infrahub-sdk 0.0.6 → 0.0.8

package/.github/workflows/publish.yml

@@ -2,21 +2,25 @@ name: Publish Package to npmjs
 on:
   release:
     types: [published]
+
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
-  build:
+  publish:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
     steps:
       - uses: actions/checkout@v4
-      # Setup .npmrc file to publish to npm
+
       - uses: actions/setup-node@v4
         with:
-          node-version: '20.x'
+          node-version: '20'
           registry-url: 'https://registry.npmjs.org'
+
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
       - run: npm ci
-      - run: npm run build
+      - run: npm run build --if-present
       - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/README.md

@@ -37,6 +37,89 @@ const listDevices = gql`
 const usersData = await client.executeGraphQL(listDevices);
 ```
 
+## TLS/SSL Configuration
+
+When connecting to Infrahub instances with custom, self-signed, or expired certificates, you can configure TLS options:
+
+### Handling Certificate Errors
+
+If you encounter certificate errors such as:
+- `certificate has expired`
+- `self-signed certificate`
+- `unable to verify the first certificate`
+- `UNABLE_TO_VERIFY_LEAF_SIGNATURE`
+
+You can resolve these by configuring the TLS options as shown below.
+
+### Disable Certificate Verification (for development/testing)
+
+This is the recommended approach for handling expired certificates in development/testing environments:
+
+```typescript
+import { InfrahubClient, InfrahubClientOptions } from 'infrahub-sdk';
+
+const options: InfrahubClientOptions = {
+  address: "https://infrahub.example.com",
+  token: "your-api-token",
+  tls: {
+    rejectUnauthorized: false
+  }
+}
+
+const client = new InfrahubClient(options);
+```
+
+**Important Notes:**
+- Setting `rejectUnauthorized: false` disables ALL certificate validation
+- This bypasses checks for expired, self-signed, and invalid certificates
+- **Warning**: Never use this in production environments as it makes your connection vulnerable to man-in-the-middle attacks
+- Only use this for development, testing, or when connecting to trusted internal servers
+
+**Example:** See [examples/expired-certificate-example.ts](examples/expired-certificate-example.ts) for a complete working example.
+
+### Troubleshooting
+
+If you're still experiencing certificate errors after setting `rejectUnauthorized: false`:
+
+1. **Verify the configuration is being applied**: Make sure you're creating the client with the TLS options
+2. **Check for multiple client instances**: Ensure all instances use the same TLS configuration
+3. **Network/Proxy Issues**: If you're behind a proxy, you may need additional configuration
+4. **Node.js Version**: Ensure you're using Node.js 14 or later
+
+### Use Custom CA Certificate
+
+```typescript
+import fs from 'fs';
+
+const options: InfrahubClientOptions = {
+  address: "https://infrahub.example.com",
+  token: "your-api-token",
+  tls: {
+    ca: fs.readFileSync('/path/to/ca-certificate.pem')
+  }
+}
+
+const client = new InfrahubClient(options);
+```
+
+### Mutual TLS (Client Certificate Authentication)
+
+```typescript
+import fs from 'fs';
+
+const options: InfrahubClientOptions = {
+  address: "https://infrahub.example.com",
+  token: "your-api-token",
+  tls: {
+    ca: fs.readFileSync('/path/to/ca-certificate.pem'),
+    cert: fs.readFileSync('/path/to/client-cert.pem'),
+    key: fs.readFileSync('/path/to/client-key.pem')
+  }
+}
+
+const client = new InfrahubClient(options);
+```
+
 ## Development
 
 - Build: `npm run build`

package/dist/index.d.ts

@@ -13,10 +13,46 @@ import { InfrahubBranchManager } from './branch';
 import { InfrahubUserResponse } from './graphql/client';
 export * from 'graphql-request';
 export * from './types';
+export interface TLSConfig {
+    /**
+     * If true, the server certificate is verified against the list of supplied CAs.
+     * Set to false to disable certificate verification (not recommended for production).
+     *
+     * Note: Setting this to false will bypass all certificate validation, including
+     * expired certificates, self-signed certificates, and hostname mismatches.
+     */
+    rejectUnauthorized?: boolean;
+    /**
+     * Optional CA certificates to trust. Can be a string or Buffer containing the certificate(s).
+     * Use this when connecting to servers with custom or self-signed certificates.
+     */
+    ca?: string | Buffer | Array<string | Buffer>;
+    /**
+     * Optional client certificate for mutual TLS authentication.
+     */
+    cert?: string | Buffer;
+    /**
+     * Optional client private key for mutual TLS authentication.
+     */
+    key?: string | Buffer;
+}
 export interface InfrahubClientOptions {
     address: string;
     token?: string;
     branch?: string;
+    /**
+     * TLS/SSL configuration options for HTTPS connections.
+     * Use this to handle custom certificates, expired certificates, or disable certificate verification.
+     *
+     * @example
+     * // Disable certificate verification (development only)
+     * { tls: { rejectUnauthorized: false } }
+     *
+     * @example
+     * // Use custom CA certificate
+     * { tls: { ca: fs.readFileSync('/path/to/ca.pem') } }
+     */
+    tls?: TLSConfig;
 }
 export declare class InfrahubClient {
     rest: ReturnType<typeof createClient<paths>>;

package/dist/index.js

@@ -18,6 +18,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.InfrahubClient = void 0;
+const https_1 = __importDefault(require("https"));
+const node_fetch_1 = __importDefault(require("node-fetch"));
 const openapi_fetch_1 = __importDefault(require("openapi-fetch"));
 const graphql_request_1 = require("graphql-request");
 const branch_1 = require("./branch");
@@ -32,24 +34,52 @@ class InfrahubClient {
         this.token = options.token;
         this.defaultBranch = options.branch || DEFAULT_BRANCH_NAME;
         this.branch = new branch_1.InfrahubBranchManager(this);
-        // Initialize the openapi-fetch client
+        // Create custom fetch with TLS options if provided
+        let customFetch = node_fetch_1.default;
+        if (options.tls) {
+            // Build agent options, ensuring rejectUnauthorized is explicitly set if provided
+            const agentOptions = {};
+            if (options.tls.rejectUnauthorized !== undefined) {
+                agentOptions.rejectUnauthorized = options.tls.rejectUnauthorized;
+            }
+            if (options.tls.ca !== undefined) {
+                agentOptions.ca = options.tls.ca;
+            }
+            if (options.tls.cert !== undefined) {
+                agentOptions.cert = options.tls.cert;
+            }
+            if (options.tls.key !== undefined) {
+                agentOptions.key = options.tls.key;
+            }
+            const httpsAgent = new https_1.default.Agent(agentOptions);
+            customFetch = ((url, opts = {}) => {
+                // Ensure agent is passed for HTTPS URLs
+                // node-fetch v2 requires the agent to be explicitly set
+                const fetchOptions = { ...opts, agent: httpsAgent };
+                return (0, node_fetch_1.default)(url, fetchOptions);
+            });
+        }
+        // Initialize the openapi-fetch client with TLS configuration
         this.rest = (0, openapi_fetch_1.default)({
-            baseUrl: this.baseUrl
+            baseUrl: this.baseUrl,
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            fetch: customFetch
         });
-        const token = this.token;
-        const myMiddleware = {
-            async onRequest({ request }) {
-                // set "X-INFRAHUB-KEY" header if token is present
-                if (token) {
-                    request.headers.set('X-INFRAHUB-KEY', token);
+        // Use middleware to dynamically add the auth token to every REST request.
+        this.rest.use({
+            onRequest: (req) => {
+                req.headers.set('content-type', 'application/json');
+                if (this.token) {
+                    req.headers.set('X-INFRAHUB-KEY', this.token);
                 }
-                request.headers.set('content-type', 'application/json');
-                return request;
-            },
-        };
-        this.rest.use(myMiddleware);
+                return req;
+            }
+        });
         // Initialize the GraphQL client with the default branch endpoint
-        this.graphqlClient = new graphql_request_1.GraphQLClient(this._graphqlUrl(this.defaultBranch));
+        this.graphqlClient = new graphql_request_1.GraphQLClient(this._graphqlUrl(this.defaultBranch), {
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            fetch: customFetch
+        });
         this.graphqlClient.setHeaders({
             'Content-Type': 'application/json'
         });
@@ -110,6 +140,45 @@ class InfrahubClient {
             return await this.graphqlClient.request(query, variables);
         }
         catch (error) {
+            // Check if this is a certificate error and provide helpful guidance
+            if (error instanceof Error) {
+                const errorMessage = error.message.toLowerCase();
+                const isCertError = errorMessage.includes('certificate') ||
+                    errorMessage.includes('cert') ||
+                    errorMessage.includes('ssl') ||
+                    errorMessage.includes('tls');
+                const isExpired = errorMessage.includes('expired');
+                const isSelfSigned = errorMessage.includes('self-signed') || errorMessage.includes('self signed');
+                const isUnauthorized = errorMessage.includes('unauthorized');
+                if (isCertError && (isExpired || isSelfSigned || isUnauthorized)) {
+                    const helpMessage = [
+                        '',
+                        'Certificate validation failed. To resolve this issue, you can configure TLS options:',
+                        '',
+                        '1. Disable certificate verification (for development/testing only):',
+                        '   const client = new InfrahubClient({',
+                        '     address: "your-address",',
+                        '     token: "your-token",',
+                        '     tls: { rejectUnauthorized: false }',
+                        '   });',
+                        '',
+                        '2. Or provide a custom CA certificate (requires: import fs from "fs"):',
+                        '   const client = new InfrahubClient({',
+                        '     address: "your-address",',
+                        '     token: "your-token",',
+                        '     tls: { ca: fs.readFileSync("/path/to/ca-cert.pem") }',
+                        '   });',
+                        '',
+                        'See the README.md for more TLS configuration options.',
+                        ''
+                    ].join('\n');
+                    console.error(helpMessage);
+                    // Create a new error with helpful message appended
+                    const enhancedError = new Error(`${error.message}\n${helpMessage}`);
+                    enhancedError.stack = error.stack;
+                    throw enhancedError;
+                }
+            }
             console.error('Error executing GraphQL query:', error);
             throw error;
         }

package/dist/index.test.js

@@ -24,8 +24,8 @@ const globals_1 = require("@jest/globals");
         const newToken = 'new-token';
         client.setAuthToken(newToken);
         (0, globals_1.expect)(client.token).toBe(newToken);
-        // GraphQLClient headers are private, so we check no error is thrown
-        (0, globals_1.expect)(() => client.executeGraphQL('{ __typename }')).not.toThrow();
+        // Check that the GraphQL headers are properly set by verifying the token is updated
+        (0, globals_1.expect)(client.graphqlClient.requestConfig.headers['X-INFRAHUB-KEY']).toBe(newToken);
     });
     (0, globals_1.it)('should call graphqlQuery and handle errors', async () => {
         const mockRequest = globals_1.jest
@@ -38,6 +38,50 @@ const globals_1 = require("@jest/globals");
         await (0, globals_1.expect)(client.executeGraphQL('{ test }')).rejects.toThrow('GraphQL error');
         consoleErrorSpy.mockRestore();
     });
+    (0, globals_1.it)('should provide helpful error message for certificate errors', async () => {
+        const mockRequest = globals_1.jest
+            .fn()
+            .mockImplementation(() => Promise.reject(new Error('request failed, reason: certificate has expired')));
+        client.graphqlClient.request = mockRequest;
+        const consoleErrorSpy = globals_1.jest
+            .spyOn(console, 'error')
+            .mockImplementation(() => { });
+        try {
+            await client.executeGraphQL('{ test }');
+            (0, globals_1.expect)(true).toBe(false); // Should not reach here
+        }
+        catch (error) {
+            (0, globals_1.expect)(error).toBeInstanceOf(Error);
+            if (error instanceof Error) {
+                (0, globals_1.expect)(error.message).toContain('certificate has expired');
+                (0, globals_1.expect)(error.message).toContain('Certificate validation failed');
+                (0, globals_1.expect)(error.message).toContain('rejectUnauthorized: false');
+            }
+        }
+        consoleErrorSpy.mockRestore();
+    });
+    (0, globals_1.it)('should provide helpful error message for self-signed certificate errors', async () => {
+        const mockRequest = globals_1.jest
+            .fn()
+            .mockImplementation(() => Promise.reject(new Error('request failed, reason: self-signed certificate')));
+        client.graphqlClient.request = mockRequest;
+        const consoleErrorSpy = globals_1.jest
+            .spyOn(console, 'error')
+            .mockImplementation(() => { });
+        try {
+            await client.executeGraphQL('{ test }');
+            (0, globals_1.expect)(true).toBe(false); // Should not reach here
+        }
+        catch (error) {
+            (0, globals_1.expect)(error).toBeInstanceOf(Error);
+            if (error instanceof Error) {
+                (0, globals_1.expect)(error.message).toContain('self-signed certificate');
+                (0, globals_1.expect)(error.message).toContain('Certificate validation failed');
+                (0, globals_1.expect)(error.message).toContain('tls: { rejectUnauthorized: false }');
+            }
+        }
+        consoleErrorSpy.mockRestore();
+    });
     (0, globals_1.it)('should initialize rest client with baseUrl', () => {
         (0, globals_1.expect)(client.rest).toBeDefined();
     });
@@ -59,4 +103,83 @@ const globals_1 = require("@jest/globals");
         const url = client._graphqlUrl(branchName);
         (0, globals_1.expect)(url).toBe(`${baseURL}/graphql/${branchName}`);
     });
+    (0, globals_1.describe)('TLS Configuration', () => {
+        (0, globals_1.it)('should accept TLS configuration with rejectUnauthorized set to false', () => {
+            const options = {
+                address: baseURL,
+                token: token,
+                tls: {
+                    rejectUnauthorized: false
+                }
+            };
+            const tlsClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(tlsClient).toBeDefined();
+            (0, globals_1.expect)(tlsClient.graphqlClient).toBeInstanceOf(graphql_request_1.GraphQLClient);
+        });
+        (0, globals_1.it)('should create agent with rejectUnauthorized: false when explicitly set', () => {
+            const https = require('https');
+            const createAgentSpy = globals_1.jest.spyOn(https, 'Agent');
+            const options = {
+                address: baseURL,
+                token: token,
+                tls: {
+                    rejectUnauthorized: false
+                }
+            };
+            const tlsClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(createAgentSpy).toHaveBeenCalled();
+            const agentOptions = createAgentSpy.mock.calls[createAgentSpy.mock.calls.length - 1][0];
+            (0, globals_1.expect)(agentOptions.rejectUnauthorized).toBe(false);
+            createAgentSpy.mockRestore();
+        });
+        (0, globals_1.it)('should accept TLS configuration with custom CA certificate', () => {
+            const options = {
+                address: baseURL,
+                token: token,
+                tls: {
+                    ca: '-----BEGIN CERTIFICATE-----\nMockCertificate\n-----END CERTIFICATE-----'
+                }
+            };
+            const tlsClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(tlsClient).toBeDefined();
+            (0, globals_1.expect)(tlsClient.graphqlClient).toBeInstanceOf(graphql_request_1.GraphQLClient);
+        });
+        (0, globals_1.it)('should accept TLS configuration with client certificate and key', () => {
+            const options = {
+                address: baseURL,
+                token: token,
+                tls: {
+                    cert: '-----BEGIN CERTIFICATE-----\nMockCert\n-----END CERTIFICATE-----',
+                    key: '-----BEGIN PRIVATE KEY-----\nMockKey\n-----END PRIVATE KEY-----'
+                }
+            };
+            const tlsClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(tlsClient).toBeDefined();
+            (0, globals_1.expect)(tlsClient.graphqlClient).toBeInstanceOf(graphql_request_1.GraphQLClient);
+        });
+        (0, globals_1.it)('should accept TLS configuration with all options', () => {
+            const options = {
+                address: baseURL,
+                token: token,
+                tls: {
+                    rejectUnauthorized: true,
+                    ca: '-----BEGIN CERTIFICATE-----\nMockCA\n-----END CERTIFICATE-----',
+                    cert: '-----BEGIN CERTIFICATE-----\nMockCert\n-----END CERTIFICATE-----',
+                    key: '-----BEGIN PRIVATE KEY-----\nMockKey\n-----END PRIVATE KEY-----'
+                }
+            };
+            const tlsClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(tlsClient).toBeDefined();
+            (0, globals_1.expect)(tlsClient.graphqlClient).toBeInstanceOf(graphql_request_1.GraphQLClient);
+        });
+        (0, globals_1.it)('should work without TLS configuration (backward compatibility)', () => {
+            const options = {
+                address: baseURL,
+                token: token
+            };
+            const normalClient = new index_1.InfrahubClient(options);
+            (0, globals_1.expect)(normalClient).toBeDefined();
+            (0, globals_1.expect)(normalClient.graphqlClient).toBeInstanceOf(graphql_request_1.GraphQLClient);
+        });
+    });
 });

package/examples/expired-certificate-example.ts

@@ -0,0 +1,36 @@
+// Example: Connecting to Infrahub with an expired or self-signed certificate
+import { InfrahubClient, InfrahubClientOptions } from 'infrahub-sdk';
+import fs from 'fs';
+
+// Option 1: Disable certificate verification (for development/testing only)
+// This will bypass ALL certificate validation including expired certificates
+const clientWithoutVerification = new InfrahubClient({
+  address: 'https://your-infrahub-server.com',
+  token: 'your-api-token',
+  tls: {
+    rejectUnauthorized: false
+  }
+});
+
+// Test the connection
+async function testConnection() {
+  try {
+    const version = await clientWithoutVerification.getVersion();
+    console.log('Successfully connected! Infrahub version:', version);
+  } catch (error) {
+    console.error('Connection failed:', error);
+  }
+}
+
+testConnection();
+
+// Option 2: Use a custom CA certificate (production-friendly approach)
+// Uncomment the following to use a custom CA certificate instead:
+//
+// const clientWithCustomCA = new InfrahubClient({
+//   address: 'https://your-infrahub-server.com',
+//   token: 'your-api-token',
+//   tls: {
+//     ca: fs.readFileSync('/path/to/your/ca-certificate.pem')
+//   }
+// });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "infrahub-sdk",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "description": "A client SDK for the Infrahub API.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -19,14 +19,16 @@
   "dependencies": {
     "@graphql-codegen/typed-document-node": "^5.1.2",
     "graphql-request": "^6.1.0",
-    "openapi-fetch": "^0.14.0"
+    "node-fetch": "^2.7.0",
+    "openapi-fetch": "^0.9.4"
   },
   "devDependencies": {
     "@eslint/js": "^9.31.0",
+    "@types/node": "^24.10.0",
+    "@types/node-fetch": "^2.6.13",
     "eslint": "^9.31.0",
     "eslint-config-prettier": "^10.1.5",
     "eslint-plugin-prettier": "^5.5.1",
-    "openapi-typescript": "^7.8.0",
     "prettier": "3.6.2",
     "ts-jest": "^29.4.0",
     "typescript": "^5.8.3",

package/src/index.test.ts

@@ -27,8 +27,8 @@ describe('InfrahubClient', () => {
     const newToken = 'new-token';
     client.setAuthToken(newToken);
     expect((client as any).token).toBe(newToken);
-    // GraphQLClient headers are private, so we check no error is thrown
-    expect(() => client.executeGraphQL('{ __typename }')).not.toThrow();
+    // Check that the GraphQL headers are properly set by verifying the token is updated
+    expect((client as any).graphqlClient.requestConfig.headers['X-INFRAHUB-KEY']).toBe(newToken);
   });
 
   it('should call graphqlQuery and handle errors', async () => {
@@ -45,6 +45,58 @@ describe('InfrahubClient', () => {
     consoleErrorSpy.mockRestore();
   });
 
+  it('should provide helpful error message for certificate errors', async () => {
+    const mockRequest = jest
+      .fn()
+      .mockImplementation(() => 
+        Promise.reject(new Error('request failed, reason: certificate has expired'))
+      );
+    (client as any).graphqlClient.request = mockRequest;
+    const consoleErrorSpy = jest
+      .spyOn(console, 'error')
+      .mockImplementation(() => {});
+    
+    try {
+      await client.executeGraphQL('{ test }');
+      expect(true).toBe(false); // Should not reach here
+    } catch (error) {
+      expect(error).toBeInstanceOf(Error);
+      if (error instanceof Error) {
+        expect(error.message).toContain('certificate has expired');
+        expect(error.message).toContain('Certificate validation failed');
+        expect(error.message).toContain('rejectUnauthorized: false');
+      }
+    }
+    
+    consoleErrorSpy.mockRestore();
+  });
+
+  it('should provide helpful error message for self-signed certificate errors', async () => {
+    const mockRequest = jest
+      .fn()
+      .mockImplementation(() => 
+        Promise.reject(new Error('request failed, reason: self-signed certificate'))
+      );
+    (client as any).graphqlClient.request = mockRequest;
+    const consoleErrorSpy = jest
+      .spyOn(console, 'error')
+      .mockImplementation(() => {});
+    
+    try {
+      await client.executeGraphQL('{ test }');
+      expect(true).toBe(false); // Should not reach here
+    } catch (error) {
+      expect(error).toBeInstanceOf(Error);
+      if (error instanceof Error) {
+        expect(error.message).toContain('self-signed certificate');
+        expect(error.message).toContain('Certificate validation failed');
+        expect(error.message).toContain('tls: { rejectUnauthorized: false }');
+      }
+    }
+    
+    consoleErrorSpy.mockRestore();
+  });
+
   it('should initialize rest client with baseUrl', () => {
     expect((client as any).rest).toBeDefined();
   });
@@ -71,4 +123,93 @@ describe('InfrahubClient', () => {
     const url = (client as any)._graphqlUrl(branchName);
     expect(url).toBe(`${baseURL}/graphql/${branchName}`);
   });
+
+  describe('TLS Configuration', () => {
+    it('should accept TLS configuration with rejectUnauthorized set to false', () => {
+      const options: InfrahubClientOptions = {
+        address: baseURL,
+        token: token,
+        tls: {
+          rejectUnauthorized: false
+        }
+      };
+      const tlsClient = new InfrahubClient(options);
+      expect(tlsClient).toBeDefined();
+      expect((tlsClient as any).graphqlClient).toBeInstanceOf(GraphQLClient);
+    });
+
+    it('should create agent with rejectUnauthorized: false when explicitly set', () => {
+      const https = require('https');
+      const createAgentSpy = jest.spyOn(https, 'Agent');
+      
+      const options: InfrahubClientOptions = {
+        address: baseURL,
+        token: token,
+        tls: {
+          rejectUnauthorized: false
+        }
+      };
+      
+      const tlsClient = new InfrahubClient(options);
+      
+      expect(createAgentSpy).toHaveBeenCalled();
+      const agentOptions = createAgentSpy.mock.calls[createAgentSpy.mock.calls.length - 1][0] as any;
+      expect(agentOptions.rejectUnauthorized).toBe(false);
+      
+      createAgentSpy.mockRestore();
+    });
+
+    it('should accept TLS configuration with custom CA certificate', () => {
+      const options: InfrahubClientOptions = {
+        address: baseURL,
+        token: token,
+        tls: {
+          ca: '-----BEGIN CERTIFICATE-----\nMockCertificate\n-----END CERTIFICATE-----'
+        }
+      };
+      const tlsClient = new InfrahubClient(options);
+      expect(tlsClient).toBeDefined();
+      expect((tlsClient as any).graphqlClient).toBeInstanceOf(GraphQLClient);
+    });
+
+    it('should accept TLS configuration with client certificate and key', () => {
+      const options: InfrahubClientOptions = {
+        address: baseURL,
+        token: token,
+        tls: {
+          cert: '-----BEGIN CERTIFICATE-----\nMockCert\n-----END CERTIFICATE-----',
+          key: '-----BEGIN PRIVATE KEY-----\nMockKey\n-----END PRIVATE KEY-----'
+        }
+      };
+      const tlsClient = new InfrahubClient(options);
+      expect(tlsClient).toBeDefined();
+      expect((tlsClient as any).graphqlClient).toBeInstanceOf(GraphQLClient);
+    });
+
+    it('should accept TLS configuration with all options', () => {
+      const options: InfrahubClientOptions = {
+        address: baseURL,
+        token: token,
+        tls: {
+          rejectUnauthorized: true,
+          ca: '-----BEGIN CERTIFICATE-----\nMockCA\n-----END CERTIFICATE-----',
+          cert: '-----BEGIN CERTIFICATE-----\nMockCert\n-----END CERTIFICATE-----',
+          key: '-----BEGIN PRIVATE KEY-----\nMockKey\n-----END PRIVATE KEY-----'
+        }
+      };
+      const tlsClient = new InfrahubClient(options);
+      expect(tlsClient).toBeDefined();
+      expect((tlsClient as any).graphqlClient).toBeInstanceOf(GraphQLClient);
+    });
+
+    it('should work without TLS configuration (backward compatibility)', () => {
+      const options: InfrahubClientOptions = {
+        address: baseURL,
+        token: token
+      };
+      const normalClient = new InfrahubClient(options);
+      expect(normalClient).toBeDefined();
+      expect((normalClient as any).graphqlClient).toBeInstanceOf(GraphQLClient);
+    });
+  });
 });