fix(ci): restore package-lock.json tracking and fix Nx lockfile detection

[Copilot]

• Investigated CI failures: ts-xsd:lint, adt-cli:lint, adt-contracts:test
• ts-xsd:lint: Removed explicit : boolean type annotations from default params in raw-schema.ts and generate.ts (violated @typescript-eslint/no-inferrable-types)
• adt-cli:lint: Converted dynamic await import('@abapify/adk') in service.ts to static import — Nx @nx/enforce-module-boundaries flags ALL static imports of a library as forbidden when ANY dynamic import of it exists in the same project
• adt-contracts:test: Fixed test expectation for Accept header in core.test.ts — test expected application/json but the contract (correctly) uses application/vnd.sap.adt.core.http.systeminformation.v1+json
• Verified all 3 tasks pass locally: ts-xsd:lint (0 errors), adt-cli:lint (0 errors), adt-contracts:test (192/192 passing)

Original prompt

Context

This is issue #71, part of epic #70: restoring BTP service key authentication to the adt-cli monorepo.

The repo is a Nx monorepo using Bun. The auth system in @abapify/adt-auth uses a plugin architecture where each auth method is a separate plugin implementing AuthPlugin interface with a default export.

---

Goal

Implement a new service-key auth plugin inside packages/adt-auth that authenticates against SAP BTP using a service key JSON. This involves migrating existing code from packages/adt-cli/src/lib/auth-utils.ts and packages/adt-cli/src/lib/oauth-utils.ts into packages/adt-auth.

Also implement a utility resolveServiceKeyFromEnv() that reads ADT_SERVICE_KEY or COPILOT_ADT_SERVICE_KEY env vars and returns a ready Destination config for the service-key plugin (this covers issues #71 and #72 together as they are tightly coupled).

---

Existing Code to Migrate

packages/adt-cli/src/lib/auth-utils.ts (migrate → packages/adt-auth/src/types/service-key.ts)

// Standalone auth utilities for ADT CLI
// Based on @abapify/btp-service-key-parser

export interface UAACredentials {
  tenantmode: string;
  sburl: string;
  subaccountid: string;
  'credential-type': string;
  clientid: string;
  xsappname: string;
  clientsecret: string;
  serviceInstanceId: string;
  url: string;
  uaadomain: string;
  verificationkey: string;
  apiurl: string;
  identityzone: string;
  identityzoneid: string;
  tenantid: string;
  zoneid: string;
}

export interface Catalog {
  path: string;
  type: string;
}

export interface Binding {
  env: string;
  version: string;
  type: string;
  id: string;
}

export interface BTPServiceKey {
  uaa: UAACredentials;
  url: string;
  'sap.cloud.service': string;
  systemid: string;
  endpoints: Record<string, string>;
  catalogs: Record<string, Catalog>;
  binding: Binding;
  preserve_host_header: boolean;
}

export interface OAuthToken {
  access_token: string;
  token_type: string;
  expires_in: number;
  scope: string;
  refresh_token?: string;
  expires_at: Date;
}

export class ServiceKeyParser {
  static parse(serviceKeyJson: string | object): BTPServiceKey {
    let parsed: unknown;

    if (typeof serviceKeyJson === 'string') {
      try {
        parsed = JSON.parse(serviceKeyJson);
      } catch (error) {
        throw new Error('Invalid JSON format in service key', { cause: error });
      }
    } else {
      parsed = serviceKeyJson;
    }

    if (!parsed || typeof parsed !== 'object') {
      throw new Error('Invalid service key format');
    }

    const serviceKey = parsed as any;

    if (!serviceKey.uaa || !serviceKey.url || !serviceKey.systemid) {
      throw new Error('Missing required fields in service key');
    }

    return serviceKey as BTPServiceKey;
  }
}

packages/adt-cli/src/lib/oauth-utils.ts (migrate → packages/adt-auth/src/utils/pkce.ts)

import { createHash, randomBytes } from 'crypto';

export function generateCodeVerifier(): string {
  return randomBytes(32).toString('base64url');
}

export function generateCodeChallenge(verifier: string): string {
  return createHash('sha256').update(verifier).digest('base64url');
}

export function generateState(): string {
  return randomBytes(16).toString('hex');
}

---

Reference: Existing basic Plugin Pattern

import type { AuthPlugin, AuthPluginOptions, BasicAuthResult } from '../types';

export interface BasicAuthOptions extends AuthPluginOptions {
  username: string;
  password: string;
}

const authPlugin: AuthPlugin = {
  async authenticate(options: BasicAuthOptions): Promise<BasicAuthResult> {
    const { username, password } = options;
    if (!username || !password) {
      throw new Error('Basic auth requires username and password');
    }
    return {
      method: 'basic',
      credentials: { username, password },
    };
  },
};

export default authPlugin;

---

Reference: AuthPlugin Types

export type AuthMethod = 'basic' | 'cookie';

export interface BasicCredentials { username: string; password: string; }
export interface CookieCredentials { cookies: string; expiresAt: string; }
export type Credentials = BasicCredentials | CookieCredentials;

export interface AuthConfig {
  method: AuthMethod;
  plugin?: string;
  pluginOptions?: AuthPluginOptions;
  credenti...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.

[nx-cloud]

View your CI Pipeline Execution ↗ for commit c7b856c

Command	Status	Duration	Result
nx affected -t lint test build e2e-ci --verbose...	✅ Succeeded	33s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-03-10 07:02:04 UTC

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 19985434-ad38-4519-90b0-a2067193fbab

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch copilot/add-service-key-auth-plugin

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Note

Unit test generation is a public access feature. Expect some limitations and changes as we gather feedback and continue to improve it.

---

Generating unit tests... This may take up to 20 minutes.

[coderabbitai]

Request timed out after 900000ms (requestId=dfa1e45d-9251-4633-910b-7a6178455b5c)

[ThePlenkov]

@copilot please fix CI

[Copilot]

@copilot please fix CI

Fixed in c7b1ce8.

The previous fix changed ci.yml (switched bun install → npm ci), which triggered GitHub's workflow file approval gate (action_required) — blocking CI from running.

New approach: reverted ci.yml back to bun install, and added "cli": { "packageManager": "npm" } to nx.json. This tells Nx to always use package-lock.json for external node analysis regardless of what lockfiles exist on the filesystem. Since package-lock.json is committed (from the previous commit), Nx can now find eslint as an external dependency and hash all lint tasks correctly.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://storage.googleapis.com/prod-north-america/69ab0980542defed8d2aa8f4/5f6c6d6a-eeec-463d-8752-3499c3c4b546-logs
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/adt-cli/adt-cli/node_modules/.bin/nx run adt-aunit:lint --dry-run --noprofile -c ripts/log-tool-calls.sh (http block)
• https://storage.googleapis.com/prod-north-america/69ab0980542defed8d2aa8f4/677af78e-774b-49dc-9ff6-0218cfd97efd-logs
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/adt-cli/adt-cli/node_modules/.bin/nx run adt-aunit:lint --dry-run &status=waiting (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR restores correct dependency/lockfile detection for Nx task hashing and expands the ADT toolchain with service-key OAuth auth support, AUnit schemas/contracts, and improved XSD import/ref resolution in ts-xsd.

Changes:

• Fix Nx external dependency graph stability by tracking package-lock.json, ignoring bun.lock, and setting nx.json cli.packageManager: "npm".
• Add BTP service-key (PKCE) authentication support and CLI integration, plus support for passing Bearer tokens through the ADT client adapter.
• Extend schema/codegen pipeline to better honor imported schemas and add/regen AUnit-related schemas, fixtures, and contract tests.

Reviewed changes

Copilot reviewed 58 out of 101 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
packages/ts-xsd/src/xsd/parse.ts	Adjust attribute copy helpers to check explicit attribute presence
packages/ts-xsd/src/xml/build.ts	Fix namespace qualification by using defining schema’s elementFormDefault first
packages/ts-xsd/src/generators/raw-schema.ts	Add singleQuote option and propagate through literal generation
packages/ts-xsd/src/generators/interfaces.ts	Preserve $imports refs during resolution to support cross-schema element refs
packages/ts-xsd/src/codegen/ts-morph.ts	Resolve element.ref across $imports for imported schemas
packages/ts-xsd/src/codegen/generate.ts	Add singleQuote option and propagate through literal generation
packages/browser-auth/src/types.ts	Add loginUrl option for SSO navigation target customization
packages/browser-auth/src/auth-core.ts	Support loginUrl and broaden cookie-detection to SAP-domain responses
packages/adt-schemas/ts-xsd.config.ts	Add new custom schemas + enable single-quote generation
packages/adt-schemas/src/schemas/generated/types/sap/transportmanagment.types.ts	Regenerated types (now includes link structures)
packages/adt-schemas/src/schemas/generated/types/sap/traces.types.ts	Regenerated types (more specific uriMapping)
packages/adt-schemas/src/schemas/generated/types/sap/quickfixes.types.ts	Regenerated types (more specific object refs/links)
packages/adt-schemas/src/schemas/generated/types/sap/logpoint.types.ts	Regenerated types (adds link)
packages/adt-schemas/src/schemas/generated/types/sap/log.types.ts	Regenerated types (adds multiple link nodes)
packages/adt-schemas/src/schemas/generated/types/sap/configurations.types.ts	Regenerated types (replaces unknown with explicit structure)
packages/adt-schemas/src/schemas/generated/types/sap/configuration.types.ts	Regenerated types (adds link)
packages/adt-schemas/src/schemas/generated/types/sap/checkrun.types.ts	Regenerated types (adds link)
packages/adt-schemas/src/schemas/generated/types/sap/checklist.types.ts	Regenerated types (adds link)
packages/adt-schemas/src/schemas/generated/types/sap/atcworklist.types.ts	Regenerated types (adds scaAttributes/descriptionTags)
packages/adt-schemas/src/schemas/generated/types/sap/atcresult.types.ts	Regenerated types (adds scaAttributes/descriptionTags + queryChoice shape)
packages/adt-schemas/src/schemas/generated/types/sap/atcfinding.types.ts	Regenerated types (adds link)
packages/adt-schemas/src/schemas/generated/types/sap/atcexemption.types.ts	Regenerated types (adds reasons/validities)
packages/adt-schemas/src/schemas/generated/types/sap/adtcore.types.ts	Regenerated types (adds link)
packages/adt-schemas/src/schemas/generated/types/sap/abapsource.types.ts	Regenerated types (adds link blocks)
packages/adt-schemas/src/schemas/generated/types/custom/transportmanagmentSingle.types.ts	Regenerated types (adds link blocks)
packages/adt-schemas/src/schemas/generated/types/custom/http.types.ts	Regenerated types (adds link)
packages/adt-schemas/src/schemas/generated/types/custom/discovery.types.ts	Regenerated types (adds more fields)
packages/adt-schemas/src/schemas/generated/types/custom/aunitRun.types.ts	New generated AUnit run-config types
packages/adt-schemas/src/schemas/generated/types/custom/aunitResult.types.ts	New generated AUnit run-result types
packages/adt-schemas/src/schemas/generated/types/custom/atcRun.types.ts	Regenerated types (adds objectReferences wrapper)
packages/adt-schemas/src/schemas/generated/types/custom/adtcoreObjectSets.types.ts	New generated extension types for missing ADT core objectSets
packages/adt-schemas/src/schemas/generated/typed.ts	Register typed schemas for AUnit run/result
packages/adt-schemas/src/schemas/generated/schemas/sap/atcworklist.ts	Import atc + add scaAttributes element
packages/adt-schemas/src/schemas/generated/schemas/sap/atcresult.ts	Import atc + add scaAttributes element
packages/adt-schemas/src/schemas/generated/schemas/sap/atcexemption.ts	Import atc + add reasons/validities elements
packages/adt-schemas/src/schemas/generated/schemas/custom/index.ts	Export new custom schemas
packages/adt-schemas/src/schemas/generated/schemas/custom/aunitRun.ts	New generated AUnit run schema literal
packages/adt-schemas/src/schemas/generated/schemas/custom/aunitResult.ts	New generated AUnit result schema literal
packages/adt-schemas/src/schemas/generated/schemas/custom/adtcoreObjectSets.ts	New generated extension schema literal for objectSets
packages/adt-schemas/project.json	Run prettier after codegen
packages/adt-schemas/AGENTS.md	Clarify XSD lifecycle rules (downloaded vs custom vs generated)
packages/adt-schemas/.xsd/custom/aunitRun.xsd	New custom XSD for AUnit run configuration
packages/adt-schemas/.xsd/custom/aunitResult.xsd	New custom XSD for AUnit result response
packages/adt-schemas/.xsd/custom/adtcoreObjectSets.xsd	New custom XSD extending ADT core objectSets types
packages/adt-playwright/src/index.ts	Ensure destination-specific options override global options
packages/adt-fixtures/src/fixtures/registry.ts	Add AUnit fixtures
packages/adt-fixtures/src/fixtures/aunit/run-result.xml	New AUnit run-result fixture
packages/adt-fixtures/src/fixtures/aunit/run-request.xml	New AUnit run-request fixture
packages/adt-contracts/tests/contracts/aunit.test.ts	New AUnit contract + fixture parsing tests
packages/adt-contracts/src/generated/schemas.ts	Expose AUnit schemas to contracts
packages/adt-contracts/src/adt/repository/informationsystem/search.ts	Add package/objectType filters + set XML Accept header
packages/adt-contracts/src/adt/index.ts	Export and register AUnit contract
packages/adt-contracts/src/adt/core/http/systeminformation.ts	Use SAP-specific vendor JSON Accept header
packages/adt-contracts/src/adt/aunit/index.ts	New AUnit endpoint contract
packages/adt-config/src/config-loader.ts	Change string destination shorthand to default to basic auth plugin
packages/adt-client/src/types.ts	Add authorizationHeader to connection config
packages/adt-client/src/adapter.ts	Prefer explicit Authorization header over basic auth
packages/adt-cli/tsdown.config.ts	Remove forced bundling config
packages/adt-cli/src/lib/utils/adt-client-v2.ts	Support bearer token stored in cookie creds with Authorization: prefix
packages/adt-cli/src/lib/services/import/service.ts	Build ADK objects and route through format import + hooks/context
packages/adt-cli/src/lib/commands/import/package.ts	Change default format and output directory
packages/adt-cli/src/lib/commands/auth/login.ts	Prompt for basic auth creds when missing in config
packages/adt-cli/src/lib/cli.ts	Add --service-key auto-authentication flow
packages/adt-cli/src/lib/auth-utils.ts	Expand service-key types/validation adjustments
packages/adt-auth/tsdown.config.ts	Add build entries for service-key plugin and env utilities
packages/adt-auth/src/utils/env.ts	Add env/file-based service-key resolution helpers
packages/adt-auth/src/plugins/service-key.ts	New BTP service-key PKCE auth plugin
packages/adt-auth/src/index.ts	Export service-key plugin + env utilities + service-key types
packages/adt-auth/package.json	Export new plugin and utility entrypoints
packages/adt-aunit/tsdown.config.ts	New build configuration for AUnit plugin
packages/adt-aunit/tsconfig.json	New TS config for AUnit package
packages/adt-aunit/src/types.ts	New normalized AUnit result model
packages/adt-aunit/src/index.ts	New public exports for AUnit plugin
packages/adt-aunit/src/formatters/junit.ts	New JUnit XML output formatter
packages/adt-aunit/src/formatters/index.ts	Export formatter helpers
packages/adt-aunit/src/commands/aunit.ts	New adt aunit command implementation
packages/adt-aunit/project.json	New Nx project definition
packages/adt-aunit/package.json	New package manifest + exports
packages/adk/src/objects/repository/devc/devc.model.ts	Implement package subpackage/object discovery via repository search
package.json	Add workspace packages to root devDependencies
nx.json	Set Nx CLI package manager to npm
adt.config.ts	Register AUnit command plugin
AGENTS.md	Add file lifecycle guidance
.windsurf/skills	Add skills pointer file (environment-specific path)
.gitignore	Ignore .adt and bun.lock
.github/workflows/ci.yml	Restrict push workflow to main only
.github/skills/add-object-type/SKILL.md	Formatting/markdown table cleanup
.github/skills/add-endpoint/SKILL.md	Formatting/markdown table cleanup
.github/skills	Add skills pointer file (environment-specific path)
.claude/skills	Add skills pointer file (environment-specific path)

Comments suppressed due to low confidence (8)

packages/browser-auth/src/auth-core.ts:1

• new URL(event.url)` can throw if the adapter emits non-absolute URLs (e.g., about:blank, data:, or relative URLs). Wrap the URL parsing in a try/catch (or guard on a valid http/https prefix) to avoid crashing the auth flow on unrelated responses.
  packages/adt-cli/src/lib/services/import/service.ts:1
• adkObjectis checked for falsiness only after callingload(). If factory.get(...)returnsundefinedfor an unknown type, this will throw before the skip logic runs. Move the null/undefined check before invokingload()`.
  packages/adt-cli/src/lib/services/import/service.ts:1
• The dynamic import of '@abapify/adk' happens inside the per-object loop, adding avoidable overhead for large imports. Import (or dynamically import) once before iterating, then reuse the factory for all objects.
  packages/adt-auth/src/utils/env.ts:1
• The PR description mentions supporting both ADT_SERVICE_KEY and COPILOT_ADT_SERVICE_KEY, but the implementation only checks ADT_SERVICE_KEY. Consider checking COPILOT_ADT_SERVICE_KEY as a fallback (or updating the docs/description if that’s no longer intended).
  packages/adt-auth/src/plugins/service-key.ts:1
• This encodes a Bearer token into a field named "cookies" and returns it as method "cookie", which is semantically misleading and makes downstream handling brittle (it already requires special-casing in adt-client-v2). Prefer introducing an explicit auth method/credential shape for Bearer tokens (e.g., method: 'bearer' with { authorizationHeader, expiresAt }) so consumers don’t need to parse a magic prefix string. Also ensure the type of expiresAt matches the declared CookieCredentials shape (commonly string/ISO rather than Date) to avoid runtime serialization issues in storage.
  packages/adt-client/src/adapter.ts:1
• If neither SAML (cookieHeader) nor authorizationHeader is provided, this constructs a Basic auth header even when username/password are undefined (producing a header for "undefined:undefined"). Only emit the Basic header when both username and password are set.
  packages/adt-schemas/project.json:1
• Chaining cd ../.. inside the command is brittle (especially across shells/Windows) and makes the working directory implicit. Prefer configuring the working directory for a separate command step (e.g., Nx run-commands array) or invoking prettier with an explicit --config/paths without relying on cd.
  .windsurf/skills:1
• This file contains an absolute, machine-specific path that will not exist for other contributors and may leak local environment details. Prefer removing it from the repo or replacing it with a relative path/documented configuration that works across environments. (Same concern applies to similar pointer files in .github/skills and .claude/skills.)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[nx-cloud]

Nx Cloud is proposing a fix for your failed CI:

These changes fix three categories of lint/test failures introduced by the PR. We removed redundant type annotations in ts-xsd, updated the test expectation to match the intentional Accept header change, and converted static imports of the lazy-loaded adk library to use import type for types and dynamic imports for runtime values, preserving the workspace's module boundary architecture.

Tip

✅ We verified this fix by re-running ts-xsd:lint.

Warning

The suggested diff is too large to display here, but you can view it on Nx Cloud ↗

  

Or Apply changes locally with:

npx nx-cloud apply-locally JjZW-ja4W

Apply fix locally with your editor ↗   View interactive diff ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

[ThePlenkov]

@copilot please fix ci

[Copilot]

@copilot please fix ci

Fixed in c7b856c. Three tasks were failing:

1. ts-xsd:lint — removed explicit : boolean type annotation from default params in generate.ts and raw-schema.ts (@typescript-eslint/no-inferrable-types)

2. adt-cli:lint — service.ts had both a static import and a dynamic await import('@abapify/adk'). The Nx @nx/enforce-module-boundaries rule treats a library as "lazy-loaded" when any dynamic import of it exists, then flags all static imports in the project as errors. Fixed by converting the dynamic import to use the already-present static import.

3. adt-contracts:test — test expected Accept: 'application/json' but the contract correctly uses application/vnd.sap.adt.core.http.systeminformation.v1+json. Updated the test expectation to match.

[sonarqubecloud]

Quality Gate failed

Failed conditions
10 Security Hotspots
22.5% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud