finTS 4.0 Support and Mock Server

[Copilot]

• Add TLS/HTTPS certificate support (fetchOptions + createTlsAgent helper in connection.ts)
• Add interactive TAN flow (TanChallenge, TanCallback, FinTS4TanRequiredError, challenge detection + auto-resolution in dialog.send())
• Improve BPD/UPD parsing (maxTransactionsPerMsg, minSignaturesBalance/Statement, fallback element names, negotiatedVersion)
• Add HBCI version negotiation (auto-retry on 9010 with 4.1 → 4.0 → 3.0 fallback, preferredHbciVersion config option, hbciVersion propagated into buildMessage)
• Add buildTanSubmitSegment to segments, export from v4/index.ts
• Add FinTS4TanRequiredError, createTlsAgent, TanChallenge, TanCallback, FinTS4TlsOptions to public exports
• Update root README.md — prominent experimental warning, FinTS 4.1 quickstart, TLS agent guide, version negotiation section
• Update packages/fints/README.md — experimental warning, FinTS 4.1 config reference, TAN callback example, FinTS4TanRequiredError usage
• All 541 tests pass, eslint clean

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c9614a8595

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Parse balance segment in FinTS4 responses

FinTS4Client.balance() relies on response.balance, but parseResponse() never extracts a Balance segment, so response.balance is always undefined and the client silently returns the hardcoded zero-balance fallback even when the bank returned real balance values. This causes incorrect financial data for every successful balance query unless downstream code bypasses FinTS4Client.balance().

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Use negotiated HBCI version in DialogInit segment

The sync retry logic negotiates hbciVersion (4.1 → 4.0 → 3.0), but buildDialogInitSegment() still hardcodes <HBCIVersion> to FINTS_VERSION (4.1). On servers that validate the version inside DialogInit, retries will keep advertising 4.1 in the segment body and fail with 9010, so version fallback cannot actually recover.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

Introduces an experimental FinTS 4.1 (XML-based) implementation alongside the existing FinTS 3.0 client, including a mock server and a negotiating client to select v3 vs v4 at runtime.

Changes:

• Added a FinTS 4.1 module (XML builder/parser, dialog/client/connection, segment builders, camt parser) plus extensive unit/integration tests.
• Added a FinTS 4.1 mock bank server + test data to enable realistic end-to-end integration testing.
• Added a NegotiatingClient and updated public exports + documentation to expose the new v4 functionality.

Reviewed changes

Copilot reviewed 35 out of 36 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
yarn.lock	Lockfile updates for dependency resolution sources.
packages/fints/src/v4/xml-parser.ts	New FinTS 4.1 XML response parsing utilities + response parsing.
packages/fints/src/v4/xml-builder.ts	New FinTS 4.1 XML message builder.
packages/fints/src/v4/types.ts	New FinTS 4.1 public types (config/response/TAN types).
packages/fints/src/v4/test-server/test-data.ts	Mock server test fixtures (bank/users/accounts/camt).
packages/fints/src/v4/test-server/mock-bank-server.ts	New FinTS 4.1 mock server implementation.
packages/fints/src/v4/test-server/index.ts	Public exports for the v4 test server.
packages/fints/src/v4/segments/index.ts	New v4 segment builders incl. TAN submit segment.
packages/fints/src/v4/index.ts	Public exports for the v4 module.
packages/fints/src/v4/dialog.ts	New v4 dialog orchestration incl. TAN callback + version negotiation.
packages/fints/src/v4/constants.ts	New v4 protocol constants (namespace/version/camt).
packages/fints/src/v4/connection.ts	New v4 HTTP connection + TLS agent helper.
packages/fints/src/v4/client.ts	New v4 read-only client (accounts/balance/statements/capabilities).
packages/fints/src/v4/camt-parser.ts	New camt.052/053 parsing for v4 statement responses.
packages/fints/src/v4/tests/test-xml-parser.ts	Unit tests for v4 XML parsing helpers + response parsing.
packages/fints/src/v4/tests/test-xml-builder.ts	Unit tests for v4 XML message builder.
packages/fints/src/v4/tests/test-segments.ts	Unit tests for v4 segment builders.
packages/fints/src/v4/tests/test-negotiating-client.ts	Tests for negotiating client behavior (v3 default / v4 creation).
packages/fints/src/v4/tests/test-negotiating-client-v4.ts	Tests for negotiating strategy + routing when v4 is used.
packages/fints/src/v4/tests/test-mock-bank-integration.ts	End-to-end integration tests against the v4 mock server.
packages/fints/src/v4/tests/test-dialog.ts	Unit tests for v4 dialog lifecycle and behavior.
packages/fints/src/v4/tests/test-connection.ts	Unit tests for v4 HTTP connection retry/timeout behavior.
packages/fints/src/v4/tests/test-client.ts	Unit tests for v4 client high-level methods.
packages/fints/src/v4/tests/test-camt-parser.ts	Unit tests for camt parsing logic.
packages/fints/src/test-server/test-data.ts	Renames/organizes v3 mock-server test constants to avoid v4 collisions.
packages/fints/src/test-server/mock-bank-server.ts	Updates v3 mock server to match renamed fixtures and reset behavior.
packages/fints/src/test-server/index.ts	Updates v3 test-server public exports after renames.
packages/fints/src/test-server/tests/test-mock-bank-v3-integration.ts	Updates v3 integration tests to renamed fixtures.
packages/fints/src/negotiating-client.ts	Adds a unified client that selects FinTS 3.0 vs 4.1 at runtime.
packages/fints/src/index.ts	Exposes v4 module + negotiating client from the main package entrypoint.
packages/fints/package.json	Bumps core library version.
packages/fints/README.md	Adds experimental v4 docs, quickstart, TAN callback, TLS guidance, negotiation notes.
packages/fints-cli/package.json	Bumps CLI version.
eslint.config.js	Adds globals required by new code/tests (e.g. globalThis/require/module).
README.md	Updates root docs with experimental v4 guide, TLS and negotiation sections.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

buildDialogInitSegment always embeds FINTS_VERSION ("4.1") in the segment body. During HBCI version negotiation (e.g. retrying with "4.0"/"3.0"), this makes the DialogInit segment inconsistent with the negotiated hbciVersion used in the MsgHead and can cause servers to reject the request. Consider passing hbciVersion into the segment builder (or removing this field if it’s redundant) so it matches the actual version in use.

[Copilot]

parserOptions.isArray does not include "Parameter", but parseReturnValues() expects multiple <Parameter> elements and calls ensureArray() on the parsed value. Without marking it as an array, fast-xml-parser may collapse multiple <Parameter> nodes, losing all but one parameter. Add "Parameter" to isArray (or switch to an ensureArray strategy that works even when the parser overwrites duplicates).

[Copilot]

FinTS4ClientConfig exposes tlsOptions, but the client currently never uses it (only fetchOptions is forwarded). This makes tlsOptions a no-op for consumers. Either remove tlsOptions from the public config or implement it by creating an agent via createTlsAgent() and wiring it into fetchOptions when running in Node.js.

[Copilot]

NegotiatingClient creates the v4 client without forwarding v4-specific options like tanCallback, fetchOptions (TLS agent), or preferredHbciVersion. Also, NegotiatingClientConfig doesn’t currently allow specifying them. If NegotiatingClient is intended to be a unified entry point, consider extending its config to include these v4 options and passing them through when constructing FinTS4Client.

[Copilot]

The README suggests passing an agent into the v3 HttpConnection/PinTanClient flow, but packages/fints/src/http-connection.ts’s ConnectionConfig doesn’t support an agent option and the fetch call doesn’t forward it. This snippet appears inaccurate; either update the v3 connection to support a custom agent or adjust the documentation to only describe agent usage for v4 (fetchOptions.agent).

Suggested change

	For FinTS 3.0 (`PinTanClient`), pass the agent the same way:
	```typescript
	import { PinTanClient, HttpConnection } from "fints-lib";
	const connection = new HttpConnection({ url: "https://...", agent });
	const client = new PinTanClient({ /* ... */ }, connection);
	```
	For now, this custom agent configuration is only documented for the FinTS 4 flow via
	`fetchOptions.agent`.
	`PinTanClient` / `HttpConnection` (FinTS 3.0) do not currently expose the same documented
	`agent` option, so the `new HttpConnection({ url: "https://...", agent })` pattern should
	not be used here.

[Copilot]

FinTS4HttpConnection logs full request/response XML when debug is enabled. That XML contains <PIN> and may contain <TAN>, which can leak credentials into logs. Consider redacting sensitive fields before logging (e.g., replace PIN/TAN element contents with "***") similar to how the v3 HttpConnection avoids logging the raw request string.

[Copilot]

createTlsAgent() is documented as throwing outside Node.js, but the current implementation will throw a generic ReferenceError: require is not defined in browser-like runtimes. Add an explicit environment check and throw a clearer error message (and/or use a safe dynamic import) so consumers get a predictable failure mode.

[Copilot]

balance() currently returns a hard-coded zeroed balance when the response doesn’t include response.balance, but parseResponse() never populates balance at all. As a result, FinTS4Client.balance() will always return zeros even when the server provides a Balance segment. Implement Balance segment parsing (either in parseResponse() or directly here using the Balance segment body) so callers get real balances.

[Copilot]

reset() clears dialogs and logs, but handleSync() mutates TEST_USERS[...].systemId. Since TEST_USERS is module-level state, not resetting it can leak state between tests and make results order-dependent. Consider resetting all TEST_USERS[*].systemId values in reset() (similar to the v3 mock server).

[Copilot]

The tanCallback docs in v4 types mention throwing TanRequiredError, but the v4 dialog throws FinTS4TanRequiredError. Update the comment to reference the correct error type so consumers know what to catch.

[larsdecker]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All review comments from both threads have been addressed in commit 3831673:

• Balance parsing — added parseBalance() helper; parseResponse() now populates response.balance when a <Balance> segment is present; FinTS4Client.balance() passes the account context so real values are returned instead of hardcoded zeros
• hbciVersion in buildDialogInitSegment — parameter added; both doSync() and init() pass this.hbciVersion so the segment body stays in sync with the MsgHead during version fallback
• "Parameter" in isArray — added to fast-xml-parser config so multiple <Parameter> siblings are never collapsed
• tlsOptions wiring — FinTS4Client constructor now auto-converts tlsOptions → createTlsAgent() → fetchOptions.agent
• createTlsAgent() environment check — explicit typeof require === "undefined" guard with a clear error message
• Debug log redaction — redactXmlCredentials() masks <PIN> and <TAN> contents before logging
• Docstrings — all three TanRequiredError references updated to FinTS4TanRequiredError
• NegotiatingClient — NegotiatingClientConfig extended with tanCallback, fetchOptions, tlsOptions, preferredHbciVersion; all forwarded to FinTS4Client
• Mock server reset() — now also clears TEST_USERS[*].systemId to prevent inter-test state leakage
• README — removed inaccurate v3 HttpConnection({ agent }) snippet; replaced with a note that custom agents are v4-only