feat(kas)!: ConnectRPC transport + well-known discovery (CWT)

.github/workflows/swift.yaml

@@ -29,7 +29,8 @@ jobs:
         run: brew install swiftformat
 
       - name: Run SwiftFormat
-        run: swiftformat --swiftversion 6.2 . --lint
+        # Rules and Swift version are pinned in the repo's .swiftformat config.
+        run: swiftformat --lint .
 
 #      - name: Run SwiftLint
 #        run: swiftlint --strict

.swiftformat

@@ -0,0 +1,14 @@
+# SwiftFormat configuration for OpenTDFKit
+# Pinned so `swiftformat .` and the CI lint check agree.
+
+# Match the package's declared language version (Package.swift: swift-tools-version:6.2).
+--swiftversion 6.2
+
+# Force-unwraps in tests/benchmarks are intentional here: a nil in a test is a
+# legitimate, immediate failure. The autocorrect for this rule rewrites `!` to
+# `try XCTUnwrap(...)`, which breaks compilation in non-throwing benchmark
+# functions, so the rule is disabled rather than auto-applied.
+--disable noForceUnwrapInTests
+
+# Never touch build artifacts.
+--exclude .build

CLAUDE.md

@@ -213,7 +213,9 @@ OpenTDFKit is composed of several key components that work together to implement
 
 - **PublicKeyStore**: Manages only public keys for sharing with peers. Allows secure distribution of one-time use TDF keys.
 
-- **KASRewrapClient**: Client for interacting with KAS rewrap endpoints. Implements JWT signing (ES256), PEM parsing, and key unwrapping protocols. Supports both NanoTDF (EC key wrapping) and TDF (Archive Envelope) (RSA key wrapping) rewrap requests. Designed with protocol-based architecture for testability.
+- **KASRewrapClient**: Client for interacting with KAS rewrap endpoints. Implements JWT signing (ES256), PEM parsing, and key unwrapping protocols. Supports both NanoTDF (EC key wrapping) and TDF (Archive Envelope) (RSA key wrapping) rewrap requests. Designed with protocol-based architecture for testability. Resolves transport endpoints from an `OpenTDFConfiguration` (well-known discovery via `fetchWellKnown`, or `OpenTDFConfiguration.forKasConnect`), preferring ConnectRPC `/kas.AccessService/*` and falling back to legacy REST `/kas/v2/*`; the rewrap client follows no redirects and parses Connect error envelopes. Bearer tokens are opaque (a JWT or a base64url-encoded CWT — the platform decides validation).
+
+- **KASDiscovery**: ConnectRPC/well-known discovery support. Provides `OpenTDFConfiguration`/`KasConfig`/`IdpConfig` Codable types, `KasEndpoints` resolution (Connect-preferred, REST-fallback) with HTTPS/SSRF URL validation, Connect error-envelope parsing, and `fetchWellKnown` for `/.well-known/opentdf-configuration`.
 
 ### TDF (Archive Envelope) Components
 

OpenTDFKit/BinaryParser.swift

@@ -359,8 +359,7 @@ public class BinaryParser {
         else {
             throw ParsingError.invalidPayload("Failed to read ciphertext or payload MAC")
         }
-        let payload = Payload(length: length, iv: iv, ciphertext: ciphertext, mac: payloadMAC)
-        return payload
+        return Payload(length: length, iv: iv, ciphertext: ciphertext, mac: payloadMAC)
     }
 
     public func parseSignature(config: SignatureAndPayloadConfig) throws -> Signature? {
@@ -394,7 +393,7 @@ public class BinaryParser {
     }
 }
 
-// see https://github.com/opentdf/spec/tree/main/schema/nanotdf
+/// see https://github.com/opentdf/spec/tree/main/schema/nanotdf
 enum FieldSize {
     static let magicNumberSize = 2
     static let versionSize = 1

OpenTDFKit/CryptoHelper.swift

@@ -130,8 +130,8 @@ public actor CryptoHelper {
         publicKey.compressedRepresentation
     }
 
-    // Note: `activeSessions` is declared but not currently used in the provided methods.
-    // It might be intended for future stateful operations.
+    /// Note: `activeSessions` is declared but not currently used in the provided methods.
+    /// It might be intended for future stateful operations.
     private var activeSessions: [String: EphemeralKeyPair] = [:]
 
     /// Generates a new ephemeral key pair for the specified elliptic curve.