fix: acquire Azure AD tokens directly to bypass Bun browser-bundle resolution

- For `azure-active-directory-default` (CLI/default auth), acquire token
  ourselves instead of delegating to tedious's internal `@azure/identity`
- Strategy: try `DefaultAzureCredential` first, fall back to `az` CLI subprocess
- Bypasses Bun resolving `@azure/identity` to browser bundle where
  `DefaultAzureCredential` is a non-functional stub
- Also bypasses CJS/ESM `isTokenCredential` boundary mismatch
- All 31 driver unit tests pass, verified against real Fabric endpoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: suryaiyer95

packages/drivers/src/sqlserver.ts

@@ -54,24 +54,60 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
       const authType = rawAuth ? (AUTH_SHORTHANDS[rawAuth.toLowerCase()] ?? rawAuth) : undefined
 
       if (authType?.startsWith("azure-active-directory")) {
-        // Azure AD / Entra ID — tedious handles credential creation internally.
-        // We pass the type + options; tedious imports @azure/identity itself.
-        // Verify @azure/identity is available before attempting Azure AD auth.
-        try {
-          await import("@azure/identity")
-        } catch {
-          throw new Error(
-            "Azure AD authentication requires @azure/identity. Run: npm install @azure/identity",
-          )
-        }
         ;(mssqlConfig.options as any).encrypt = true
 
         if (authType === "azure-active-directory-default") {
+          // Acquire a token ourselves and pass it as a raw access token string.
+          // We avoid using @azure/identity's DefaultAzureCredential because:
+          //  1. Bun can resolve @azure/identity to the browser bundle (inside
+          //     tedious or even our own import), where DefaultAzureCredential
+          //     is a non-functional stub that throws.
+          //  2. Passing a credential object via type:"token-credential" hits a
+          //     CJS/ESM isTokenCredential boundary mismatch in Bun.
+          //
+          // Strategy: try @azure/identity first (works when module resolution
+          // is correct), fall back to shelling out to `az account get-access-token`
+          // (works everywhere Azure CLI is installed).
+          let token: string | undefined
+
+          // Attempt 1: @azure/identity (fast, no subprocess)
+          try {
+            const azureIdentity = await import("@azure/identity")
+            const credential = new azureIdentity.DefaultAzureCredential(
+              config.azure_client_id
+                ? { managedIdentityClientId: config.azure_client_id as string }
+                : undefined,
+            )
+            const tokenResponse = await credential.getToken("https://database.windows.net/.default")
+            token = tokenResponse?.token
+          } catch {
+            // @azure/identity unavailable or browser bundle — fall through
+          }
+
+          // Attempt 2: Azure CLI subprocess (universal fallback)
+          if (!token) {
+            try {
+              const { execSync } = await import("node:child_process")
+              const json = execSync(
+                "az account get-access-token --resource https://database.windows.net/ --query accessToken -o tsv",
+                { encoding: "utf-8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"] },
+              ).trim()
+              if (json) token = json
+            } catch {
+              // az CLI not installed or not logged in
+            }
+          }
+
+          if (!token) {
+            throw new Error(
+              "Azure AD default auth failed. Either install @azure/identity (npm install @azure/identity) " +
+              "or log in with Azure CLI (az login).",
+            )
+          }
+
           mssqlConfig.authentication = {
-            type: "azure-active-directory-default",
-            options: {
-              ...(config.azure_client_id ? { clientId: config.azure_client_id as string } : {}),
-            },
+            type: "azure-active-directory-access-token",
+            options: { token },
           }
         } else if (authType === "azure-active-directory-password") {
           mssqlConfig.authentication = {

packages/drivers/test/sqlserver-unit.test.ts

@@ -65,6 +65,18 @@ mock.module("mssql", () => ({
   },
 }))
 
+mock.module("@azure/identity", () => ({
+  DefaultAzureCredential: class {
+    _opts: any
+    constructor(opts?: any) { this._opts = opts }
+    async getToken(_scope: string) { return { token: "mock-azure-token-12345", expiresOnTimestamp: Date.now() + 3600000 } }
+  },
+}))
+
+mock.module("node:child_process", () => ({
+  execSync: (_cmd: string) => "mock-cli-token-fallback\n",
+}))
+
 // Import after mocking
 const { connect } = await import("../src/sqlserver")
 
@@ -250,7 +262,7 @@ describe("SQL Server driver unit tests", () => {
       })
     })
 
-    test("azure-active-directory-default passes type to tedious (no credential object)", async () => {
+    test("azure-active-directory-default acquires token and passes as access-token", async () => {
       resetMocks()
       const c = await connect({
         host: "myserver.database.windows.net",
@@ -259,11 +271,11 @@ describe("SQL Server driver unit tests", () => {
       })
       await c.connect()
       const cfg = mockConnectCalls[0]
-      expect(cfg.authentication.type).toBe("azure-active-directory-default")
-      expect(cfg.authentication.options.credential).toBeUndefined()
+      expect(cfg.authentication.type).toBe("azure-active-directory-access-token")
+      expect(cfg.authentication.options.token).toBe("mock-azure-token-12345")
     })
 
-    test("azure-active-directory-default with client_id passes clientId option", async () => {
+    test("azure-active-directory-default with client_id passes managedIdentityClientId to credential", async () => {
       resetMocks()
       const c = await connect({
         host: "myserver.database.windows.net",
@@ -273,8 +285,9 @@ describe("SQL Server driver unit tests", () => {
       })
       await c.connect()
       const cfg = mockConnectCalls[0]
-      expect(cfg.authentication.type).toBe("azure-active-directory-default")
-      expect(cfg.authentication.options.clientId).toBe("mi-client-id")
+      // Token is still passed as access-token regardless of client_id
+      expect(cfg.authentication.type).toBe("azure-active-directory-access-token")
+      expect(cfg.authentication.options.token).toBe("mock-azure-token-12345")
     })
 
     test("encryption forced for all Azure AD connections", async () => {
@@ -299,7 +312,7 @@ describe("SQL Server driver unit tests", () => {
       expect(cfg.options.encrypt).toBe(false)
     })
 
-    test("'CLI' shorthand maps to azure-active-directory-default", async () => {
+    test("'CLI' shorthand acquires token via DefaultAzureCredential", async () => {
       resetMocks()
       const c = await connect({
         host: "myserver.datawarehouse.fabric.microsoft.com",
@@ -308,7 +321,8 @@ describe("SQL Server driver unit tests", () => {
       })
       await c.connect()
       const cfg = mockConnectCalls[0]
-      expect(cfg.authentication.type).toBe("azure-active-directory-default")
+      expect(cfg.authentication.type).toBe("azure-active-directory-access-token")
+      expect(cfg.authentication.options.token).toBe("mock-azure-token-12345")
       expect(cfg.options.encrypt).toBe(true)
     })