fix(security): per-instance HttpTransport + tightened auth guard [APS-19019]

Two related leaks in BrowserStackClient:

1. setProxy() reassigned a static HTTP_TRANSPORT field, leaking
   proxy state across every BrowserStackClient/AutomateClient in
   the same JVM. Move HTTP_TRANSPORT to an instance field
   (httpTransport) and update newRequestFactory() (no longer
   static) and setProxy() to use it. No other readers of
   HTTP_TRANSPORT existed in the repo (verified via search_code).

2. checkAuthState() guarded with `accessKey == null && username == null`
   — only fired when both creds were missing, so a half-configured
   client would proceed and emit a malformed Basic auth header.
   Switch to `||` (either-null is an error) and tighten the
   exception message.

Tests:
- BrowserStackClientProxyIsolationTest verifies cross-instance
  isolation via reflection: setProxy on client A must not change
  client B's httpTransport.
- AutomateClientSecurityTest (added in APS-19018 commit) covers
  checkAuthState: throws when username null, throws when accessKey
  null, passes when both present.

BREAKING CHANGE for consumers relying on undocumented behavior:
anyone whose code called setProxy on one client and expected it
to apply to other clients in the same JVM must now call setProxy
on each client individually.

Resolves: APS-19019

Author: Jimesh-browserstack

src/main/java/com/browserstack/client/BrowserStackClient.java

@@ -69,7 +69,7 @@ public Object parseAndClose(Reader reader, Type type) throws IOException {
             throw new IOException("Unsupported operation");
         }
     };
-    private static HttpTransport HTTP_TRANSPORT = new ApacheHttpTransport();
+    private HttpTransport httpTransport = new ApacheHttpTransport();
     protected final BrowserStackCache<String, Object> cacheMap;
 
     private HttpRequestFactory requestFactory;
@@ -105,8 +105,8 @@ public BrowserStackClient(String baseUrl, String username, String accessKey) {
         this.accessKey = accessKey.trim();
     }
 
-    static HttpRequestFactory newRequestFactory() {
-        return HTTP_TRANSPORT.createRequestFactory(httpRequest -> httpRequest.setParser(OBJECT_PARSER));
+    HttpRequestFactory newRequestFactory() {
+        return httpTransport.createRequestFactory(httpRequest -> httpRequest.setParser(OBJECT_PARSER));
     }
 
     static HttpRequest newRequest(final HttpRequestFactory requestFactory, final Method method, final GenericUrl url) throws BrowserStackException {
@@ -174,7 +174,7 @@ public void setProxy(final String proxyHost, final int proxyPort, final String p
         }
 
         final HttpClient client = clientBuilder.build();
-        HTTP_TRANSPORT = new ApacheHttpTransport(client);
+        this.httpTransport = new ApacheHttpTransport(client);
         this.requestFactory = newRequestFactory();
     }
 
@@ -187,8 +187,8 @@ protected synchronized void setAccessKey(final String accessKey) {
     }
 
     private void checkAuthState() {
-        if (this.accessKey == null && this.username == null) {
-            throw new IllegalStateException("Missing API credentials");
+        if (this.accessKey == null || this.username == null) {
+            throw new IllegalStateException("Missing API credentials (username or access key is null)");
         }
     }
 

src/test/java/com/browserstack/client/BrowserStackClientProxyIsolationTest.java

@@ -0,0 +1,64 @@
+package com.browserstack.client;
+
+import com.browserstack.automate.AutomateClient;
+import com.google.api.client.http.HttpTransport;
+import org.junit.Test;
+
+import java.lang.reflect.Field;
+
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNotSame;
+import static org.junit.Assert.assertSame;
+
+/**
+ * APS-19019: setProxy must mutate per-instance state only.
+ *
+ * <p>Before this fix, {@code setProxy} reassigned a JVM-wide {@code static HTTP_TRANSPORT}
+ * field — meaning a proxy configured on one client leaked to every other client in
+ * the same process (and the only-process-wide reset persisted across requests on
+ * unrelated tenants). The fix moves the field to an instance variable {@code httpTransport}.
+ *
+ * <p>This test verifies cross-instance isolation by snapshotting both clients'
+ * {@code httpTransport} references before and after a proxy is configured on one of them.
+ */
+public class BrowserStackClientProxyIsolationTest {
+
+    private static HttpTransport getHttpTransport(BrowserStackClient client) throws Exception {
+        Field f = BrowserStackClient.class.getDeclaredField("httpTransport");
+        f.setAccessible(true);
+        return (HttpTransport) f.get(client);
+    }
+
+    @Test
+    public void setProxy_isInstanceScoped_doesNotLeakAcrossClients() throws Exception {
+        AutomateClient clientA = new AutomateClient("user_a", "key_a");
+        AutomateClient clientB = new AutomateClient("user_b", "key_b");
+
+        HttpTransport beforeA = getHttpTransport(clientA);
+        HttpTransport beforeB = getHttpTransport(clientB);
+        assertNotNull("clientA must have a transport before setProxy", beforeA);
+        assertNotNull("clientB must have a transport before setProxy", beforeB);
+
+        // Configure a proxy on clientA only.
+        clientA.setProxy("proxy.example.invalid", 3128, null, null);
+
+        HttpTransport afterA = getHttpTransport(clientA);
+        HttpTransport afterB = getHttpTransport(clientB);
+
+        // clientA's transport should have been replaced.
+        assertNotSame(
+                "clientA.httpTransport must be replaced after setProxy",
+                beforeA, afterA);
+
+        // clientB's transport must NOT have changed.
+        assertSame(
+                "clientB.httpTransport must NOT change when setProxy is called on clientA "
+                        + "(was the static-field cross-instance leak — see APS-19019)",
+                beforeB, afterB);
+
+        // And clientA's new transport must not equal clientB's transport.
+        assertNotSame(
+                "clientA and clientB must have distinct transports after setProxy on A",
+                afterA, afterB);
+    }
+}