feat: use @nodecfdi/sat-ws-descarga-masiva for SAT sync

Replace manual SOAP authentication with the official nodecfdi library
which properly handles WS-Security signatures for SAT web services.

- Add sat-client.service.ts using Fiel.create() for authentication
- Update sat.service.ts to use new client
- Update fiel.service.ts to return raw certificate data

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api/src/services/fiel.service.ts

@@ -179,22 +179,24 @@ export async function deleteFiel(tenantId: string): Promise<boolean> {
  * Solo debe usarse internamente por el servicio de SAT
  */
 export async function getDecryptedFiel(tenantId: string): Promise<{
-  credential: Credential;
+  cerContent: string;
+  keyContent: string;
+  password: string;
   rfc: string;
 } | null> {
   const fiel = await prisma.fielCredential.findUnique({
     where: { tenantId },
   });
-  
+
   if (!fiel || !fiel.isActive) {
     return null;
   }
-  
+
   // Verificar que no esté vencida
   if (new Date() > fiel.validUntil) {
     return null;
   }
-  
+
   try {
     // Desencriptar todas las credenciales juntas
     const { cerData, keyData, password } = decryptFielCredentials(
@@ -205,15 +207,10 @@ export async function getDecryptedFiel(tenantId: string): Promise<{
       Buffer.from(fiel.encryptionTag)
     );
 
-    // Crear credencial
-    const credential = Credential.create(
-      cerData.toString('binary'),
-      keyData.toString('binary'),
-      password
-    );
-    
     return {
-      credential,
+      cerContent: cerData.toString('binary'),
+      keyContent: keyData.toString('binary'),
+      password,
       rfc: fiel.rfc,
     };
   } catch (error) {