From dfd4463409da4493a10d60126f0b08ad745c29b5 Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Fri, 13 Feb 2026 11:19:13 -0500
Subject: [PATCH 1/4] chore(xtest): Enable key_management tests and ec-wrapped on java and web sdks
---
 xtest/sdk/java/cli.sh | 5 +++++
 xtest/sdk/js/cli.sh | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/xtest/sdk/java/cli.sh b/xtest/sdk/java/cli.sh
index 0153932a..f2b264b6 100755
--- a/xtest/sdk/java/cli.sh
+++ b/xtest/sdk/java/cli.sh
@@ -51,6 +51,11 @@ if [ "$1" == "supports" ]; then
 java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt | grep kas-allowlist
 exit $?
 ;;
+ key_management)
+ # Advanced key management from SDK version >= 0.10.0
+ java -jar "$SCRIPT_DIR"/cmdline.jar --version | jq -re .version | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 >= 10)) exit 0; else exit 1; }'
+ exit $?
+ ;;
 ecwrap)
 if java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep encap-key; then
 # versions 0.7.6 and earlier used an older value for EC HKDF salt; check for 0.7.7 or later
diff --git a/xtest/sdk/js/cli.sh b/xtest/sdk/js/cli.sh
index ffe6f915..49fa90b5 100755
--- a/xtest/sdk/js/cli.sh
+++ b/xtest/sdk/js/cli.sh
@@ -51,7 +51,7 @@ if [ "$1" == "supports" ]; then
 ecwrap)
 if npx $CTL help | grep encapKeyType; then
 # Claims to support ecwrap, but maybe with old salt? Look up version
- npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 2) exit 0; else exit 1; }'
+ npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 4)) exit 0; else exit 1; }'
 exit $?
 else
 echo "ecwrap not supported"
@@ -67,6 +67,11 @@ if [ "$1" == "supports" ]; then
 npx $CTL help | grep tdfSpecVersion
 exit $?
 ;;
+ key_management)
+ # Advanced key management from SDK version >= 0.8.0
+ npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 7)) exit 0; else exit 1; }'
+ exit $?
+ ;;
 obligations)
 # Obligations support from SDK version >= 0.6.0
 set -o pipefail
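Review bot: The awk program in the new `key_management)` case of xtest/sdk/java/cli.sh has no `END` rule, so when `--version | jq -re .version` produces no output awk reads zero records and exits 0, and `exit $?` then reports the feature as supported. Letting awk fail closed keeps the probe correct whatever pipeline options the shell has set: `awk -F. '{ ok = ($1 > 0 || ($1 == 0 && $2 >= 10)) } END { exit !ok }'`. The `key_management)` and `ecwrap)` cases in xtest/sdk/js/cli.sh use the same awk shape and would take the same change. The enclosing `case` statement starts and ends outside the hunk.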
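Review bot: The comment above the changed awk line in the `ecwrap)` case of xtest/sdk/js/cli.sh still says only "Look up version", while the gate moves from a major version above 2 to 0.5.0 or later, so a reader cannot tell which release the salt check is pinned to. The Java script states its bound ("check for 0.7.7 or later"); the equivalent here would be `# older releases may use the previous EC HKDF salt; require @opentdf/sdk 0.5.0 or later`. The hunk does not show which release changed the salt, so the 0.5.0 bound is worth confirming, since a bound that is too low would presumably let the ecwrap tests run against an SDK whose wrapped keys the other SDKs cannot unwrap.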
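Review bot: The comment in the new `key_management)` case of xtest/sdk/js/cli.sh says `>= 0.8.0` but the condition is written `$2 > 7`, whereas the Java script's equivalent check uses `$2 >= 10` next to a `>= 0.10.0` comment. Writing it as `($1 == 0 && $2 >= 8)` makes the bound readable straight from the comment and keeps the two scripts in the same form. The case sits inside a `case` statement that continues outside the hunk.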
From ce2ea466adc7af07040dc12ef8c0e821b2d5cd0b Mon Sep 17 00:00:00 2001 From: David Mihalcik Date: Fri, 13 Feb 2026 11:23:38 -0500 Subject: [PATCH 2/4] pipefila --- xtest/sdk/java/cli.sh | 6 ++++++ xtest/sdk/js/cli.sh | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/xtest/sdk/java/cli.sh b/xtest/sdk/java/cli.sh index f2b264b6..ff2bf268 100755 --- a/xtest/sdk/java/cli.sh +++ b/xtest/sdk/java/cli.sh @@ -40,23 +40,28 @@ if [ "$1" == "supports" ]; then exit 0 ;; assertions) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep with-assertions exit $? ;; assertion_verification) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt | grep with-assertion-verification-keys exit $? ;; kasallowlist) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt | grep kas-allowlist exit $? ;; key_management) # Advanced key management from SDK version >= 0.10.0 + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar --version | jq -re .version | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 >= 10)) exit 0; else exit 1; }' exit $? ;; ecwrap) + set -o pipefail if java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep encap-key; then # versions 0.7.6 and earlier used an older value for EC HKDF salt; check for 0.7.7 or later java -jar "$SCRIPT_DIR"/cmdline.jar --version | jq -re .version | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 7) || ($1 == 0 && $2 == 7 && $3 >= 7)) exit 0; else exit 1; }' @@ -74,6 +79,7 @@ if [ "$1" == "supports" ]; then ;; hexaflexible) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep with-target-mode exit $? ;; diff --git a/xtest/sdk/js/cli.sh b/xtest/sdk/js/cli.sh index 49fa90b5..e23faa20 100755 --- a/xtest/sdk/js/cli.sh +++ b/xtest/sdk/js/cli.sh 
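Review bot: With `set -o pipefail` added to the `assertions)`, `assertion_verification)`, `kasallowlist)` and `hexaflexible)` cases, the exit status of `java -jar "$SCRIPT_DIR"/cmdline.jar help ...` now decides the probe result as well as grep's, so a help command that prints usage but exits non-zero would report the feature as unsupported and the matching tests would be skipped without any failure. The hunks do not show what status `help encrypt` and `help decrypt` return; if 0 is not guaranteed, capture the text first with `usage=$(java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt)` and test it with `printf '%s\n' "$usage" | grep kas-allowlist`. The same applies to the `npx $CTL help | grep ...` probes in xtest/sdk/js/cli.sh. The `case` statement begins before the first hunk and ends after the second.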
@@ -33,22 +33,27 @@ if [ "$1" == "supports" ]; then fi case "$2" in assertions) + set -o pipefail npx $CTL help | grep assertions exit $? ;; assertion_verification) + set -o pipefail npx $CTL help | grep assertionVerificationKeys exit $? ;; autoconfigure | ns_grants) + set -o pipefail npx $CTL help | grep autoconfigure exit $? ;; kasallowlist) + set -o pipefail npx $CTL help | grep 'from "/key-access-servers" endpoint' exit $? ;; ecwrap) + set -o pipefail if npx $CTL help | grep encapKeyType; then # Claims to support ecwrap, but maybe with old salt? Look up version npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 4)) exit 0; else exit 1; }' @@ -64,11 +69,13 @@ if [ "$1" == "supports" ]; then exit $? ;; hexaflexible) + set -o pipefail npx $CTL help | grep tdfSpecVersion exit $? ;; key_management) # Advanced key management from SDK version >= 0.8.0 + set -o pipefail npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 7)) exit 0; else exit 1; }' exit $? ;; From d914f9b8d25ee23ee822b52d6b7a926fa4c76b1a Mon Sep 17 00:00:00 2001 From: David Mihalcik Date: Fri, 13 Feb 2026 17:02:32 -0500 Subject: [PATCH 3/4] Update test_abac.py --- xtest/test_abac.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/xtest/test_abac.py b/xtest/test_abac.py index eae3b377..871cf05b 100644 --- a/xtest/test_abac.py +++ b/xtest/test_abac.py @@ -31,6 +31,13 @@ def skip_dspx1153(encrypt_sdk: tdfs.SDK, decrypt_sdk: tdfs.SDK): pytest.skip("dspx1153 fails with this SDK version combination") +def skip_dspx2457(encrypt_sdk: tdfs.SDK): + if encrypt_sdk == "java": + pytest.skip( + "DSPX-2457 Java SDK unable to handle KAS grants with different types" + ) + + def assert_decrypt_fails_with_patterns( decrypt_sdk: tdfs.SDK, ct_file: Path, 
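Review bot: `set -o pipefail` is repeated in each case of xtest/sdk/js/cli.sh (seven times across the two hunks here), which makes it easy to add a new probe without it. Since `case "$2" in` is visible at the top of the first hunk and every case shown ends in `exit $?`, a single `set -o pipefail` placed on the line before `case "$2" in` would cover all of them. Cases outside these hunks are not visible, so confirm none of them relies on the default pipeline status before hoisting it; the Java script could take the same form.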
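Review bot: `skip_dspx2457` skips for every Java SDK version and has no docstring, so the two key-management tests that call it will keep skipping Java encryption after DSPX-2457 is fixed and nothing in the suite will flag that. A docstring such as `"""Skip when encrypting with the Java SDK until DSPX-2457 (KAS grants of different types) is resolved."""` records the intent. Once the fixing release is known, the condition should also be bounded by SDK version, in the way the `supports` probes in cli.sh gate on version. Only the helper is visible in this hunk; its call sites are in the later hunks of the same patch.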
@@ -71,6 +78,7 @@ def test_key_mapping_multiple_mechanisms( global counter tdfs.skip_if_unsupported(encrypt_sdk, "key_management") + skip_dspx2457(encrypt_sdk) skip_dspx1153(encrypt_sdk, decrypt_sdk) if not in_focus & {encrypt_sdk, decrypt_sdk}: pytest.skip("Not in focus") @@ -815,6 +823,7 @@ def test_autoconfigure_key_management_two_kas_two_keys( pytest.skip("Not in focus") tdfs.skip_if_unsupported(encrypt_sdk, "key_management") tdfs.skip_if_unsupported(encrypt_sdk, "autoconfigure") + skip_dspx2457(encrypt_sdk) pfs = tdfs.PlatformFeatureSet() tdfs.skip_connectrpc_skew(encrypt_sdk, decrypt_sdk, pfs) tdfs.skip_hexless_skew(encrypt_sdk, decrypt_sdk) From 0fcfb4127242e28a987225a7035f0f98f4f35cb7 Mon Sep 17 00:00:00 2001 From: David Mihalcik Date: Sat, 14 Feb 2026 14:46:08 -0500 Subject: [PATCH 4/4] Update test_abac.py --- xtest/test_abac.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xtest/test_abac.py b/xtest/test_abac.py index 871cf05b..39e4ce0f 100644 --- a/xtest/test_abac.py +++ b/xtest/test_abac.py @@ -32,7 +32,7 @@ def skip_dspx1153(encrypt_sdk: tdfs.SDK, decrypt_sdk: tdfs.SDK): def skip_dspx2457(encrypt_sdk: tdfs.SDK): - if encrypt_sdk == "java": + if encrypt_sdk.sdk == "java": pytest.skip( "DSPX-2457 Java SDK unable to handle KAS grants with different types" )