- AuthInterceptor.kt: fix resp.code→resp.status and resp.message.request()
  compilation errors; use ThreadLocal<URL> to thread request URL into
  responseFunction for nonce caching; change private→internal so
  SDKBuilder.java can access dpopRetryInterceptor(); add dpopRetryInterceptor()
  OkHttp interceptor that caches DPoP-Nonce and retries 401 once
- TokenSource.java: wrap nonce String as new Nonce(nonce) to match
  DefaultDPoPProofFactory.createDPoPJWT signature; generalize RSAKey to
  JWK+JWSAlgorithm to support EC keys for ES256/ES384/ES512
- SDKBuilder.java: update to JWK+JWSAlgorithm, separate SRT key from DPoP
  key (EC DPoP key auto-generates RSA for SRT), wire dpopRetryInterceptor
  into OkHttpClient for KAS and all platform services; add dpopAlgorithm()
  builder method
- Add TokenSourceTest and DPoPRetryInterceptorTest (6 new tests)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>

Add DPoP configuration flags to the tdf cmdline tool (shared by encrypt
and decrypt via buildSDK()):
- --dpop[=<alg>]: enable DPoP; optional algorithm (RS256, RS384, RS512,
  ES256, ES384, ES512); defaults to RS256; generates ephemeral key
- --dpop-key <path>: use PEM-encoded private key from file; algorithm
  inferred from key type (EC or RSA); combinable with --dpop=<alg>

Both flags work for encrypt and decrypt subcommands. Help text contains
"dpop" so the grep probe matches: encrypt --help | grep -i dpop.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>

…e.INHERIT

Add scope = CommandLine.ScopeType.INHERIT to --dpop and --dpop-key so they
appear in `help encrypt` and `help decrypt` (not just the parent `tdf` help),
allowing the tests-repo cli.sh probe to pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>

Gemini review: System.exit() in Supports.run() abruptly terminates
the JVM and prevents unit testing. Switch to Callable<Integer> so
picocli handles the exit code via CommandLine.execute().

Also remove `required = true` from --client-id, --client-secret, and
--platform-endpoint so `supports dpop` can run without auth credentials
(it performs a local capability check, not a platform call).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>

… imports

Adds EC key, origin-isolated nonce, and empty-nonce guard tests to
TokenSourceTest; removes three nl.altindag.ssl imports from SDKBuilder
that were added without a corresponding pom.xml dependency.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>

… §8)

- Add test cases for Command.Supports subcommand
- Implement support for dpop_nonce_challenge feature
- Add JUnit 5 and AssertJ test dependencies to cmdline module

- Validate DPoP JWK/JWS-algorithm compatibility at TokenSource
  construction (new DpopKeyValidation helper, also used by SDKBuilder
  for EC curve→algorithm inference): RSA keys require RS*/PS*, EC keys
  must match curve to ES* (P-256↔ES256, P-384↔ES384, P-521↔ES512),
  other JWK types are rejected. Mismatches now fail fast at build time
  instead of at first proof.
- Replace the broad catch(Exception) in getToken() with specific
  catches: SDKException passes through unwrapped (no double-wrapping
  of use_dpop_nonce errors), IOException/JOSEException/ParseException/
  MalformedURLException each get a distinct, endpoint-named message.
- Reject a 200 response with no access_token as a defensive guard
  against a null token being cached and producing 'DPoP null' headers.
- Include the token endpoint URI in the use_dpop_nonce-missing-header
  warn log and promote the unknown-token-type log from trace to warn,
  since both indicate AS protocol violations.
- Cover EC→RSA SRT key separation and the inverse RSA-reuse case with
  SDKBuilderTest cases. The EC path was previously untested even
  though it's the load-bearing motivation for the JWK generalization.

Tests cover: nonce origin keying by port/scheme/default-port, parse
errors attributed to the token endpoint, three JWK/algorithm mismatch
cases, and EC↔RSA SRT signer behavior.

The --client-id/--client-secret/--platform-endpoint flags were demoted
from required=true so that 'tdf supports <feature>' (used by xtest
harnesses to probe SDK capabilities) could run without credentials.
The side effect was that 'tdf encrypt' and 'tdf decrypt' silently
passed picocli validation and failed deep inside SDKBuilder.build()
with an opaque error.

Keep the picocli annotations optional and instead enforce in buildSDK()
with picocli's ParameterException, which produces the standard
'Missing required option: ...' error + usage and exits with code 2.
'tdf supports' is unaffected since it does not call buildSDK().

Picocli's default execution handler prints only ex.getMessage(), which
is null for many failure modes (NPE, etc.). Exceptions thrown during
CommandLine construction or by picocli itself bypass that handler
entirely and would otherwise terminate the JVM silently.

Wrap main() in a top-level try/catch that calls printStackTrace() —
the first line is the exception's toString (class + message) so the
failure category is always identifiable, and the stack trace gives
diagnostic depth for bug reports.

Normal exit codes from picocli's execute() are unaffected.

If Keycloak (or any AS) returns token_type=Bearer despite the SDK sending
a DPoP proof, the prior behavior was to emit "Authorization: DPoP <bearer>"
which misuses the scheme (RFC 9449 §7.1) and is rejected by any
DPoP-enforcing resource server.

TokenSource now remembers the scheme the AS declared (DPoP vs Bearer) and
getAuthHeaders() emits a plain Bearer credential without a DPoP proof on
downgrade. AuthInterceptor only sets the DPoP request header when a proof
is present. A single WARN is logged on downgrade to flag the IdP
misconfiguration.

After 38ac01f the SDK correctly downgrades to the Bearer scheme when
the token endpoint returns token_type=Bearer, so the shared
sdkServicesSetup helper stopped sending a DPoP header and the three
tests calling it (testCreatingSDKServicesPlainText,
testPlatformPlainTextAndIDPWithSSL, testSDKServicesWithTruststore)
failed at the 'expecting DPoP header' assertion. The test intent is
the DPoP path, so make the mock token endpoint advertise DPoP.

…tform_issuer

Previously SDKBuilder.getAuthInterceptor would silently warn-and-return-null
when the well-known configuration omitted platform_issuer, which also
disabled the dpopRetryInterceptor (gated on authInterceptor != null).
A caller who explicitly opted into DPoP via dpopKey()/dpopAlgorithm() would
then watch every request silently downgrade to no-auth and 401 from a
DPoP-enforcing resource server with no client-side breadcrumb.

Now the explicit-DPoP case throws SDKException with a message naming both
DPoP and platform_issuer. The pre-existing no-auth fallback (no DPoP key
configured) still warn-and-returns-null.

The two SRT-derivation tests that relied on the silent fallback path are
updated to mock a real OIDC endpoint, since 'dpopKey set + no token endpoint'
is no longer a supported configuration.

Previously Command.applyDPoPOptions caught Exception and wrapped everything
as 'Failed to configure DPoP: <message>', collapsing file-not-found, malformed
PEM, unsupported algorithm, and key generation failures into one opaque
RuntimeException. A public-key-only PEM was accepted without complaint and
only failed deep inside proof generation. A --dpop-key with --dpop=<alg>
mismatch was deferred to TokenSource construction.

Refactor:
- New CliDpopOptions static helper owns parse + validate + private-key check.
  Returns DpopMaterial (jwk + alg) or Optional.empty(); throws
  IllegalArgumentException with user-actionable messages.
- applyDPoPOptions delegates to the helper and wraps IAE as
  CommandLine.ParameterException so picocli exits with USAGE (2) instead of
  a generic stack trace.
- Promote DpopKeyValidation to public so cmdline can reuse the validation
  rules instead of duplicating them.

Latent bug fixed: bcpkix-jdk18on was only test-scoped via the sdk module,
so the production CLI's JWK.parseFromPEMEncodedObjects call for --dpop-key
would have thrown NoClassDefFoundError. Adding it as a cmdline runtime
dependency.

Tests:
- New CliDpopOptionsTest (16 cases): all six supported algorithms,
  default RS256, unsupported algorithm, missing/malformed/public-only PEM,
  RSA vs EC PEM acceptance and alg inference, RSA-key + ES256 mismatch.
- Two new end-to-end CommandTest cases covering the unsupported-algorithm
  and missing-key-file ParameterException paths through CommandLine.execute.