catalyst-relay 0.2.0 → 0.2.2

package/dist/index.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,6 +17,14 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
@@ -115,93 +125,6 @@ function dictToAbapXml(data, root = "DATA") {
 </asx:abap>`;
 }
 
-// src/core/utils/sql.ts
-var SqlValidationError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "SqlValidationError";
-  }
-};
-function validateSqlInput(input, maxLength = 1e4) {
-  if (typeof input !== "string") {
-    return err(new SqlValidationError("Input must be a string"));
-  }
-  if (input.length > maxLength) {
-    return err(new SqlValidationError(`Input exceeds maximum length of ${maxLength}`));
-  }
-  const dangerousPatterns = [
-    {
-      pattern: /\b(DROP|DELETE|INSERT|UPDATE|ALTER|CREATE|TRUNCATE)\s+/i,
-      description: "DDL/DML keywords (DROP, DELETE, INSERT, etc.)"
-    },
-    {
-      pattern: /;[\s]*\w/,
-      description: "Statement termination followed by another statement"
-    },
-    {
-      pattern: /--[\s]*\w/,
-      description: "SQL comments with content"
-    },
-    {
-      pattern: /\/\*.*?\*\//,
-      description: "Block comments"
-    },
-    {
-      pattern: /\bEXEC(UTE)?\s*\(/i,
-      description: "Procedure execution"
-    },
-    {
-      pattern: /\bSP_\w+/i,
-      description: "Stored procedures"
-    },
-    {
-      pattern: /\bXP_\w+/i,
-      description: "Extended stored procedures"
-    },
-    {
-      pattern: /\bUNION\s+(ALL\s+)?SELECT/i,
-      description: "Union-based injection"
-    },
-    {
-      pattern: /@@\w+/,
-      description: "System variables"
-    },
-    {
-      pattern: /\bDECLARE\s+@/i,
-      description: "Variable declarations"
-    },
-    {
-      pattern: /\bCAST\s*\(/i,
-      description: "Type casting"
-    },
-    {
-      pattern: /\bCONVERT\s*\(/i,
-      description: "Type conversion"
-    }
-  ];
-  for (const { pattern, description } of dangerousPatterns) {
-    if (pattern.test(input)) {
-      return err(new SqlValidationError(
-        `Input contains potentially dangerous SQL pattern: ${description}`
-      ));
-    }
-  }
-  const specialCharMatches = input.match(/[;'"\\]/g);
-  const specialCharCount = specialCharMatches ? specialCharMatches.length : 0;
-  if (specialCharCount > 5) {
-    return err(new SqlValidationError("Input contains excessive special characters"));
-  }
-  const singleQuoteCount = (input.match(/'/g) || []).length;
-  if (singleQuoteCount % 2 !== 0) {
-    return err(new SqlValidationError("Unbalanced single quotes detected"));
-  }
-  const doubleQuoteCount = (input.match(/"/g) || []).length;
-  if (doubleQuoteCount % 2 !== 0) {
-    return err(new SqlValidationError("Unbalanced double quotes detected"));
-  }
-  return ok(true);
-}
-
 // src/core/utils/csrf.ts
 var FETCH_CSRF_TOKEN = "fetch";
 var CSRF_TOKEN_HEADER = "x-csrf-token";
@@ -252,6 +175,15 @@ function debugError(message, cause) {
 
 // src/types/config.ts
 var import_zod = require("zod");
+var samlFormSelectorsSchema = import_zod.z.object({
+  username: import_zod.z.string().min(1),
+  password: import_zod.z.string().min(1),
+  submit: import_zod.z.string().min(1)
+});
+var samlProviderConfigSchema = import_zod.z.object({
+  ignoreHttpsErrors: import_zod.z.boolean(),
+  formSelectors: samlFormSelectorsSchema
+});
 var clientConfigSchema = import_zod.z.object({
   url: import_zod.z.string().url(),
   client: import_zod.z.string().min(1).max(3),
@@ -265,10 +197,14 @@ var clientConfigSchema = import_zod.z.object({
       type: import_zod.z.literal("saml"),
       username: import_zod.z.string().min(1),
       password: import_zod.z.string().min(1),
-      provider: import_zod.z.string().optional()
+      providerConfig: samlProviderConfigSchema.optional()
     }),
     import_zod.z.object({
       type: import_zod.z.literal("sso"),
+      slsUrl: import_zod.z.string().url(),
+      profile: import_zod.z.string().optional(),
+      servicePrincipalName: import_zod.z.string().optional(),
+      forceEnroll: import_zod.z.boolean().optional(),
       certificate: import_zod.z.string().optional()
     })
   ]),
@@ -276,6 +212,16 @@ var clientConfigSchema = import_zod.z.object({
   insecure: import_zod.z.boolean().optional()
 });
 
+// src/core/session/types.ts
+var DEFAULT_SESSION_CONFIG = {
+  sessionTimeout: 10800,
+  // 3 hours (Basic/SSO)
+  samlSessionTimeout: 1800,
+  // 30 minutes (SAML)
+  cleanupInterval: 60
+  // 1 minute
+};
+
 // src/core/session/login.ts
 async function fetchCsrfToken(state, request) {
   const endpoint = state.config.auth.type === "saml" ? "/sap/bc/adt/core/http/sessions" : "/sap/bc/adt/compatibility/graph";
@@ -308,22 +254,43 @@ async function fetchCsrfToken(state, request) {
   debug(`Stored CSRF token in state: ${state.csrfToken?.substring(0, 20)}...`);
   return ok(token);
 }
-async function login(state, request) {
-  if (state.config.auth.type === "saml") {
-    return err(new Error("SAML authentication not yet implemented"));
+function getSessionTimeout(authType) {
+  switch (authType) {
+    case "saml":
+      return DEFAULT_SESSION_CONFIG.samlSessionTimeout * 1e3;
+    case "basic":
+    case "sso":
+      return DEFAULT_SESSION_CONFIG.sessionTimeout * 1e3;
+    default: {
+      const _exhaustive = authType;
+      return DEFAULT_SESSION_CONFIG.sessionTimeout * 1e3;
+    }
   }
-  if (state.config.auth.type === "sso") {
-    return err(new Error("SSO authentication not yet implemented"));
+}
+function extractUsername(auth) {
+  switch (auth.type) {
+    case "basic":
+    case "saml":
+      return auth.username;
+    case "sso":
+      return process.env["USERNAME"] ?? process.env["USER"] ?? "SSO_USER";
+    default: {
+      const _exhaustive = auth;
+      return "";
+    }
   }
+}
+async function login(state, request) {
   const [token, tokenErr] = await fetchCsrfToken(state, request);
   if (tokenErr) {
     return err(new Error(`Login failed: ${tokenErr.message}`));
   }
-  const username = state.config.auth.type === "basic" ? state.config.auth.username : "";
+  const username = extractUsername(state.config.auth);
+  const timeout = getSessionTimeout(state.config.auth.type);
   const session = {
     sessionId: token,
     username,
-    expiresAt: Date.now() + 8 * 60 * 60 * 1e3
+    expiresAt: Date.now() + timeout
   };
   state.session = session;
   return ok(session);
@@ -904,63 +871,6 @@ function extractTransports(xml) {
   return ok(transports);
 }
 
-// src/core/adt/queryBuilder.ts
-function buildWhereClauses(filters) {
-  if (!filters || filters.length === 0) {
-    return "";
-  }
-  const clauses = filters.map((filter) => {
-    const { column, operator, value } = filter;
-    switch (operator) {
-      case "eq":
-        return `${column} = ${formatValue(value)}`;
-      case "ne":
-        return `${column} != ${formatValue(value)}`;
-      case "gt":
-        return `${column} > ${formatValue(value)}`;
-      case "ge":
-        return `${column} >= ${formatValue(value)}`;
-      case "lt":
-        return `${column} < ${formatValue(value)}`;
-      case "le":
-        return `${column} <= ${formatValue(value)}`;
-      case "like":
-        return `${column} LIKE ${formatValue(value)}`;
-      case "in":
-        if (Array.isArray(value)) {
-          const values = value.map((v) => formatValue(v)).join(", ");
-          return `${column} IN (${values})`;
-        }
-        return `${column} IN (${formatValue(value)})`;
-      default:
-        return "";
-    }
-  }).filter((c) => c);
-  if (clauses.length === 0) {
-    return "";
-  }
-  return ` WHERE ${clauses.join(" AND ")}`;
-}
-function buildOrderByClauses(orderBy) {
-  if (!orderBy || orderBy.length === 0) {
-    return "";
-  }
-  const clauses = orderBy.map((o) => `${o.column} ${o.direction.toUpperCase()}`);
-  return ` ORDER BY ${clauses.join(", ")}`;
-}
-function formatValue(value) {
-  if (value === null) {
-    return "NULL";
-  }
-  if (typeof value === "string") {
-    return `'${value.replace(/'/g, "''")}'`;
-  }
-  if (typeof value === "boolean") {
-    return value ? "1" : "0";
-  }
-  return String(value);
-}
-
 // src/core/adt/previewParser.ts
 function parseDataPreview(xml, maxRows, isTable) {
   const [doc, parseErr] = safeParseXml(xml);
@@ -979,10 +889,18 @@ function parseDataPreview(xml, maxRows, isTable) {
     if (!name || !dataType) continue;
     columns.push({ name, dataType });
   }
+  const dataSetElements = doc.getElementsByTagNameNS(namespace, "dataSet");
+  if (columns.length === 0 && dataSetElements.length > 0) {
+    for (let i = 0; i < dataSetElements.length; i++) {
+      const dataSet = dataSetElements[i];
+      if (!dataSet) continue;
+      const name = dataSet.getAttributeNS(namespace, "columnName") || dataSet.getAttribute("columnName") || `column${i}`;
+      columns.push({ name, dataType: "unknown" });
+    }
+  }
   if (columns.length === 0) {
-    return err(new Error("No columns found in preview response"));
+    return ok({ columns: [], rows: [], totalRows: 0 });
   }
-  const dataSetElements = doc.getElementsByTagNameNS(namespace, "dataSet");
   const columnData = Array.from({ length: columns.length }, () => []);
   for (let i = 0; i < dataSetElements.length; i++) {
     const dataSet = dataSetElements[i];
@@ -1012,23 +930,16 @@ function parseDataPreview(xml, maxRows, isTable) {
   return ok(dataFrame);
 }
 
-// src/core/adt/data.ts
+// src/core/adt/dataPreview.ts
 async function previewData(client, query) {
   const extension = query.objectType === "table" ? "astabldt" : "asddls";
   const config = getConfigByExtension(extension);
-  if (!config || !config.dpEndpoint || !config.dpParam) {
+  if (!config?.dpEndpoint || !config?.dpParam) {
     return err(new Error(`Data preview not supported for object type: ${query.objectType}`));
   }
   const limit = query.limit ?? 100;
-  const whereClauses = buildWhereClauses(query.filters);
-  const orderByClauses = buildOrderByClauses(query.orderBy);
-  const sqlQuery = `select * from ${query.objectName}${whereClauses}${orderByClauses}`;
-  const [, validationErr] = validateSqlInput(sqlQuery);
-  if (validationErr) {
-    return err(new Error(`SQL validation failed: ${validationErr.message}`));
-  }
   debug(`Data preview: endpoint=${config.dpEndpoint}, param=${config.dpParam}=${query.objectName}`);
-  debug(`SQL: ${sqlQuery}`);
+  debug(`SQL: ${query.sqlQuery}`);
   const [response, requestErr] = await client.request({
     method: "POST",
     path: `/sap/bc/adt/datapreview/${config.dpEndpoint}`,
@@ -1040,7 +951,7 @@ async function previewData(client, query) {
       "Accept": "application/vnd.sap.adt.datapreview.table.v1+xml",
       "Content-Type": "text/plain"
     },
-    body: sqlQuery
+    body: query.sqlQuery
   });
   if (requestErr) {
     return err(requestErr);
@@ -1062,109 +973,41 @@ async function previewData(client, query) {
 // src/core/adt/distinct.ts
 var MAX_ROW_COUNT = 5e4;
 async function getDistinctValues(client, objectName, column, objectType = "view") {
-  const extension = objectType === "table" ? "astabldt" : "asddls";
-  const config = getConfigByExtension(extension);
-  if (!config || !config.dpEndpoint || !config.dpParam) {
-    return err(new Error(`Data preview not supported for object type: ${objectType}`));
-  }
   const columnName = column.toUpperCase();
   const sqlQuery = `SELECT ${columnName} AS value, COUNT(*) AS count FROM ${objectName} GROUP BY ${columnName}`;
-  const [, validationErr] = validateSqlInput(sqlQuery);
-  if (validationErr) {
-    return err(new Error(`SQL validation failed: ${validationErr.message}`));
-  }
-  const [response, requestErr] = await client.request({
-    method: "POST",
-    path: `/sap/bc/adt/datapreview/${config.dpEndpoint}`,
-    params: {
-      "rowNumber": MAX_ROW_COUNT,
-      [config.dpParam]: objectName
-    },
-    headers: {
-      "Accept": "application/vnd.sap.adt.datapreview.table.v1+xml"
-    },
-    body: sqlQuery
+  const [dataFrame, error] = await previewData(client, {
+    objectName,
+    objectType,
+    sqlQuery,
+    limit: MAX_ROW_COUNT
   });
-  if (requestErr) {
-    return err(requestErr);
-  }
-  if (!response.ok) {
-    const text2 = await response.text();
-    const errorMsg = extractError(text2);
-    return err(new Error(`Distinct values query failed: ${errorMsg}`));
-  }
-  const text = await response.text();
-  const [doc, parseErr] = safeParseXml(text);
-  if (parseErr) {
-    return err(parseErr);
-  }
-  const dataSets = doc.getElementsByTagNameNS("http://www.sap.com/adt/dataPreview", "dataSet");
-  const values = [];
-  for (let i = 0; i < dataSets.length; i++) {
-    const dataSet = dataSets[i];
-    if (!dataSet) continue;
-    const dataElements = dataSet.getElementsByTagNameNS("http://www.sap.com/adt/dataPreview", "data");
-    if (dataElements.length < 2) continue;
-    const value = dataElements[0]?.textContent ?? "";
-    const countText = dataElements[1]?.textContent?.trim() ?? "0";
-    values.push({
-      value,
-      count: parseInt(countText, 10)
-    });
-  }
-  const result = {
-    column,
-    values
-  };
-  return ok(result);
+  if (error) {
+    return err(new Error(`Distinct values query failed: ${error.message}`));
+  }
+  const values = dataFrame.rows.map((row) => ({
+    value: row[0],
+    count: parseInt(String(row[1]), 10)
+  }));
+  return ok({ column, values });
 }
 
 // src/core/adt/count.ts
 async function countRows(client, objectName, objectType) {
-  const extension = objectType === "table" ? "astabldt" : "asddls";
-  const config = getConfigByExtension(extension);
-  if (!config || !config.dpEndpoint || !config.dpParam) {
-    return err(new Error(`Data preview not supported for object type: ${objectType}`));
-  }
   const sqlQuery = `SELECT COUNT(*) AS count FROM ${objectName}`;
-  const [, validationErr] = validateSqlInput(sqlQuery);
-  if (validationErr) {
-    return err(new Error(`SQL validation failed: ${validationErr.message}`));
-  }
-  const [response, requestErr] = await client.request({
-    method: "POST",
-    path: `/sap/bc/adt/datapreview/${config.dpEndpoint}`,
-    params: {
-      "rowNumber": 1,
-      [config.dpParam]: objectName
-    },
-    headers: {
-      "Accept": "application/vnd.sap.adt.datapreview.table.v1+xml"
-    },
-    body: sqlQuery
+  const [dataFrame, error] = await previewData(client, {
+    objectName,
+    objectType,
+    sqlQuery,
+    limit: 1
   });
-  if (requestErr) {
-    return err(requestErr);
-  }
-  if (!response.ok) {
-    const text2 = await response.text();
-    const errorMsg = extractError(text2);
-    return err(new Error(`Row count query failed: ${errorMsg}`));
-  }
-  const text = await response.text();
-  const [doc, parseErr] = safeParseXml(text);
-  if (parseErr) {
-    return err(parseErr);
+  if (error) {
+    return err(new Error(`Row count query failed: ${error.message}`));
   }
-  const dataElements = doc.getElementsByTagNameNS("http://www.sap.com/adt/dataPreview", "data");
-  if (dataElements.length === 0) {
+  const countValue = dataFrame.rows[0]?.[0];
+  if (countValue === void 0) {
     return err(new Error("No count value returned"));
   }
-  const countText = dataElements[0]?.textContent?.trim();
-  if (!countText) {
-    return err(new Error("Empty count value returned"));
-  }
-  const count = parseInt(countText, 10);
+  const count = parseInt(String(countValue), 10);
   if (isNaN(count)) {
     return err(new Error("Invalid count value returned"));
   }
@@ -1424,7 +1267,590 @@ async function gitDiff(client, object) {
 }
 
 // src/core/client.ts
+var import_undici2 = require("undici");
+
+// src/core/auth/basic/basic.ts
+var BasicAuth = class {
+  type = "basic";
+  authHeader;
+  /**
+   * Create a Basic Auth strategy
+   * @param username - SAP username
+   * @param password - SAP password
+   */
+  constructor(username, password) {
+    if (!username || !password) {
+      throw new Error("BasicAuth requires both username and password");
+    }
+    const credentials = `${username}:${password}`;
+    const encoded = btoa(credentials);
+    this.authHeader = `Basic ${encoded}`;
+  }
+  /**
+   * Get Authorization header with Basic credentials
+   * @returns Headers object with Authorization field
+   */
+  getAuthHeaders() {
+    return {
+      Authorization: this.authHeader
+    };
+  }
+};
+
+// src/core/auth/sso/slsClient.ts
 var import_undici = require("undici");
+
+// src/core/auth/sso/types.ts
+var SLS_DEFAULTS = {
+  PROFILE: "SAPSSO_P",
+  LOGIN_ENDPOINT: "/SecureLoginServer/slc3/doLogin",
+  CERTIFICATE_ENDPOINT: "/SecureLoginServer/slc2/getCertificate",
+  KEY_SIZE: 2048
+};
+var CERTIFICATE_STORAGE = {
+  BASE_DIR: "./certificates/sso",
+  FULL_CHAIN_SUFFIX: "_full_chain.pem",
+  KEY_SUFFIX: "_key.pem"
+};
+
+// src/core/auth/sso/kerberos.ts
+async function loadKerberosModule() {
+  try {
+    const kerberosModule = require("kerberos");
+    return ok(kerberosModule);
+  } catch {
+    return err(new Error(
+      "kerberos package is not installed. Install it with: npm install kerberos"
+    ));
+  }
+}
+async function getSpnegoToken(servicePrincipalName) {
+  const [kerberos, loadErr] = await loadKerberosModule();
+  if (loadErr) return err(loadErr);
+  try {
+    const client = await kerberos.initializeClient(servicePrincipalName);
+    const token = await client.step("");
+    if (!token) {
+      return err(new Error("Failed to generate SPNEGO token: empty response"));
+    }
+    return ok(token);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Kerberos authentication failed: ${message}`));
+  }
+}
+function extractSpnFromUrl(slsUrl) {
+  const url = new URL(slsUrl);
+  return `HTTP/${url.hostname}`;
+}
+
+// src/core/auth/sso/certificate.ts
+var import_node_forge = __toESM(require("node-forge"));
+function generateKeypair(keySize = SLS_DEFAULTS.KEY_SIZE) {
+  const keypair = import_node_forge.default.pki.rsa.generateKeyPair({ bits: keySize, e: 65537 });
+  const privateKeyPem = import_node_forge.default.pki.privateKeyToPem(keypair.privateKey);
+  return {
+    privateKeyPem,
+    privateKey: keypair.privateKey,
+    publicKey: keypair.publicKey
+  };
+}
+function createCsr(keypair, username) {
+  const csr = import_node_forge.default.pki.createCertificationRequest();
+  csr.publicKey = keypair.publicKey;
+  csr.setSubject([{
+    name: "commonName",
+    value: username
+  }]);
+  csr.setAttributes([{
+    name: "extensionRequest",
+    extensions: [
+      {
+        name: "keyUsage",
+        digitalSignature: true,
+        keyEncipherment: true
+      },
+      {
+        name: "extKeyUsage",
+        clientAuth: true
+      }
+    ]
+  }]);
+  csr.sign(keypair.privateKey, import_node_forge.default.md.sha256.create());
+  const csrAsn1 = import_node_forge.default.pki.certificationRequestToAsn1(csr);
+  const csrDer = import_node_forge.default.asn1.toDer(csrAsn1);
+  return Buffer.from(csrDer.getBytes(), "binary");
+}
+function getCurrentUsername() {
+  return process.env["USERNAME"] ?? process.env["USER"] ?? "unknown";
+}
+
+// src/core/auth/sso/pkcs7.ts
+var import_node_forge2 = __toESM(require("node-forge"));
+function parsePkcs7Certificates(data) {
+  try {
+    const dataString = data.toString("utf-8").replace(/\r?\n/g, "").trim();
+    const derBytes = import_node_forge2.default.util.decode64(dataString);
+    const p7Asn1 = import_node_forge2.default.asn1.fromDer(derBytes);
+    const p7 = import_node_forge2.default.pkcs7.messageFromAsn1(p7Asn1);
+    if (!("certificates" in p7) || !p7.certificates || p7.certificates.length === 0) {
+      return err(new Error("No certificates found in PKCS#7 structure"));
+    }
+    const certificates = p7.certificates;
+    const clientCert = certificates[0];
+    const caCerts = certificates.slice(1);
+    if (!clientCert) {
+      return err(new Error("No client certificate found in PKCS#7 structure"));
+    }
+    const clientCertPem = import_node_forge2.default.pki.certificateToPem(clientCert);
+    const caChainPem = caCerts.map((cert) => import_node_forge2.default.pki.certificateToPem(cert)).join("");
+    return ok({
+      clientCert: clientCertPem,
+      caChain: caChainPem,
+      fullChain: clientCertPem + caChainPem
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to parse PKCS#7 certificates: ${message}`));
+  }
+}
+
+// src/core/auth/sso/slsClient.ts
+async function enrollCertificate(options) {
+  const { config, insecure = false } = options;
+  const profile = config.profile ?? SLS_DEFAULTS.PROFILE;
+  const agent = insecure ? new import_undici.Agent({ connect: { rejectUnauthorized: false } }) : void 0;
+  const [authResponse, authErr] = await authenticateToSls(config, profile, agent);
+  if (authErr) return err(authErr);
+  const keySize = authResponse.clientConfig.keySize ?? SLS_DEFAULTS.KEY_SIZE;
+  const keypair = generateKeypair(keySize);
+  const username = getCurrentUsername();
+  const csrDer = createCsr(keypair, username);
+  const [certData, certErr] = await requestCertificate(config, profile, csrDer, agent);
+  if (certErr) return err(certErr);
+  const [certs, parseErr] = parsePkcs7Certificates(certData);
+  if (parseErr) return err(parseErr);
+  return ok({
+    fullChain: certs.fullChain,
+    privateKey: keypair.privateKeyPem
+  });
+}
+async function authenticateToSls(config, profile, agent) {
+  const spn = config.servicePrincipalName ?? extractSpnFromUrl(config.slsUrl);
+  const [token, tokenErr] = await getSpnegoToken(spn);
+  if (tokenErr) return err(tokenErr);
+  const authUrl = `${config.slsUrl}${SLS_DEFAULTS.LOGIN_ENDPOINT}?profile=${profile}`;
+  try {
+    const fetchOptions = {
+      method: "POST",
+      headers: {
+        "Authorization": `Negotiate ${token}`,
+        "Accept": "*/*"
+      }
+    };
+    if (agent) {
+      fetchOptions.dispatcher = agent;
+    }
+    const response = await (0, import_undici.fetch)(authUrl, fetchOptions);
+    if (!response.ok) {
+      const text = await response.text();
+      return err(new Error(`SLS authentication failed: ${response.status} - ${text}`));
+    }
+    const authResponse = await response.json();
+    return ok(authResponse);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`SLS authentication request failed: ${message}`));
+  }
+}
+async function requestCertificate(config, profile, csrDer, agent) {
+  const certUrl = `${config.slsUrl}${SLS_DEFAULTS.CERTIFICATE_ENDPOINT}?profile=${profile}`;
+  try {
+    const fetchOptions = {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/pkcs10",
+        "Content-Length": String(csrDer.length),
+        "Accept": "*/*"
+      },
+      body: csrDer
+    };
+    if (agent) {
+      fetchOptions.dispatcher = agent;
+    }
+    const response = await (0, import_undici.fetch)(certUrl, fetchOptions);
+    if (!response.ok) {
+      const text = await response.text();
+      return err(new Error(`Certificate request failed: ${response.status} - ${text}`));
+    }
+    const buffer = await response.arrayBuffer();
+    return ok(Buffer.from(buffer));
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Certificate request failed: ${message}`));
+  }
+}
+
+// src/core/auth/sso/storage.ts
+var import_promises = require("fs/promises");
+var import_node_path = require("path");
+function getCertificatePaths(username) {
+  const user = username ?? getCurrentUsername();
+  return {
+    fullChainPath: (0, import_node_path.join)(CERTIFICATE_STORAGE.BASE_DIR, `${user}${CERTIFICATE_STORAGE.FULL_CHAIN_SUFFIX}`),
+    keyPath: (0, import_node_path.join)(CERTIFICATE_STORAGE.BASE_DIR, `${user}${CERTIFICATE_STORAGE.KEY_SUFFIX}`)
+  };
+}
+async function saveCertificates(material, username) {
+  const paths = getCertificatePaths(username);
+  try {
+    await (0, import_promises.mkdir)(CERTIFICATE_STORAGE.BASE_DIR, { recursive: true });
+    await (0, import_promises.writeFile)(paths.fullChainPath, material.fullChain, "utf-8");
+    await (0, import_promises.writeFile)(paths.keyPath, material.privateKey, { encoding: "utf-8", mode: 384 });
+    return ok(paths);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to save certificates: ${message}`));
+  }
+}
+async function loadCertificates(username) {
+  const paths = getCertificatePaths(username);
+  try {
+    const [fullChain, privateKey] = await Promise.all([
+      (0, import_promises.readFile)(paths.fullChainPath, "utf-8"),
+      (0, import_promises.readFile)(paths.keyPath, "utf-8")
+    ]);
+    return ok({ fullChain, privateKey });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to load certificates: ${message}`));
+  }
+}
+async function certificatesExist(username) {
+  const paths = getCertificatePaths(username);
+  try {
+    await Promise.all([
+      (0, import_promises.stat)(paths.fullChainPath),
+      (0, import_promises.stat)(paths.keyPath)
+    ]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isCertificateExpired(certPem, bufferDays = 1) {
+  try {
+    const forge3 = require("node-forge");
+    const cert = forge3.pki.certificateFromPem(certPem);
+    const notAfter = cert.validity.notAfter;
+    const bufferMs = bufferDays * 24 * 60 * 60 * 1e3;
+    const expiryThreshold = new Date(Date.now() + bufferMs);
+    return ok(notAfter <= expiryThreshold);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return err(new Error(`Failed to check certificate expiry: ${message}`));
+  }
+}
+
+// src/core/auth/sso/sso.ts
+var SsoAuth = class {
+  type = "sso";
+  config;
+  certificates = null;
+  /**
+   * Create an SSO Auth strategy
+   *
+   * @param config - SSO authentication configuration
+   */
+  constructor(config) {
+    if (!config.slsUrl) {
+      throw new Error("SsoAuth requires slsUrl");
+    }
+    this.config = config;
+  }
+  /**
+   * Get auth headers for SSO
+   *
+   * SSO uses mTLS for authentication, not headers.
+   * Returns empty headers - the mTLS agent handles auth.
+   */
+  getAuthHeaders() {
+    return {};
+  }
+  /**
+   * Get mTLS certificates
+   *
+   * Returns the certificate material after successful login.
+   * Used by ADT client to create an mTLS agent.
+   *
+   * @returns Certificate material or null if not enrolled
+   */
+  getCertificates() {
+    return this.certificates;
+  }
+  /**
+   * Perform SSO login via certificate enrollment
+   *
+   * Checks for existing valid certificates and enrolls new ones if needed.
+   *
+   * @param _fetchFn - Unused, kept for interface compatibility
+   * @returns Success/error tuple
+   */
+  async performLogin(_fetchFn) {
+    if (!this.config.forceEnroll) {
+      const [loadResult, loadErr] = await this.tryLoadExistingCertificates();
+      if (!loadErr && loadResult) {
+        this.certificates = loadResult;
+        return ok(void 0);
+      }
+    }
+    const slsConfig = {
+      slsUrl: this.config.slsUrl
+    };
+    if (this.config.profile) {
+      slsConfig.profile = this.config.profile;
+    }
+    if (this.config.servicePrincipalName) {
+      slsConfig.servicePrincipalName = this.config.servicePrincipalName;
+    }
+    const [material, enrollErr] = await enrollCertificate({
+      config: slsConfig,
+      insecure: this.config.insecure ?? false
+    });
+    if (enrollErr) {
+      return err(enrollErr);
+    }
+    if (!this.config.returnContents) {
+      const [, saveErr] = await saveCertificates(material);
+      if (saveErr) {
+        return err(saveErr);
+      }
+    }
+    this.certificates = material;
+    return ok(void 0);
+  }
+  /**
+   * Try to load and validate existing certificates
+   */
+  async tryLoadExistingCertificates() {
+    const exists = await certificatesExist();
+    if (!exists) {
+      return err(new Error("No existing certificates found"));
+    }
+    const [material, loadErr] = await loadCertificates();
+    if (loadErr) {
+      return err(loadErr);
+    }
+    const [isExpired, expiryErr] = isCertificateExpired(material.fullChain);
+    if (expiryErr) {
+      return err(expiryErr);
+    }
+    if (isExpired) {
+      return err(new Error("Certificate is expired or expiring soon"));
+    }
+    return ok(material);
+  }
+};
+
+// src/core/auth/saml/types.ts
+var DEFAULT_FORM_SELECTORS = {
+  username: "#j_username",
+  password: "#j_password",
+  submit: "#logOnFormSubmit"
+};
+var DEFAULT_PROVIDER_CONFIG = {
+  ignoreHttpsErrors: false,
+  formSelectors: DEFAULT_FORM_SELECTORS
+};
+
+// src/core/auth/saml/browser.ts
+var TIMEOUTS = {
+  PAGE_LOAD: 6e4,
+  FORM_SELECTOR: 1e4
+};
+async function performBrowserLogin(options) {
+  const { baseUrl, credentials, headless = true } = options;
+  const config = options.providerConfig ?? DEFAULT_PROVIDER_CONFIG;
+  let playwright;
+  try {
+    playwright = await import("playwright");
+  } catch {
+    return err(
+      new Error(
+        "Playwright is required for SAML authentication but is not installed. Install it with: npm install playwright"
+      )
+    );
+  }
+  const browserArgs = config.ignoreHttpsErrors ? ["--ignore-certificate-errors", "--disable-web-security"] : [];
+  let browser;
+  try {
+    browser = await playwright.chromium.launch({
+      headless,
+      args: browserArgs
+    });
+  } catch (launchError) {
+    return err(
+      new Error(
+        `Failed to launch browser: ${launchError instanceof Error ? launchError.message : String(launchError)}`
+      )
+    );
+  }
+  try {
+    const context = await browser.newContext({
+      ignoreHTTPSErrors: config.ignoreHttpsErrors
+    });
+    const page = await context.newPage();
+    const loginUrl = `${baseUrl}/sap/bc/adt/compatibility/graph`;
+    try {
+      await page.goto(loginUrl, {
+        timeout: TIMEOUTS.PAGE_LOAD,
+        waitUntil: "domcontentloaded"
+      });
+    } catch {
+      return err(new Error("Failed to load login page. Please check if the server is online."));
+    }
+    try {
+      await page.waitForSelector(config.formSelectors.username, {
+        timeout: TIMEOUTS.FORM_SELECTOR
+      });
+    } catch {
+      return err(new Error("Login form not found. The page may have changed or loaded incorrectly."));
+    }
+    await page.fill(config.formSelectors.username, credentials.username);
+    await page.fill(config.formSelectors.password, credentials.password);
+    await page.click(config.formSelectors.submit);
+    await page.waitForLoadState("networkidle");
+    const cookies = await context.cookies();
+    return ok(cookies);
+  } finally {
+    await browser.close();
+  }
+}
+
+// src/core/auth/saml/cookies.ts
+function toAuthCookies(playwrightCookies) {
+  return playwrightCookies.map((cookie) => ({
+    name: cookie.name,
+    value: cookie.value,
+    domain: cookie.domain,
+    path: cookie.path
+  }));
+}
+function formatCookieHeader(cookies) {
+  return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
+}
+
+// src/core/auth/saml/saml.ts
+var SamlAuth = class {
+  type = "saml";
+  cookies = [];
+  config;
+  /**
+   * Create a SAML Auth strategy
+   *
+   * @param config - SAML authentication configuration
+   */
+  constructor(config) {
+    if (!config.username || !config.password) {
+      throw new Error("SamlAuth requires both username and password");
+    }
+    if (!config.baseUrl) {
+      throw new Error("SamlAuth requires baseUrl");
+    }
+    this.config = config;
+  }
+  /**
+   * Get auth headers for SAML
+   *
+   * After successful login, includes Cookie header with session cookies.
+   */
+  getAuthHeaders() {
+    if (this.cookies.length === 0) {
+      return {};
+    }
+    return {
+      Cookie: formatCookieHeader(this.cookies)
+    };
+  }
+  /**
+   * Get authentication cookies
+   *
+   * @returns Array of cookies obtained during SAML login
+   */
+  getCookies() {
+    return this.cookies;
+  }
+  /**
+   * Perform SAML login using headless browser automation
+   *
+   * Launches a Chromium browser, navigates to the SAP login page,
+   * fills in credentials, and extracts session cookies.
+   *
+   * @param _fetchFn - Unused, kept for interface compatibility
+   * @returns Success/error tuple
+   */
+  async performLogin(_fetchFn) {
+    const [playwrightCookies, loginError] = await performBrowserLogin({
+      baseUrl: this.config.baseUrl,
+      credentials: {
+        username: this.config.username,
+        password: this.config.password
+      },
+      ...this.config.providerConfig && { providerConfig: this.config.providerConfig }
+    });
+    if (loginError) {
+      return err(loginError);
+    }
+    this.cookies = toAuthCookies(playwrightCookies);
+    if (this.cookies.length === 0) {
+      return err(new Error("SAML login succeeded but no cookies were returned"));
+    }
+    return ok(void 0);
+  }
+};
+
+// src/core/auth/factory.ts
+function createAuthStrategy(options) {
+  const { config, baseUrl, insecure } = options;
+  switch (config.type) {
+    case "basic":
+      return new BasicAuth(config.username, config.password);
+    case "saml":
+      if (!baseUrl) {
+        throw new Error("SAML authentication requires baseUrl");
+      }
+      return new SamlAuth({
+        username: config.username,
+        password: config.password,
+        baseUrl,
+        ...config.providerConfig && { providerConfig: config.providerConfig }
+      });
+    case "sso": {
+      const ssoConfig = {
+        slsUrl: config.slsUrl
+      };
+      if (config.profile) {
+        ssoConfig.profile = config.profile;
+      }
+      if (config.servicePrincipalName) {
+        ssoConfig.servicePrincipalName = config.servicePrincipalName;
+      }
+      if (config.forceEnroll) {
+        ssoConfig.forceEnroll = config.forceEnroll;
+      }
+      if (insecure) {
+        ssoConfig.insecure = insecure;
+      }
+      return new SsoAuth(ssoConfig);
+    }
+    default: {
+      const _exhaustive = config;
+      throw new Error(`Unknown auth type: ${_exhaustive.type}`);
+    }
+  }
+}
+
+// src/core/client.ts
 function buildParams(baseParams, clientNum) {
   const params = new URLSearchParams();
   if (baseParams) {
@@ -1449,15 +1875,24 @@ var ADTClientImpl = class {
   requestor;
   agent;
   constructor(config) {
+    const authOptions = {
+      config: config.auth,
+      baseUrl: config.url
+    };
+    if (config.insecure) {
+      authOptions.insecure = config.insecure;
+    }
+    const authStrategy = createAuthStrategy(authOptions);
     this.state = {
       config,
       session: null,
       csrfToken: null,
-      cookies: /* @__PURE__ */ new Map()
+      cookies: /* @__PURE__ */ new Map(),
+      authStrategy
     };
     this.requestor = { request: this.request.bind(this) };
     if (config.insecure) {
-      this.agent = new import_undici.Agent({
+      this.agent = new import_undici2.Agent({
         connect: {
           rejectUnauthorized: false,
           checkServerIdentity: () => void 0
@@ -1518,7 +1953,7 @@ var ADTClientImpl = class {
     try {
       debug(`Fetching URL: ${url}`);
       debug(`Insecure mode: ${!!this.agent}`);
-      const response = await (0, import_undici.fetch)(url, fetchOptions);
+      const response = await (0, import_undici2.fetch)(url, fetchOptions);
       this.storeCookies(response);
       if (response.status === 403) {
         const text = await response.text();
@@ -1533,7 +1968,7 @@ var ADTClientImpl = class {
             headers["Cookie"] = retryCookieHeader;
           }
           debug(`Retrying with new CSRF token: ${newToken.substring(0, 20)}...`);
-          const retryResponse = await (0, import_undici.fetch)(url, { ...fetchOptions, headers });
+          const retryResponse = await (0, import_undici2.fetch)(url, { ...fetchOptions, headers });
           this.storeCookies(retryResponse);
           return ok(retryResponse);
         }
@@ -1569,6 +2004,29 @@ var ADTClientImpl = class {
   }
   // --- Lifecycle ---
   async login() {
+    const { authStrategy } = this.state;
+    if (authStrategy.performLogin) {
+      const [, loginErr] = await authStrategy.performLogin(fetch);
+      if (loginErr) {
+        return err(loginErr);
+      }
+    }
+    if (authStrategy.type === "sso" && authStrategy.getCertificates) {
+      const certs = authStrategy.getCertificates();
+      if (certs) {
+        this.agent = new import_undici2.Agent({
+          connect: {
+            cert: certs.fullChain,
+            key: certs.privateKey,
+            rejectUnauthorized: !this.state.config.insecure,
+            ...this.state.config.insecure && {
+              checkServerIdentity: () => void 0
+            }
+          }
+        });
+        debug("Created mTLS agent with SSO certificates");
+      }
+    }
     return login(this.state, this.request.bind(this));
   }
   async logout() {