Auth requirements are per-operation, and a two-boolean "needs-auth / needs-key" model does not generalise to operations that accept several alternative schemes with different OAuth parameters. This adds a hand-constructable, scheme-agnostic auth descriptor model to sdk-core plus a deterministic resolver.

What this adds (org.dexpace.sdk.core.http.auth)

• AuthRequirement — one accepted AuthScheme paired with its own OAuth scopes/params. Where AuthMetadata flattens an operations schemes into a single shared OAuth bag, a requirement pairs each scheme with its own parameters. Immutable, private-field copy-in + Builder/newBuilder, of(scheme) convenience.
• AuthDescriptor — the per-operation ordered list of AuthRequirements in preference order. Immutable, Builder/newBuilder, of(...) / ofSchemes(...) factories, allowsAnonymous(). Records which schemes are acceptable and in what order, never how a scheme is stamped onto the wire.
• AuthDescriptorTier — the precedence tier an descriptor occupies: PER_CALL > OPERATION > CLIENT.
• AuthResolution — the resolved outcome: the chosen requirement, the tier it came from, and an isAnonymous flag.
• AuthResolutionException — tailored failure naming the required and available schemes (e.g. operation requires one of [OAUTH2, API_KEY] but no matching credential is available (have: [BASIC])).
• AuthDescriptorResolver — the precedence ladder. Two independent orders:
  1. Tier precedence: the most specific present descriptor wins outright (per-call override > operation default > client default). A supplied higher tier does not fall through to a lower one if it cannot be satisfied — an explicit per-call override fails rather than silently degrading.
  2. Requirement precedence: within the chosen descriptor, requirements are tried in declared order and the first satisfiable scheme wins. NO_AUTH is always satisfiable (anonymous access); any other scheme is satisfiable iff it is in the caller-supplied available-schemes set.

Scheme-agnostic by design

Core never inspects a concrete Credential or knows how a scheme is stamped. The caller supplies the set of schemes it can satisfy (derived from configured credentials) and maps the resolved requirement to a credential + auth step itself. Per-cloud / OAuth specifics stay in adapters. There is no code generation — these are the runtime primitives a generator would later target, fully usable by hand today.

Tests

New suites cover requirement/descriptor construction + builders + defensive copies, tier precedence (including the no-fall-through rule), requirement precedence, anonymous (NO_AUTH) handling, OAuth-parameter forwarding, and the tailored failure message.

Gated build (scoped, run locally)

./gradlew :sdk-core:test :sdk-core:ktlintCheck :sdk-core:detekt --no-daemon   # BUILD SUCCESSFUL
./gradlew :sdk-core:apiDump --no-daemon                                       # regenerated, committed
./gradlew :sdk-core:apiCheck --no-daemon                                      # BUILD SUCCESSFUL

Closes #63

Revision — consolidated onto one model

• Removed AuthMetadata. It flattened an operation's schemes into a single shared OAuth bag, was never wired into a pipeline path, and is fully superseded by AuthRequirement / AuthDescriptor (each scheme paired with its own OAuth parameters). Keeping both would have left two parallel models with no bridge. Its test is removed, and the AuthScheme KDoc and README package map now reference the descriptor model.
• AuthRequirement construction now matches AuthDescriptor — the primary constructor is private, with an of(scheme, scopes, params) factory (@JvmStatic / @JvmOverloads) alongside the Builder, so the two sibling value types share one construction pattern.
• AuthRequirement.Builder's OAuth setters defensively copy their argument, so a source collection mutated between the setter call and build() cannot leak into the built instance.

:sdk-core test / ktlintCheck / detekt / apiCheck all pass; the API snapshot is regenerated.