Add OAuth client_credentials support for terminology server authentication#1270

Open
dionmcm wants to merge 4 commits into HL7:master from dionmcm:feature/oauth-client-credentials

Conversation


@dionmcm dionmcm commented Mar 13, 2026

Purpose

The IG Publisher currently only supports authentication with terminology servers via a static OAuth token passed into the process. Users whose security policies enforce short token expiry (e.g. 30 minutes) find that the token expires before the publisher finishes, causing build failures. This PR addresses that by allowing configuration of the OAuth 2.0 client_credentials flow directly, so the publisher can automatically acquire and refresh tokens as needed.

Depends on hapifhir/org.hl7.fhir.core#2348 in org.hl7.fhir.core, which the IG Publisher uses to perform FHIR operations on the terminology server.

Summary

  • Adds CLI parameters (-tx-client-id, -tx-client-secret, -tx-token-endpoint) to authenticate with FHIR terminology servers using OAuth 2.0 client_credentials grant
  • Includes input validation (missing params, whitespace-only values, flag-as-value detection, URL syntax/scheme checks) with clear error messages
  • Normalizes TX server URL via makeSecureRef() and supports -devtx fallback when -tx is absent
  • Updates removePassword() in both Publisher and PublicationProcess to mask -tx-client-secret values in log output

Test plan

  • 14 integration tests covering: CLI arg parsing, full end-to-end token acquisition flow with MockWebServer, password masking, missing/blank/whitespace param validation, flag-as-value detection, no-op when OAuth args absent, default/devtx TX fallback, malformed URL rejection, non-HTTP scheme rejection
  • Manual: run publisher with -tx-client-id, -tx-client-secret, -tx-token-endpoint against an OAuth-protected TX server
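The three pieces the summary above describes (flag validation, masking of -tx-client-secret in logs, and acquiring a fresh token before the current one expires) sketched as one runnable Python example. This is an added example, not code from this PR or from the IG Publisher, whose implementation is in Java; parse_flags, validate_oauth_args, mask_secret and ClientCredentialsTokenSource are hypothetical names, the token endpoint is replaced by a constructed in-memory stand-in, and the flag names are the ones the PR adds.

```python
"""Added example (not the IG Publisher's code): validation, log masking and
expiry-aware refresh for OAuth 2.0 client_credentials settings given as CLI
flags. Flag names come from the PR; all function/class names are hypothetical."""
import base64
import time
from typing import Callable, Optional
from urllib.parse import urlsplit

OAUTH_FLAGS = ("-tx-client-id", "-tx-client-secret", "-tx-token-endpoint")
MASK = "********"


def parse_flags(argv: list) -> dict:
    """Collect flag/value pairs. A flag followed by another flag (or by nothing)
    is recorded with value None so that flag-as-value can be reported."""
    out, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if nxt is not None and not nxt.startswith("-"):
                out[tok] = nxt
                i += 2
                continue
            out[tok] = None
        i += 1
    return out


def validate_oauth_args(args: dict) -> list:
    """Return error messages; an empty list means the OAuth config is usable.
    No OAuth flags at all is a valid no-op (static-token or anonymous mode)."""
    if not any(f in args for f in OAUTH_FLAGS):
        return []
    errors = []
    for flag in OAUTH_FLAGS:
        if flag not in args:
            errors.append(f"{flag} is required when any OAuth flag is given")
        elif args[flag] is None:
            errors.append(f"{flag} has no value (next token was another flag)")
        elif not args[flag].strip():
            errors.append(f"{flag} must not be blank")
    endpoint = args.get("-tx-token-endpoint")
    if endpoint and endpoint.strip():
        try:
            parts = urlsplit(endpoint)
            ok = parts.scheme in ("http", "https") and bool(parts.netloc)
        except ValueError:
            ok = False
        if not ok:
            errors.append("-tx-token-endpoint must be an absolute http(s) URL")
    return errors


def mask_secret(argv: list) -> str:
    """Log-safe rendering of the command line (the role of removePassword())."""
    out, hide = [], False
    for tok in argv:
        out.append(MASK if hide and not tok.startswith("-") else tok)
        hide = tok == "-tx-client-secret"
    return " ".join(out)


class ClientCredentialsTokenSource:
    """Caches an access token and re-requests it shortly before expiry, so a
    long build survives a short token lifetime (the PR's 30 minute case)."""

    def __init__(self, client_id: str, client_secret: str, token_endpoint: str,
                 post: Callable, clock: Callable = time.monotonic, skew: float = 60.0):
        self._basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._endpoint, self._post, self._clock, self._skew = token_endpoint, post, clock, skew
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.requests = 0  # how many times the token endpoint was called

    def token(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._token

    def _refresh(self) -> None:
        # post(url, headers, form) -> decoded JSON body; real code would use HTTP here.
        body = self._post(self._endpoint,
                          {"Authorization": "Basic " + self._basic,
                           "Content-Type": "application/x-www-form-urlencoded"},
                          {"grant_type": "client_credentials"})
        self._token = body["access_token"]
        self._expires_at = self._clock() + float(body.get("expires_in", 0))
        self.requests += 1


def demo() -> tuple:
    """Constructed scenario: 3 hour build, one TX call every 5 minutes, tokens
    valid for 1800 s. Returns (token requests made, TX calls made)."""
    now, issued = [0.0], [0]

    def fake_post(url, headers, form):  # constructed stand-in for the token endpoint
        assert headers["Authorization"].startswith("Basic ") and form["grant_type"] == "client_credentials"
        issued[0] += 1
        return {"access_token": f"tok{issued[0]}", "token_type": "Bearer", "expires_in": 1800}

    src = ClientCredentialsTokenSource("ig-publisher", "s3cr3t", "https://auth.example/token",
                                       fake_post, clock=lambda: now[0])
    calls = 0
    while now[0] < 3 * 3600:
        src.token()
        calls += 1
        now[0] += 300
    return src.requests, calls
```

The refresh check uses a skew so the token is renewed before the server would reject it mid-request, and the whole-or-nothing rule in validate_oauth_args keeps a half-configured invocation from silently falling back to an unauthenticated run.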

@grahamegrieve (Contributor)

I don't understand why these are added as CLI parameters? And what's the point of -devtx?

@dionmcm (Author) commented Mar 13, 2026

I don't understand why these are added as CLI parameters?

In part for consistency, because the IG Publisher is already configured via CLI params like -tx, but I can't imagine many people running the publisher manually will want to specify the client credentials and token URL on the command line over the config file.

But the IG Publisher is often run from CI pipelines and CLI params make it easy to inject credentials from pipeline secrets without touching config files. So this is the main use case.

And what's the point of -devtx?
Good point.

I did it just out of an attempt at consistency; I was trying to ensure any possible URL was associated with the credentials because the TX URL can come from a few places. But realistically the -devtx is a static URL which is always open, so I removed that.

@dotasek (Collaborator) left a comment

This PR requires changes included in hapifhir/org.hl7.fhir.core#2348

However, that PR is not in a mergeable state. Until that is resolved, this PR can't be approved either.
