sap-adt-mcp 0.7.1

package/src/adt-client.js

@@ -0,0 +1,278 @@
+import { Agent, fetch as undiciFetch } from "undici";
+import { BUILD_FINGERPRINT, CLIENT_TRACE_SALT } from "./tools/_shared.js";
+
+const UNSAFE_METHODS = new Set(["POST", "PUT", "DELETE", "PATCH"]);
+const DISCOVERY_PATH = "/sap/bc/adt/discovery";
+
+const DEFAULT_TIMEOUT_MS = 30_000;
+
+// ADT endpoints that use POST but are read-only queries — allowed in read-only mode.
+const READONLY_POST_PATHS = [
+  "/sap/bc/adt/repository/nodestructure",
+  "/sap/bc/adt/repository/informationsystem/search",
+  "/sap/bc/adt/repository/informationsystem/usagereferences",
+  "/sap/bc/adt/abapsource/parsers",
+  "/sap/bc/adt/checkruns",
+  // ATC worklist analysis: POSTs that create a transient worklist and run
+  // checks but do not modify any repository object — read-only in spirit.
+  "/sap/bc/adt/atc/",
+  // Data preview (OpenSQL SELECT / CDS preview) — read-only query execution.
+  "/sap/bc/adt/datapreview/",
+];
+
+// Headers a caller is NOT allowed to override via adt_request. Letting these
+// through would let the LLM (or anything that prompt-injects it) impersonate
+// another user (Authorization), forge a session (Cookie), or smuggle a stale
+// CSRF token. The client manages all three internally.
+const PROTECTED_HEADERS = new Set([
+  "authorization",
+  "cookie",
+  "x-csrf-token",
+]);
+
+const DEBUG = process.env.SAP_ADT_MCP_DEBUG === "1";
+
+export class ReadOnlyViolationError extends Error {
+  constructor(method, path) {
+    super(
+      `Read-only mode: refusing ${method} ${path}. ` +
+        "Set readOnly: false in config to allow writes."
+    );
+    this.name = "ReadOnlyViolationError";
+    this.code = "READ_ONLY";
+  }
+}
+
+export class AdtClient {
+  constructor(profile) {
+    this.profile = profile;
+    this.cookies = new Map();
+    this.csrfToken = null;
+    this.timeoutMs = profile.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    this.authHeader =
+      "Basic " +
+      Buffer.from(`${profile.user}:${profile.password}`).toString("base64");
+    this.dispatcher =
+      profile.rejectUnauthorized === false
+        ? new Agent({ connect: { rejectUnauthorized: false } })
+        : undefined;
+  }
+
+  async request({ method = "GET", path, query, body, headers = {}, accept, timeoutMs }) {
+    const upperMethod = method.toUpperCase();
+
+    // Resolve the path the same way #buildUrl will resolve it (collapsing
+    // "../" segments) BEFORE running the read-only check. Doing the check on
+    // the raw string lets a caller smuggle a write through a read-only
+    // allowlist entry, e.g. "/sap/bc/adt/checkruns/../programs/..."
+    // ─ startsWith() sees "/sap/bc/adt/checkruns" and allows the request, but
+    // new URL() then collapses it to "/sap/bc/adt/programs/...". Normalize
+    // first, gate second.
+    const resolvedPath = this.#resolvePath(path);
+
+    if (UNSAFE_METHODS.has(upperMethod) && this.profile.readOnly) {
+      if (!isReadOnlyPostPath(resolvedPath)) {
+        throw new ReadOnlyViolationError(upperMethod, resolvedPath);
+      }
+    }
+
+    if (UNSAFE_METHODS.has(upperMethod) && !this.csrfToken) {
+      await this.#fetchCsrf();
+    }
+
+    let res = await this.#send(upperMethod, resolvedPath, query, body, headers, accept, undefined, timeoutMs);
+
+    if (
+      res.status === 403 &&
+      (res.headers.get("x-csrf-token") || "").toLowerCase() === "required"
+    ) {
+      this.csrfToken = null;
+      await this.#fetchCsrf();
+      res = await this.#send(upperMethod, resolvedPath, query, body, headers, accept, undefined, timeoutMs);
+    }
+
+    return res;
+  }
+
+  // Public wrapper so callers (e.g. the adt_request handler) can apply the
+  // same path-prefix policy the client itself enforces internally.
+  resolvePath(path) {
+    return this.#resolvePath(path);
+  }
+
+  #resolvePath(path) {
+    if (typeof path !== "string" || path.length === 0) {
+      throw new Error("ADT path must be a non-empty string");
+    }
+    const base = this.profile.host.replace(/\/$/, "");
+    const normalized = path.startsWith("/") ? path : `/${path}`;
+    let url;
+    try {
+      url = new URL(base + normalized);
+    } catch {
+      throw new Error(`ADT path is not a valid URL component: ${path}`);
+    }
+    // Preserve any query stuffed into the path (some internal callers do
+    // this); the read-only check below splits on "?" anyway.
+    return url.pathname + url.search;
+  }
+
+  async #fetchCsrf() {
+    // Pass the fetch header via `internalHeaders` so #send doesn't strip it
+    // through the PROTECTED_HEADERS filter (that filter exists to stop
+    // adt_request callers from forging Authorization/Cookie/X-CSRF-Token —
+    // it must not apply to the client's own CSRF handshake).
+    const res = await this.#send(
+      "GET",
+      DISCOVERY_PATH,
+      null,
+      null,
+      {},
+      "application/atomsvc+xml",
+      { "X-CSRF-Token": "Fetch" }
+    );
+    const token = res.headers.get("x-csrf-token");
+    if (!token || token.toLowerCase() === "required") {
+      const body = await res.text().catch(() => "");
+      throw new Error(
+        `Failed to fetch CSRF token (status ${res.status}): ${body.slice(0, 200)}`
+      );
+    }
+    this.csrfToken = token;
+  }
+
+  async #send(method, adtPath, query, body, extraHeaders, accept, internalHeaders, timeoutMs) {
+    const url = this.#buildUrl(adtPath, query);
+    const headers = new Headers();
+    headers.set("Authorization", this.authHeader);
+    headers.set(
+      "Accept",
+      accept ?? "application/xml, application/json;q=0.9, */*;q=0.1"
+    );
+    headers.set(
+      "User-Agent",
+      `sap-adt-mcp (build ${BUILD_FINGERPRINT}; trace ${CLIENT_TRACE_SALT})`
+    );
+    if (this.cookies.size > 0) headers.set("Cookie", this.#cookieHeader());
+    if (this.csrfToken && UNSAFE_METHODS.has(method)) {
+      headers.set("X-CSRF-Token", this.csrfToken);
+    }
+    // Apply caller-supplied headers, but never let them override the auth /
+    // session headers the client owns. Without this, adt_request callers (or
+    // anything that prompt-injects the LLM into using it) could swap in a
+    // forged Authorization to impersonate another SAP user.
+    for (const [k, v] of Object.entries(extraHeaders)) {
+      if (PROTECTED_HEADERS.has(k.toLowerCase())) continue;
+      headers.set(k, v);
+    }
+    // Internal headers come from the client itself (e.g. the X-CSRF-Token:
+    // Fetch handshake) and are trusted — they bypass the protection filter.
+    if (internalHeaders) {
+      for (const [k, v] of Object.entries(internalHeaders)) {
+        headers.set(k, v);
+      }
+    }
+
+    let reqBody;
+    if (body !== undefined && body !== null) {
+      if (typeof body === "string") {
+        reqBody = body;
+      } else {
+        reqBody = JSON.stringify(body);
+        if (!headers.has("Content-Type")) {
+          headers.set("Content-Type", "application/json");
+        }
+      }
+    }
+
+    const init = { method, headers, body: reqBody };
+    if (this.dispatcher) init.dispatcher = this.dispatcher;
+
+    const effectiveTimeout = timeoutMs ?? this.timeoutMs;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), effectiveTimeout);
+    init.signal = controller.signal;
+
+    if (DEBUG) traceRequest(method, url, headers, reqBody);
+
+    let res;
+    const start = Date.now();
+    try {
+      res = await undiciFetch(url, init);
+    } catch (err) {
+      if (err.name === "AbortError") {
+        throw new Error(
+          `ADT request timed out after ${effectiveTimeout}ms: ${method} ${adtPath}`,
+          { cause: err }
+        );
+      }
+      throw err;
+    } finally {
+      clearTimeout(timer);
+    }
+
+    if (DEBUG) traceResponse(method, url, res.status, Date.now() - start);
+
+    this.#captureCookies(res.headers);
+    return res;
+  }
+
+  #buildUrl(adtPath, query) {
+    const base = this.profile.host.replace(/\/$/, "");
+    const normalized = adtPath.startsWith("/") ? adtPath : `/${adtPath}`;
+    const url = new URL(base + normalized);
+    if (this.profile.client && !url.searchParams.has("sap-client")) {
+      url.searchParams.set("sap-client", this.profile.client);
+    }
+    if (this.profile.language && !url.searchParams.has("sap-language")) {
+      url.searchParams.set("sap-language", this.profile.language);
+    }
+    if (query) {
+      for (const [k, v] of Object.entries(query)) {
+        url.searchParams.set(k, String(v));
+      }
+    }
+    return url.toString();
+  }
+
+  #captureCookies(headers) {
+    const setCookies =
+      typeof headers.getSetCookie === "function" ? headers.getSetCookie() : [];
+    for (const sc of setCookies) {
+      const [pair] = sc.split(";");
+      const eq = pair.indexOf("=");
+      if (eq > 0) {
+        this.cookies.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
+      }
+    }
+  }
+
+  #cookieHeader() {
+    return [...this.cookies.entries()]
+      .map(([k, v]) => `${k}=${v}`)
+      .join("; ");
+  }
+}
+
+function isReadOnlyPostPath(p) {
+  if (typeof p !== "string") return false;
+  const lower = p.toLowerCase().split("?")[0];
+  return READONLY_POST_PATHS.some((allowed) => lower.startsWith(allowed));
+}
+
+function traceRequest(method, url, headers, body) {
+  const safeUrl = url.replace(/\/\/[^@/]+@/, "//***@"); // strip basic-auth prefix if any
+  process.stderr.write(`[adt-debug] → ${method} ${safeUrl}\n`);
+  for (const [k, v] of headers.entries()) {
+    if (k.toLowerCase() === "authorization") continue;
+    process.stderr.write(`[adt-debug]   ${k}: ${v}\n`);
+  }
+  if (body) {
+    const preview = typeof body === "string" ? body.slice(0, 200) : "[binary]";
+    process.stderr.write(`[adt-debug]   body: ${preview}\n`);
+  }
+}
+
+function traceResponse(method, url, status, ms) {
+  process.stderr.write(`[adt-debug] ← ${status} ${method} ${url} (${ms}ms)\n`);
+}

package/src/adt-error.js

@@ -0,0 +1,135 @@
+// Parse SAP ADT error envelopes.
+//
+// ADT typically returns failures as XML wrapped in <exc:exception>:
+//   <exc:exception ... xmlns:exc="http://www.sap.com/abapxml/types/communication">
+//     <namespace id="com.sap.adt"/>
+//     <type id="ExceptionResourceFailure"/>
+//     <message lang="EN">Object ZFOO does not exist</message>
+//     <localizedMessage lang="EN">...</localizedMessage>
+//     <properties>
+//       <entry key="LONGTEXT"><![CDATA[<html>...full diagnostics...</html>]]></entry>
+//       <entry key="T100KEY-ID">SLOCK</entry>
+//       <entry key="T100KEY-NO">038</entry>
+//       <entry key="T100KEY-V1">…blocking-transport id…</entry>
+//       <entry key="T100KEY-V2">…</entry>
+//       …
+//     </properties>
+//   </exc:exception>
+//
+// On CTS / SLOCK / S_LOCK errors, the properties carry the actual diagnostic
+// (which TR blocks the lock, who owns it, suggested resolution). Older code
+// dropped these — surface them as `properties.longText` and `properties.t100`.
+//
+// Some endpoints return abap-style messages instead — we fall through to a
+// best-effort message extraction.
+
+const TYPE_RE = /<type[^>]*id\s*=\s*"([^"]+)"/i;
+const NS_RE = /<namespace[^>]*id\s*=\s*"([^"]+)"/i;
+const MSG_RE = /<message[^>]*>([\s\S]*?)<\/message>/i;
+const LOCAL_MSG_RE = /<localizedMessage[^>]*>([\s\S]*?)<\/localizedMessage>/i;
+
+// Match both <entry key="X">val</entry> and <property name="X">val</property>
+// shapes — different ADT endpoints use different conventions.
+const PROPERTY_RE =
+  /<(?:entry|property)\b[^>]*\b(?:key|name)\s*=\s*"([^"]+)"[^>]*>([\s\S]*?)<\/(?:entry|property)>/gi;
+
+export function parseAdtError(body, contentType) {
+  if (typeof body !== "string" || body.length === 0) return null;
+
+  const isXml =
+    (contentType && /xml/i.test(contentType)) ||
+    body.trimStart().startsWith("<");
+
+  if (!isXml) return null;
+
+  const hasExceptionTag = /<\w*:?exception\b/i.test(body);
+  if (!hasExceptionTag && !MSG_RE.test(body)) return null;
+
+  const type = match(body, TYPE_RE);
+  const namespace = match(body, NS_RE);
+  const message = decode(match(body, MSG_RE));
+  const localizedMessage = decode(match(body, LOCAL_MSG_RE));
+  const props = extractProperties(body);
+
+  if (!type && !message && !localizedMessage && !props) return null;
+
+  return {
+    type,
+    namespace,
+    message,
+    localizedMessage: localizedMessage === message ? undefined : localizedMessage,
+    ...(props ? { properties: props } : {}),
+  };
+}
+
+function extractProperties(body) {
+  const raw = {};
+  let m;
+  PROPERTY_RE.lastIndex = 0;
+  while ((m = PROPERTY_RE.exec(body)) !== null) {
+    const key = m[1];
+    const value = stripCData(m[2]);
+    if (key && value) raw[key] = decode(value).trim();
+  }
+  if (Object.keys(raw).length === 0) return null;
+
+  const result = {};
+  if (raw.LONGTEXT) {
+    result.longText = stripHtml(raw.LONGTEXT);
+  }
+  const t100 = {};
+  if (raw["T100KEY-ID"]) t100.id = raw["T100KEY-ID"];
+  if (raw["T100KEY-NO"]) t100.number = raw["T100KEY-NO"];
+  for (let i = 1; i <= 4; i++) {
+    const v = raw[`T100KEY-V${i}`];
+    if (v) {
+      t100.vars = t100.vars || [];
+      t100.vars.push(v);
+    }
+  }
+  if (Object.keys(t100).length > 0) result.t100 = t100;
+
+  // Anything else (e.g. CTS-specific properties) — keep as `other`.
+  const other = {};
+  for (const k of Object.keys(raw)) {
+    if (k === "LONGTEXT" || k.startsWith("T100KEY-")) continue;
+    other[k] = raw[k];
+  }
+  if (Object.keys(other).length > 0) result.other = other;
+
+  return Object.keys(result).length > 0 ? result : null;
+}
+
+function stripCData(s) {
+  if (!s) return s;
+  const trimmed = s.trim();
+  const m = trimmed.match(/^<!\[CDATA\[([\s\S]*)\]\]>$/);
+  return m ? m[1] : trimmed;
+}
+
+function stripHtml(s) {
+  if (!s) return s;
+  return s
+    .replace(/<br\s*\/?>/gi, "\n")
+    .replace(/<\/p>/gi, "\n")
+    .replace(/<[^>]+>/g, "")
+    .replace(/\u00A0/g, " ")
+    .replace(/[ \t]+\n/g, "\n")
+    .replace(/\n{3,}/g, "\n\n")
+    .trim();
+}
+
+function match(s, re) {
+  const m = s.match(re);
+  return m ? m[1].trim() : undefined;
+}
+
+function decode(s) {
+  if (!s) return s;
+  return s
+    .replace(/&lt;/g, "<")
+    .replace(/&gt;/g, ">")
+    .replace(/&quot;/g, '"')
+    .replace(/&apos;/g, "'")
+    .replace(/&amp;/g, "&");
+}

package/src/config.js

@@ -0,0 +1,78 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+
+const CANDIDATE_PATHS = [
+  process.env.SAP_ADT_MCP_CONFIG,
+  path.join(os.homedir(), ".sap-adt-mcp", "config.json"),
+  path.join(process.cwd(), "config.json"),
+].filter(Boolean);
+
+export function loadConfig() {
+  const configPath = CANDIDATE_PATHS.find((p) => fs.existsSync(p));
+  if (!configPath) {
+    throw new Error(
+      "No config found. Set SAP_ADT_MCP_CONFIG or create ~/.sap-adt-mcp/config.json " +
+        "(see config.example.json)."
+    );
+  }
+
+  let raw;
+  try {
+    raw = JSON.parse(fs.readFileSync(configPath, "utf8"));
+  } catch (err) {
+    throw new Error(`Failed to parse config at ${configPath}: ${err.message}`, {
+      cause: err,
+    });
+  }
+
+  const globalReadOnly = raw.readOnly === true;
+
+  const systems = {};
+  for (const [name, profile] of Object.entries(raw.systems ?? {})) {
+    systems[name] = {
+      host: requireString(profile.host, `${name}.host`),
+      client: profile.client != null ? String(profile.client) : undefined,
+      language: profile.language != null ? String(profile.language) : undefined,
+      user: requireString(profile.user, `${name}.user`),
+      password: resolveSecret(profile.password, name),
+      rejectUnauthorized: profile.rejectUnauthorized !== false,
+      readOnly: globalReadOnly || profile.readOnly === true,
+    };
+  }
+
+  if (Object.keys(systems).length === 0) {
+    throw new Error(`No systems configured in ${configPath}`);
+  }
+
+  return {
+    defaultSystem: raw.defaultSystem,
+    readOnly: globalReadOnly,
+    systems,
+    configPath,
+  };
+}
+
+function requireString(value, key) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new Error(`Config: ${key} must be a non-empty string`);
+  }
+  return value;
+}
+
+function resolveSecret(value, systemName) {
+  if (typeof value !== "string") {
+    throw new Error(`System ${systemName}: password must be a string`);
+  }
+  if (value.startsWith("env:")) {
+    const varName = value.slice(4);
+    const resolved = process.env[varName];
+    if (!resolved) {
+      throw new Error(
+        `System ${systemName}: env var ${varName} is not set`
+      );
+    }
+    return resolved;
+  }
+  return value;
+}

package/src/data-preview.js

@@ -0,0 +1,148 @@
+// SAP ADT Data Preview endpoint helpers.
+//
+// The /sap/bc/adt/datapreview/freestyle endpoint accepts an OpenSQL SELECT
+// statement and returns column metadata + rows in a dataPreview-namespaced
+// XML document. The exact shape varies slightly across releases:
+//
+//   <dataPreview:tableData>
+//     <dataPreview:columns>
+//       <dataPreview:metadata dataPreview:name="MATNR" dataPreview:type="C" ... />
+//       ...
+//     </dataPreview:columns>
+//     <dataPreview:values>
+//       <dataPreview:row>
+//         <dataPreview:value>...</dataPreview:value>
+//         ...
+//       </dataPreview:row>
+//     </dataPreview:values>
+//   </dataPreview:tableData>
+//
+// Older releases emit a flat <dataPreview:dataSet> with
+// <dataPreview:data columnName="X">value</dataPreview:data> per cell — we
+// handle both.
+
+// Client-side guard. The SAP /datapreview/freestyle endpoint already enforces
+// SELECT-only on the server side, but we add a cheap sanity check so callers
+// fail fast and obvious mistakes don't burn a round-trip. We don't try to
+// fully parse OpenSQL — we just confirm the statement starts with SELECT and
+// doesn't chain a second statement via ";".
+export function validateSelect(query) {
+  if (typeof query !== "string" || query.trim().length === 0) {
+    return { ok: false, reason: "Query is empty." };
+  }
+  // Strip leading line comments (ABAP: " or *).
+  let stripped = query.trim();
+  while (true) {
+    const before = stripped;
+    stripped = stripped.replace(/^\s*(?:"|\*)[^\n]*\n/, "").trimStart();
+    if (stripped === before) break;
+  }
+  if (!/^SELECT\b/i.test(stripped)) {
+    return { ok: false, reason: "Only SELECT statements are allowed." };
+  }
+  // Reject a semicolon followed by more non-trivial content (statement chain).
+  const withoutTrailingSemi = stripped.replace(/;\s*$/, "");
+  if (/;\s*\S/.test(withoutTrailingSemi)) {
+    return { ok: false, reason: "Multiple statements are not allowed." };
+  }
+  return { ok: true };
+}
+
+const METADATA_RE =
+  /<[a-zA-Z]+:metadata\b([^/]*)\/>|<[a-zA-Z]+:metadata\b([^>]*)>[\s\S]*?<\/[a-zA-Z]+:metadata>/g;
+const ROW_RE = /<[a-zA-Z]+:row\b[^>]*>([\s\S]*?)<\/[a-zA-Z]+:row>/g;
+const VALUE_RE = /<[a-zA-Z]+:value\b[^>]*>([\s\S]*?)<\/[a-zA-Z]+:value>/g;
+const DATA_CELL_RE =
+  /<[a-zA-Z]+:data\b[^>]*\b(?:dataPreview:)?columnName="([^"]+)"[^>]*>([\s\S]*?)<\/[a-zA-Z]+:data>/g;
+const ATTR_RE = (attr) =>
+  new RegExp(`\\b(?:[a-zA-Z]+:)?${attr}="([^"]*)"`, "i");
+
+function pickAttr(s, attr) {
+  const m = s.match(ATTR_RE(attr));
+  return m ? decodeEntities(m[1]) : undefined;
+}
+
+function decodeEntities(s) {
+  return s
+    .replace(/&lt;/g, "<")
+    .replace(/&gt;/g, ">")
+    .replace(/&quot;/g, '"')
+    .replace(/&apos;/g, "'")
+    .replace(/&amp;/g, "&");
+}
+
+function pickTagText(xml, tag) {
+  const re = new RegExp(`<[a-zA-Z]+:${tag}\\b[^>]*>([\\s\\S]*?)<\\/[a-zA-Z]+:${tag}>`, "i");
+  const m = xml.match(re);
+  return m ? decodeEntities(m[1].trim()) : undefined;
+}
+
+export function parseDataPreview(xml) {
+  const columns = [];
+  for (const m of xml.matchAll(METADATA_RE)) {
+    const attrs = m[1] ?? m[2] ?? "";
+    const name = pickAttr(attrs, "name");
+    if (!name) continue;
+    columns.push({
+      name,
+      type: pickAttr(attrs, "type"),
+      description: pickAttr(attrs, "description"),
+      length: pickAttr(attrs, "colLength") ?? pickAttr(attrs, "length"),
+      isKey: pickAttr(attrs, "keyAttribute") === "true",
+      isNumeric: pickAttr(attrs, "isNumeric") === "true",
+    });
+  }
+
+  const rows = [];
+
+  // Shape A: <row> + <value> positional elements aligned to column order.
+  const rowMatches = [...xml.matchAll(ROW_RE)];
+  if (rowMatches.length > 0) {
+    for (const rm of rowMatches) {
+      const inner = rm[1];
+      const values = [...inner.matchAll(VALUE_RE)].map((v) =>
+        decodeEntities(v[1].trim())
+      );
+      if (columns.length > 0) {
+        const row = {};
+        columns.forEach((col, i) => {
+          row[col.name] = values[i] ?? null;
+        });
+        rows.push(row);
+      } else {
+        rows.push(values);
+      }
+    }
+  } else {
+    // Shape B: flat <data columnName="X">val</data> blocks. We group every N
+    // cells into a row where N = column count.
+    const cells = [...xml.matchAll(DATA_CELL_RE)].map((m) => ({
+      column: m[1],
+      value: decodeEntities(m[2].trim()),
+    }));
+    if (columns.length > 0 && cells.length > 0) {
+      const stride = columns.length;
+      for (let i = 0; i < cells.length; i += stride) {
+        const row = {};
+        for (let j = 0; j < stride && i + j < cells.length; j++) {
+          const cell = cells[i + j];
+          row[cell.column] = cell.value;
+        }
+        rows.push(row);
+      }
+    }
+  }
+
+  const totalRowsAttr = pickTagText(xml, "totalRows");
+  const totalRows = totalRowsAttr ? Number(totalRowsAttr) : undefined;
+  const executedQuery = pickTagText(xml, "executedQueryString");
+  const executionTime = pickTagText(xml, "queryExecutionTime");
+
+  return {
+    columns,
+    rows,
+    totalRows: Number.isFinite(totalRows) ? totalRows : rows.length,
+    executedQuery,
+    executionTime,
+  };
+}