feat(xtest): add exp-go-sdk using experimental TDF writer

.github/workflows/xtest.yml

@@ -27,7 +27,7 @@ on:
         required: false
         type: string
         default: all
-        description: "The SDK to focus on (go, js, java, all)"
+        description: "The SDK to focus on (go, js, java, exp-go-sdk, all)"
   workflow_call:
     inputs:
       platform-ref:
@@ -84,8 +84,8 @@ jobs:
         env:
           FOCUS_SDK_INPUT: ${{ inputs.focus-sdk }}
         run: |-
-          if [[ ! "all go java js" =~ (^|[[:space:]])${FOCUS_SDK_INPUT}($|[[:space:]]) ]]; then
-            echo "Invalid focus-sdk input: ${FOCUS_SDK_INPUT}. Must be one of: all, go, java, js." >> "$GITHUB_STEP_SUMMARY"
+          if [[ ! "all go java js exp-go-sdk" =~ (^|[[:space:]])${FOCUS_SDK_INPUT}($|[[:space:]]) ]]; then
+            echo "Invalid focus-sdk input: ${FOCUS_SDK_INPUT}. Must be one of: all, go, java, js, exp-go-sdk." >> "$GITHUB_STEP_SUMMARY"
             exit 1
           fi
       - name: Default Versions depend on context
@@ -224,7 +224,7 @@ jobs:
       fail-fast: false
       matrix:
         platform-tag: ${{ fromJSON(needs.resolve-versions.outputs.platform-tag-list) }}
-        sdk: ["go", "java", "js"]
+        sdk: ["go", "java", "js", "exp-go-sdk"]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -341,6 +341,22 @@ jobs:
           make
         working-directory: otdftests/xtest/sdk/go
 
+      ######## SETUP EXP-GO-SDK #############
+      - name: Replace exp-go-sdk go.mod packages
+        env:
+          PLATFORM_WORKING_DIR: ${{ steps.run-platform.outputs.platform-working-dir }}
+        run: |-
+          PLATFORM_DIR_ABS="$(pwd)/${PLATFORM_WORKING_DIR}"
+          cd otdftests/xtest/sdk/exp-go-sdk
+          for m in lib/fixtures lib/ocrypto protocol/go sdk; do
+            go mod edit -replace "github.com/opentdf/platform/$m=${PLATFORM_DIR_ABS}/$m"
+          done
+          go mod tidy
+
+      - name: Build exp-go-sdk
+        run: make
+        working-directory: otdftests/xtest/sdk/exp-go-sdk
+
       ####### CHECKOUT JAVA SDK ##############
 
       - name: Configure java-sdk

xtest/sdk/Makefile

@@ -1,9 +1,9 @@
 # Makefile
 
 # Targets
-.PHONY: all js go java
+.PHONY: all js go java exp-go-sdk
 
-all: js go java
+all: js go java exp-go-sdk
 	@echo "Setup all sdk clis"
 
 js:
@@ -20,3 +20,8 @@ java:
 	@echo "Building Java SDK..."
 	@cd java && make all
 	@echo "Java SDK built successfully"
+
+exp-go-sdk:
+	@echo "Building Experimental Go SDK..."
+	@cd exp-go-sdk && make all
+	@echo "Experimental Go SDK built successfully"

xtest/sdk/exp-go-sdk/Makefile

@@ -0,0 +1,15 @@
+.PHONY: all clean
+
+all: dist/main/cli.sh dist/main/exp-go-sdk
+
+dist/main/exp-go-sdk: main.go go.mod go.sum
+	mkdir -p dist/main
+	go build -o dist/main/exp-go-sdk .
+
+dist/main/cli.sh: cli.sh
+	mkdir -p dist/main
+	cp cli.sh dist/main/cli.sh
+	chmod +x dist/main/cli.sh
+
+clean:
+	rm -rf dist

xtest/sdk/exp-go-sdk/cli.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+#
+# Common shell wrapper used to interface to SDK implementation.
+#
+# Usage: ./cli.sh <encrypt | decrypt> <src-file> <dst-file> <fmt>
+#
+# Extended Utilities:
+#
+# ./cli.sh supports <feature>
+#   Check if the SDK supports a specific feature.
+#
+# Extended Configuration:
+#  XT_WITH_ECDSA_BINDING [boolean] - Use ECDSA binding for encryption
+#  XT_WITH_ECWRAP [boolean] - Use EC wrap for encryption/decryption
+#  XT_WITH_VERIFY_ASSERTIONS [boolean] - Verify assertions during decryption
+#  XT_WITH_ASSERTIONS [string] - Path to assertions file, or JSON encoded as string
+#  XT_WITH_ASSERTION_VERIFICATION_KEYS [string] - Path to assertion verification private key file
+#  XT_WITH_ATTRIBUTES [string] - Attributes to be used for encryption
+#  XT_WITH_MIME_TYPE [string] - MIME type for the encrypted file
+#
+SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+
+cmd="$SCRIPT_DIR/exp-go-sdk"
+if [ ! -f "$cmd" ]; then
+  echo "exp-go-sdk binary not found at $cmd"
+  exit 1
+fi
+
+if [ "$1" == "supports" ]; then
+  "$cmd" supports "$2"
+  exit $?
+fi
+
+XTEST_DIR="$SCRIPT_DIR"
+while [ ! -f "$XTEST_DIR/test.env" ] && [ "$(basename "$XTEST_DIR")" != "xtest" ]; do
+  XTEST_DIR=$(dirname "$XTEST_DIR")
+done
+
+if [ -f "$XTEST_DIR/test.env" ]; then
+  # shellcheck disable=SC1091
+  source "$XTEST_DIR/test.env"
+else
+  echo "test.env not found, stopping at xtest directory."
+  exit 1
+fi
+
+if [ "$4" != "ztdf" ]; then
+  echo "Unsupported container format: $4"
+  exit 2
+fi
+
+args=(
+  --output "$3"
+  --platform-endpoint "$PLATFORMURL"
+  --client-id "$CLIENTID"
+  --client-secret "$CLIENTSECRET"
+)
+
+if [ "$1" == "encrypt" ]; then
+  if [ -n "$XT_WITH_MIME_TYPE" ]; then
+    args+=(--mime-type "$XT_WITH_MIME_TYPE")
+  fi
+
+  if [ -n "$XT_WITH_ATTRIBUTES" ]; then
+    args+=(--attributes "$XT_WITH_ATTRIBUTES")
+  fi
+
+  if [ -n "$XT_WITH_ASSERTIONS" ]; then
+    args+=(--assertions "$XT_WITH_ASSERTIONS")
+  fi
+
+  if [ "$XT_WITH_ECWRAP" == "true" ]; then
+    args+=(--ecwrap)
+  fi
+
+  echo "$cmd" encrypt "${args[@]}" "$2"
+  "$cmd" encrypt "${args[@]}" "$2"
+elif [ "$1" == "decrypt" ]; then
+  if [ -n "$XT_WITH_ASSERTION_VERIFICATION_KEYS" ]; then
+    args+=(--assertion-verification-keys "$XT_WITH_ASSERTION_VERIFICATION_KEYS")
+  fi
+  if [ "$XT_WITH_VERIFY_ASSERTIONS" == 'false' ]; then
+    args+=(--no-verify-assertions)
+  fi
+  if [ -n "$XT_WITH_KAS_ALLOWLIST" ]; then
+    args+=(--kas-allowlist "$XT_WITH_KAS_ALLOWLIST")
+  fi
+  if [ "$XT_WITH_IGNORE_KAS_ALLOWLIST" == "true" ]; then
+    args+=(--ignore-kas-allowlist)
+  fi
+
+  echo "$cmd" decrypt "${args[@]}" "$2"
+  "$cmd" decrypt "${args[@]}" "$2"
+else
+  echo "Incorrect argument provided"
+  exit 1
+fi

xtest/sdk/exp-go-sdk/go.mod

@@ -0,0 +1,40 @@
+module github.com/opentdf/tests/xtest/sdk/exp-go-sdk
+
+go 1.25.0
+
+require (
+	github.com/opentdf/platform/protocol/go v0.15.0
+	github.com/opentdf/platform/sdk v0.12.0
+)
+
+require (
+	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250603165357-b52ab10f4468.1 // indirect
+	connectrpc.com/connect v1.19.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gowebpki/jcs v1.0.1 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.6 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/jwx/v2 v2.1.6 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/opentdf/platform/lib/ocrypto v0.9.0 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
+	google.golang.org/grpc v1.77.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
+)