair = generateKeypair(keySize);
+  const username = getCurrentUsername();
+  const csrDer = createCsr(keypair, username);
+  const [certData, certErr] = await requestCertificate(config, profile, csrDer, agent);
+  if (certErr) return err(certErr);
+  const [certs, parseErr] = parsePkcs7Certificates(certData);
+  if (parseErr) return err(parseErr);
+  return ok({
+    fullChain: certs.fullChain,
+    privateKey: keypair.privateKeyPem
+  });
+}
+async function authenticateToSls(config, profile, agent) {
+  const spn = config.servicePrincipalName ?? extractSpnFromUrl(config.slsUrl);
+  const [token, tokenErr] = await getSpnegoToken(spn);
+  if (tokenErr) return err(tokenErr);
+  const authUrl = `${config.slsUrl}${SLS_DEFAULTS.LOGIN_ENDPOINT}?profile=${profile}`;
+  try {
+    const fetchOptions = {
+      method: "POST",
+      headers: {
+        "Authorization": `Negotiate ${token}`,
+        "Accept": "*/*"
+      }
+    };
+    if (agent) {
+      fetchOptions.dispatcher = agent;
+    }
+    const response = await (0, import_undici.fetch)(authUrl, fetchOptions);
+    if (!response.ok) {
+      const text = await response.text();
+      return err(new Error(`SLS authentication failed: ${response.status} - ${text}`));
+    }
+    const authResponse = await response.json();
+    return ok(authResponse);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`SLS authentication request failed: ${message}`));
+  }
+}
+async function requestCertificate(config, profile, csrDer, agent) {
+  const certUrl = `${config.slsUrl}${SLS_DEFAULTS.CERTIFICATE_ENDPOINT}?profile=${profile}`;
+  try {
+    const fetchOptions = {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/pkcs10",
+        "Content-Length": String(csrDer.length),
+        "Accept": "*/*"
+      },
+      body: csrDer
+    };
+    if (agent) {
+      fetchOptions.dispatcher = agent;
+    }
+    const response = await (0, import_undici.fetch)(certUrl, fetchOptions);
+    if (!response.ok) {
+      const text = await response.text();
+      return err(new Error(`Certificate request failed: ${response.status} - ${text}`));
+    }
+    const buffer = await response.arrayBuffer();
+    return ok(Buffer.from(buffer));
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Certificate request failed: ${message}`));
+  }
+}
+
+// src/core/auth/sso/storage.ts
+var import_promises = require("fs/promises");
+var import_node_path = require("path");
+function getCertificatePaths(username) {
+  const user = username ?? getCurrentUsername();
+  return {
+    fullChainPath: (0, import_node_path.join)(CERTIFICATE_STORAGE.BASE_DIR, `${user}${CERTIFICATE_STORAGE.FULL_CHAIN_SUFFIX}`),
+    keyPath: (0, import_node_path.join)(CERTIFICATE_STORAGE.BASE_DIR, `${user}${CERTIFICATE_STORAGE.KEY_SUFFIX}`)
+  };
+}
+async function saveCertificates(material, username) {
+  const paths = getCertificatePaths(username);
+  try {
+    await (0, import_promises.mkdir)(CERTIFICATE_STORAGE.BASE_DIR, { recursive: true });
+    await (0, import_promises.writeFile)(paths.fullChainPath, material.fullChain, "utf-8");
+    await (0, import_promises.writeFile)(paths.keyPath, material.privateKey, { encoding: "utf-8", mode: 384 });
+    return ok(paths);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to save certificates: ${message}`));
+  }
+}
+async function loadCertificates(username) {
+  const paths = getCertificatePaths(username);
+  try {
+    const [fullChain, privateKey] = await Promise.all([
+      (0, import_promises.readFile)(paths.fullChainPath, "utf-8"),
+      (0, import_promises.readFile)(paths.keyPath, "utf-8")
+    ]);
+    return ok({ fullChain, privateKey });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to load certificates: ${message}`));
+  }
+}
+async function certificatesExist(username) {
+  const paths = getCertificatePaths(username);
+  try {
+    await Promise.all([
+      (0, import_promises.stat)(paths.fullChainPath),
+      (0, import_promises.stat)(paths.keyPath)
+    ]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isCertificateExpired(certPem, bufferDays = 1) {
+  try {
+    const forge3 = require("node-forge");
+    const cert = forge3.pki.certificateFromPem(certPem);
+    const notAfter = cert.validity.notAfter;
+    const bufferMs = bufferDays * 24 * 60 * 60 * 1e3;
+    const expiryThreshold = new Date(Date.now() + bufferMs);
+    return ok(notAfter <= expiryThreshold);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to check certificate expiry: ${message}`));
+  }
+}
+
+// src/core/auth/sso/sso.ts
+var SsoAuth = class {
+  type = "sso";
+  config;
+  certificates = null;
+  /**
+   * Create an SSO Auth strategy
+   *
+   * @param config - SSO authentication configuration
+   */
+  constructor(config) {
+    if (!config.slsUrl) {
+      throw new Error("SsoAuth requires slsUrl");
+    }
+    this.config = config;
+  }
+  /**
+   * Get auth headers for SSO
+   *
+   * SSO uses mTLS for authentication, not headers.
+   * Returns empty headers - the mTLS agent handles auth.
+   */
+  getAuthHeaders() {
+    return {};
+  }
+  /**
+   * Get mTLS certificates
+   *
+   * Returns the certificate material after successful login.
+   * Used by ADT client to create an mTLS agent.
+   *
+   * @returns Certificate material or null if not enrolled
+   */
+  getCertificates() {
+    return this.certificates;
+  }
+  /**
+   * Perform SSO login via certificate enrollment
+   *
+   * Checks for existing valid certificates and enrolls new ones if needed.
+   *
+   * @param _fetchFn - Unused, kept for interface compatibility
+   * @returns Success/error tuple
+   */
+  async performLogin(_fetchFn) {
+    if (!this.config.forceEnroll) {
+      const [loadResult, loadErr] = await this.tryLoadExistingCertificates();
+      if (!loadErr && loadResult) {
+        this.certificates = loadResult;
+        return ok(void 0);
+      }
+    }
+    const slsConfig = {
+      slsUrl: this.config.slsUrl
+    };
+    if (this.config.profile) {
+      slsConfig.profile = this.config.profile;
+    }
+    if (this.config.servicePrincipalName) {
+      slsConfig.servicePrincipalName = this.config.servicePrincipalName;
+    }
+    const [material, enrollErr] = await enrollCertificate({
+      config: slsConfig,
+      insecure: this.config.insecure ?? false
+    });
+    if (enrollErr) {
+      return err(enrollErr);
+    }
+    if (!this.config.returnContents) {
+      const [, saveErr] = await saveCertificates(material);
+      if (saveErr) {
+        return err(saveErr);
+      }
+    }
+    this.certificates = material;
+    return ok(void 0);
+  }
+  /**
+   * Try to load and validate existing certificates
+   */
+  async tryLoadExistingCertificates() {
+    const exists = await certificatesExist();
+    if (!exists) {
+      return err(new Error("No existing certificates found"));
+    }
+    const [material, loadErr] = await loadCertificates();
+    if (loadErr) {
+      return err(loadErr);
+    }
+    const [isExpired, expiryErr] = isCertificateExpired(material.fullChain);
+    if (expiryErr) {
+      return err(expiryErr);
+    }
+    if (isExpired) {
+      return err(new Error("Certificate is expired or expiring soon"));
+    }
+    return ok(material);
+  }
+};
+
+// src/core/auth/saml/types.ts
+var DEFAULT_FORM_SELECTORS = {
+  username: "#j_username",
+  password: "#j_password",
+  submit: "#logOnFormSubmit"
+};
+var DEFAULT_PROVIDER_CONFIG = {
+  ignoreHttpsErrors: false,
+  formSelectors: DEFAULT_FORM_SELECTORS
+};
+
+// src/core/auth/saml/browser.ts
+var TIMEOUTS = {
+  PAGE_LOAD: 6e4,
+  FORM_SELECTOR: 1e4
+};
+async function performBrowserLogin(options) {
+  const { baseUrl, credentials, headless = true } = options;
+  const config = options.providerConfig ?? DEFAULT_PROVIDER_CONFIG;
+  let playwright;
+  try {
+    playwright = await import("playwright");
+  } catch {
+    return err(
+      new Error(
+        "Playwright is required for SAML authentication but is not installed. Install it with: npm install playwright"
+      )
+    );
+  }
+  const browserArgs = config.ignoreHttpsErrors ? ["--ignore-certificate-errors", "--disable-web-security"] : [];
+  let browser;
+  try {
+    browser = await playwright.chromium.launch({
+      headless,
+      args: browserArgs
+    });
+  } catch (launchError) {
+    return err(
+      new Error(
+        `Failed to launch browser: ${launchError instanceof Error ? launchError.message : String(launchError)}`
+      )
+    );
+  }
+  try {
+    const context = await browser.newContext({
+      ignoreHTTPSErrors: config.ignoreHttpsErrors
+    });
+    const page = await context.newPage();
+    const loginUrl = `${baseUrl}/sap/bc/adt/compatibility/graph`;
+    try {
+      await page.goto(loginUrl, {
+        timeout: TIMEOUTS.PAGE_LOAD,
+        waitUntil: "domcontentloaded"
+      });
+    } catch {
+      return err(new Error("Failed to load login page. Please check if the server is online."));
+    }
+    try {
+      await page.waitForSelector(config.formSelectors.username, {
+        timeout: TIMEOUTS.FORM_SELECTOR
+      });
+    } catch {
+      return err(new Error("Login form not found. The page may have changed or loaded incorrectly."));
+    }
+    await page.fill(config.formSelectors.username, credentials.username);
+    await page.fill(config.formSelectors.password, credentials.password);
+    await page.click(config.formSelectors.submit);
+    await page.waitForLoadState("networkidle");
+    const cookies = await context.cookies();
+    return ok(cookies);
+  } finally {
+    await browser.close();
+  }
+}
+
+// src/core/auth/saml/cookies.ts
+function toAuthCookies(playwrightCookies) {
+  return playwrightCookies.map((cookie) => ({
+    name: cookie.name,
+    value: cookie.value,
+    domain: cookie.domain,
+    path: cookie.path
+  }));
+}
+function formatCookieHeader(cookies) {
+  return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
+}
+
+// src/core/auth/saml/saml.ts
+var SamlAuth = class {
+  type = "saml";
+  cookies = [];
+  config;
+  /**
+   * Create a SAML Auth strategy
+   *
+   * @param config - SAML authentication configuration
+   */
+  constructor(config) {
+    if (!config.username || !config.password) {
+      throw new Error("SamlAuth requires both username and password");
+    }
+    if (!config.baseUrl) {
+      throw new Error("SamlAuth requires baseUrl");
+    }
+    this.config = config;
+  }
+  /**
+   * Get auth headers for SAML
+   *
+   * After successful login, includes Cookie header with session cookies.
+   */
+  getAuthHeaders() {
+    if (this.cookies.length === 0) {
+      return {};
+    }
+    return {
+      Cookie: formatCookieHeader(this.cookies)
+    };
+  }
+  /**
+   * Get authentication cookies
+   *
+   * @returns Array of cookies obtained during SAML login
+   */
+  getCookies() {
+    return this.cookies;
+  }
+  /**
+   * Perform SAML login using headless browser automation
+   *
+   * Launches a Chromium browser, navigates to the SAP login page,
+   * fills in credentials, and extracts session cookies.
+   *
+   * @param _fetchFn - Unused, kept for interface compatibility
+   * @returns Success/error tuple
+   */
+  async performLogin(_fetchFn) {
+    const [playwrightCookies, loginError] = await performBrowserLogin({
+      baseUrl: this.config.baseUrl,
+      credentials: {
+        username: this.config.username,
+        password: this.config.password
+      },
+      ...this.config.providerConfig && { providerConfig: this.config.providerConfig }
+    });
+    if (loginError) {
+      return err(loginError);
+    }
+    this.cookies = toAuthCookies(playwrightCookies);
+    if (this.cookies.length === 0) {
+      return err(new Error("SAML login succeeded but no cookies were returned"));
+    }
+    return ok(void 0);
+  }
+};
+
+// src/core/auth/factory.ts
+function createAuthStrategy(options) {
+  const { config, baseUrl, insecure } = options;
+  switch (config.type) {
+    case "basic":
+      return new BasicAuth(config.username, config.password);
+    case "saml":
+      if (!baseUrl) {
+        throw new Error("SAML authentication requires baseUrl");
+      }
+      return new SamlAuth({
+        username: config.username,
+        password: config.password,
+        baseUrl,
+        ...config.providerConfig && { providerConfig: config.providerConfig }
+      });
+    case "sso": {
+      const ssoConfig = {
+        slsUrl: config.slsUrl
+      };
+      if (config.profile) {
+        ssoConfig.profile = config.profile;
+      }
+      if (config.servicePrincipalName) {
+        ssoConfig.servicePrincipalName = config.servicePrincipalName;
+      }
+      if (config.forceEnroll) {
+        ssoConfig.forceEnroll = config.forceEnroll;
+      }
+      if (insecure) {
+        ssoConfig.insecure = insecure;
+      }
+      return new SsoAuth(ssoConfig);
+    }
+    default: {
+      const _exhaustive = config;
+      throw new Error(`Unknown auth type: ${_exhaustive.type}`);
+    }
+  }
+}
+
+// src/core/client.ts
 function buildParams(baseParams, clientNum) {
   const params = new URLSearchParams();
   if (baseParams) {
@@ -1449,15 +2086,24 @@ var ADTClientImpl = class {
   requestor;
   agent;
   constructor(config) {
+    const authOptions = {
+      config: config.auth,
+      baseUrl: config.url
+    };
+    if (config.insecure) {
+      authOptions.insecure = config.insecure;
+    }
+    const authStrategy = createAuthStrategy(authOptions);
     this.state = {
       config,
       session: null,
       csrfToken: null,
-      cookies: /* @__PURE__ */ new Map()
+      cookies: /* @__PURE__ */ new Map(),
+      authStrategy
     };
     this.requestor = { request: this.request.bind(this) };
     if (config.insecure) {
-      this.agent = new import_undici.Agent({
+      this.agent = new import_undici2.Agent({
         connect: {
           rejectUnauthorized: false,
           checkServerIdentity: () => void 0
@@ -1518,7 +2164,7 @@ var ADTClientImpl = class {
     try {
       debug(`Fetching URL: ${url}`);
       debug(`Insecure mode: ${!!this.agent}`);
-      const response = await (0, import_undici.fetch)(url, fetchOptions);
+      const response = await (0, import_undici2.fetch)(url, fetchOptions);
       this.storeCookies(response);
       if (response.status === 403) {
         const text = await response.text();
@@ -1533,7 +2179,7 @@ var ADTClientImpl = class {
             headers["Cookie"] = retryCookieHeader;
           }
           debug(`Retrying with new CSRF token: ${newToken.substring(0, 20)}...`);
-          const retryResponse = await (0, import_undici.fetch)(url, { ...fetchOptions, headers });
+          const retryResponse = await (0, import_undici2.fetch)(url, { ...fetchOptions, headers });
           this.storeCookies(retryResponse);
           return ok(retryResponse);
         }
@@ -1569,6 +2215,29 @@ var ADTClientImpl = class {
   }
   // --- Lifecycle ---
   async login() {
+    const { authStrategy } = this.state;
+    if (authStrategy.performLogin) {
+      const [, loginErr] = await authStrategy.performLogin(fetch);
+      if (loginErr) {
+        return err(loginErr);
+      }
+    }
+    if (authStrategy.type === "sso" && authStrategy.getCertificates) {
+      const certs = authStrategy.getCertificates();
+      if (certs) {
+        this.agent = new import_undici2.Agent({
+          connect: {
+            cert: certs.fullChain,
+            key: certs.privateKey,
+            rejectUnauthorized: !this.state.config.insecure,
+            ...this.state.config.insecure && {
+              checkServerIdentity: () => void 0
+            }
+          }
+        });
+        debug("Created mTLS agent with SSO certificates");
+      }
+    }
     return login(this.state, this.request.bind(this));
   }
   async logout() {