fix: delegate Azure AD credential creation to tedious and remove underscore column filter

- **Azure AD auth**: Pass `azure-active-directory-*` types directly to tedious
  instead of constructing `DefaultAzureCredential` ourselves. Tedious imports
  `@azure/identity` internally and creates credentials — avoids bun CJS/ESM
  `isTokenCredential` boundary issue that caused "not an instance of the token
  credential class" errors.
- **Auth shorthands**: Map `CLI`, `default`, `password`, `service-principal`,
  `msi`, `managed-identity` to their full tedious type names.
- **Column filter**: Remove `_.startsWith("_")` filter from `execute()` result
  columns — it stripped legitimate aliases like `_p` used by partition discovery,
  causing partitioned diffs to return empty results.
- **Tests**: Remove `@azure/identity` mock (no longer imported by driver),
  update auth assertions, add shorthand mapping tests, fix column filter test.
- **Verified**: All 97 driver tests pass. Full data-diff pipeline tested against
  real MSSQL server (profile, joindiff, auto, where_clause, partitioned).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: suryaiyer95

packages/drivers/src/sqlserver.ts

@@ -37,29 +37,30 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
         },
       }
 
-      const authType = config.authentication as string | undefined
+      // Normalize shorthand auth values to tedious-compatible types
+      const AUTH_SHORTHANDS: Record<string, string> = {
+        cli: "azure-active-directory-default",
+        default: "azure-active-directory-default",
+        password: "azure-active-directory-password",
+        "service-principal": "azure-active-directory-service-principal-secret",
+        serviceprincipal: "azure-active-directory-service-principal-secret",
+        "managed-identity": "azure-active-directory-msi-vm",
+        msi: "azure-active-directory-msi-vm",
+      }
+      const rawAuth = config.authentication as string | undefined
+      const authType = rawAuth ? (AUTH_SHORTHANDS[rawAuth.toLowerCase()] ?? rawAuth) : undefined
 
-      if (authType?.startsWith("azure-active-directory") || authType === "token-credential") {
-        // Azure AD / Entra ID — always encrypt
+      if (authType?.startsWith("azure-active-directory")) {
+        // Azure AD / Entra ID — tedious handles credential creation internally.
+        // We pass the type + options; tedious imports @azure/identity itself.
         ;(mssqlConfig.options as any).encrypt = true
 
-        if (authType === "token-credential" || authType === "azure-active-directory-default") {
-          try {
-            const { DefaultAzureCredential } = await import("@azure/identity")
-            mssqlConfig.authentication = {
-              type: "token-credential",
-              options: {
-                credential: new DefaultAzureCredential(
-                  config.azure_client_id
-                    ? { managedIdentityClientId: config.azure_client_id as string }
-                    : undefined,
-                ),
-              },
-            }
-          } catch {
-            throw new Error(
-              "Azure AD authentication requires @azure/identity. Run: npm install @azure/identity",
-            )
+        if (authType === "azure-active-directory-default") {
+          mssqlConfig.authentication = {
+            type: "azure-active-directory-default",
+            options: {
+              ...(config.azure_client_id && { clientId: config.azure_client_id as string }),
+            },
           }
         } else if (authType === "azure-active-directory-password") {
           mssqlConfig.authentication = {
@@ -128,7 +129,7 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
       const rows = result.recordset ?? []
       const columns =
         rows.length > 0
-          ? Object.keys(rows[0]).filter((k) => !k.startsWith("_"))
+          ? Object.keys(rows[0])
           : (result.recordset?.columns
               ? Object.keys(result.recordset.columns)
               : [])

packages/drivers/test/sqlserver-unit.test.ts

@@ -53,18 +53,6 @@ mock.module("mssql", () => ({
   },
 }))
 
-// Mock @azure/identity for Azure AD tests
-class MockDefaultAzureCredential {
-  opts: any
-  constructor(opts?: any) {
-    this.opts = opts
-  }
-}
-
-mock.module("@azure/identity", () => ({
-  DefaultAzureCredential: MockDefaultAzureCredential,
-}))
-
 // Import after mocking
 const { connect } = await import("../src/sqlserver")
 
@@ -250,7 +238,7 @@ describe("SQL Server driver unit tests", () => {
       })
     })
 
-    test("azure-active-directory-default uses DefaultAzureCredential", async () => {
+    test("azure-active-directory-default passes type to tedious (no credential object)", async () => {
       resetMocks()
       const c = await connect({
         host: "myserver.database.windows.net",
@@ -259,23 +247,22 @@ describe("SQL Server driver unit tests", () => {
       })
       await c.connect()
       const cfg = mockConnectCalls[0]
-      expect(cfg.authentication.type).toBe("token-credential")
-      expect(cfg.authentication.options.credential).toBeInstanceOf(MockDefaultAzureCredential)
+      expect(cfg.authentication.type).toBe("azure-active-directory-default")
+      expect(cfg.authentication.options.credential).toBeUndefined()
     })
 
-    test("token-credential uses DefaultAzureCredential with managed identity", async () => {
+    test("azure-active-directory-default with client_id passes clientId option", async () => {
       resetMocks()
       const c = await connect({
         host: "myserver.database.windows.net",
         database: "db",
-        authentication: "token-credential",
+        authentication: "azure-active-directory-default",
         azure_client_id: "mi-client-id",
       })
       await c.connect()
       const cfg = mockConnectCalls[0]
-      expect(cfg.authentication.type).toBe("token-credential")
-      const cred = cfg.authentication.options.credential as MockDefaultAzureCredential
-      expect(cred.opts).toEqual({ managedIdentityClientId: "mi-client-id" })
+      expect(cfg.authentication.type).toBe("azure-active-directory-default")
+      expect(cfg.authentication.options.clientId).toBe("mi-client-id")
     })
 
     test("encryption forced for all Azure AD connections", async () => {
@@ -299,6 +286,47 @@ describe("SQL Server driver unit tests", () => {
       const cfg = mockConnectCalls[0]
       expect(cfg.options.encrypt).toBe(false)
     })
+
+    test("'CLI' shorthand maps to azure-active-directory-default", async () => {
+      resetMocks()
+      const c = await connect({
+        host: "myserver.datawarehouse.fabric.microsoft.com",
+        database: "migration",
+        authentication: "CLI",
+      })
+      await c.connect()
+      const cfg = mockConnectCalls[0]
+      expect(cfg.authentication.type).toBe("azure-active-directory-default")
+      expect(cfg.options.encrypt).toBe(true)
+    })
+
+    test("'service-principal' shorthand maps correctly", async () => {
+      resetMocks()
+      const c = await connect({
+        host: "myserver.database.windows.net",
+        database: "db",
+        authentication: "service-principal",
+        azure_client_id: "cid",
+        azure_client_secret: "csec",
+        azure_tenant_id: "tid",
+      })
+      await c.connect()
+      const cfg = mockConnectCalls[0]
+      expect(cfg.authentication.type).toBe("azure-active-directory-service-principal-secret")
+      expect(cfg.authentication.options.clientId).toBe("cid")
+    })
+
+    test("'msi' shorthand maps to azure-active-directory-msi-vm", async () => {
+      resetMocks()
+      const c = await connect({
+        host: "myserver.database.windows.net",
+        database: "db",
+        authentication: "msi",
+      })
+      await c.connect()
+      const cfg = mockConnectCalls[0]
+      expect(cfg.authentication.type).toBe("azure-active-directory-msi-vm")
+    })
   })
 
   // --- Schema introspection ---
@@ -372,12 +400,12 @@ describe("SQL Server driver unit tests", () => {
       ])
     })
 
-    test("filters underscore-prefixed columns", async () => {
+    test("preserves underscore-prefixed columns", async () => {
       mockQueryResult = {
-        recordset: [{ id: 1, _bucket: 3, name: "x" }],
+        recordset: [{ id: 1, _p: "Delivered", name: "x" }],
       }
       const result = await connector.execute("SELECT * FROM t")
-      expect(result.columns).toEqual(["id", "name"])
+      expect(result.columns).toEqual(["id", "_p", "name"])
     })
   })
 })