
✨ Add URI-based repository methods to support federated architecture #75

Merged
CalebGerman merged 19 commits into main from cg/get-repository-by-uri
Jan 28, 2026

Conversation

@CalebGerman (Collaborator)

@CalebGerman CalebGerman commented Jan 22, 2026

Pull Request Summary: URI-Based Repository Methods & Federated Architecture Support

Overview

This PR adds URI-based repository methods and secure HTTP 302 redirect handling to support Bentley's federated API architecture. Client code can now seamlessly work with distributed repository services across different backend systems.

🎯 Key Features

1. URI-Based Repository Methods

Three new methods accept capability URIs directly from repository metadata:

  • getRepositoryResourcesByUri() - Retrieve multiple resources with OData support
  • getRepositoryResourceByUri() - Retrieve single resource
  • getResourceGraphicsByUri() - Retrieve graphics metadata

const repo = await client.getRepository(token, iTwinId, repositoryId);
const uri = repo.data?.repository.capabilities?.resources?.uri;

// Use URI directly - handles redirects automatically
const resources = await client.getRepositoryResourcesByUri(token, uri);

2. HTTP 302 Redirect Support

Repository resource endpoints now automatically follow redirects:

  • getRepositoryResource()
  • getRepositoryResources()
  • getResourceGraphics()
  • ✅ All URI-based methods

3. Secure Redirect Handling

Security features ensure safe credential forwarding within Bentley's trust boundary:

  • Domain Whitelisting - Only api.bentley.com and subdomains allowed
  • HTTPS Enforcement - Prevents protocol downgrade attacks
  • Authentication Forwarding - Original headers forwarded through redirect chain
  • Loop Prevention - Maximum 5 redirects per request

// ✅ Valid redirects
https://api.bentley.com → https://dev-api.bentley.com/uds

// ❌ Blocked redirects
https://api.bentley.com → https://evil.com (untrusted domain)
https://api.bentley.com → http://api.bentley.com (protocol downgrade)

🏗️ Architecture

Federated routing enables specialized services for different resource types:

Client → api.bentley.com → (302) → dev-api.bentley.com/uds → Response

All Bentley subdomains share the same trust boundary with consistent token validation.

📝 API Changes

Added abstract methods to BaseITwinsApiClient and fixed updateRepository signature to use proper Partial type.

🔒 Security

Implements OWASP best practices:

  • SSRF prevention via domain whitelist
  • Protocol downgrade protection
  • Redirect loop protection
  • 27 comprehensive security test cases

🚀 Usage

// URI-based approach (recommended)
const repo = await client.getRepository(token, iTwinId, repositoryId);
const uri = repo.data?.repository.capabilities?.resources?.uri;
const resources = await client.getRepositoryResourcesByUri(token, uri,
  { search: "Building", top: 10 }, "representation");

// ID-based approach (also supports redirects)
const resource = await client.getRepositoryResource(
  token, iTwinId, repositoryId, resourceId, "representation");

📊 Benefits

  • Developers: Simplified API, transparent routing, type safety
  • Operations: Service scalability, geographic distribution, zero-downtime migration
  • Security: Defense in depth, credential protection, OWASP compliance

✅ Summary

  • Three URI-based methods for federated architecture
  • Redirect support for repository resource endpoints
  • Comprehensive security validation (SSRF, protocol downgrade, loop prevention)
  • No breaking changes

Type: ✨ Feature | Breaking Changes: None | Security: Enhanced

- Added `getRepositoryResourcesByUri` and `getRepositoryResourceByUri` methods to support federated repository architecture.
- Updated existing methods to deprecate `getRepositoryResource` and `getRepositoryResources`, providing migration examples in documentation.
- Enhanced `RepositoryCapabilities` interface to include graphics capabilities.
- Implemented tests for new URI-based methods, including resource retrieval and graphics metadata access.
- Added backward compatibility tests to ensure deprecated methods still function correctly.
- Introduced migration pattern tests to demonstrate transitioning from deprecated to new methods.
@CalebGerman CalebGerman marked this pull request as ready for review January 26, 2026 21:58
@davidbryant222 (Collaborator) left a comment


I just had one comment. Other than that it looks good.

@CalebGerman CalebGerman enabled auto-merge (squash) January 28, 2026 21:50
@CalebGerman CalebGerman merged commit 5bff454 into main Jan 28, 2026
2 checks passed
@CalebGerman CalebGerman deleted the cg/get-repository-by-uri branch January 28, 2026 21:54
3 participants