Add Post-Quantum TLS (PQTLS) support #318

Open
vedant-jaiswal wants to merge 5 commits into aws:v2 from vedant-jaiswal:pqtls-support

@vedant-jaiswal vedant-jaiswal commented Mar 12, 2026

Description

Why is this change being made?

  1. Enable Post-Quantum TLS (PQTLS) support for AWS Secrets Manager JDBC connections
  2. Allow users to opt-in to PQTLS for future-proof database connections

What is changing?

  1. Added aws-crt-client dependency for PQTLS support
  2. Implemented getBooleanPropertyWithDefault() method in Config class
  3. Enhanced JDBCSecretCacheBuilderProvider to enable PQTLS via drivers.postQuantumTlsEnabled=true
  4. Added 8 new tests covering PQTLS scenarios and integrations
  5. Updated README.md with PQTLS configuration documentation
  6. PQTLS disabled by default for backward compatibility

Related Links

  • Issue #, if available:

Testing

How was this tested?

  1. Added 4 new test methods in ConfigTest.java for getBooleanPropertyWithDefault() covering: property set to true, property set to false, property not set (default), and invalid property value
  2. Added 4 new test methods in JDBCSecretCacheBuilderProviderTest.java for PQTLS covering: enabled via config, disabled by default, with region configuration, and with VPC endpoint configuration
  3. All new and existing tests pass with zero failures

When testing locally, provide testing artifact(s):

  1. Build output: mvn clean install -> Tests run: 141, Failures: 0, Errors: 0, Skipped: 0

Reviewee Checklist

Update the checklist after submitting the PR

  • I have reviewed, tested and understand all changes
    If not, why:
  • I have filled out the Description and Testing sections above
    If not, why:
  • Build and Unit tests are passing
    If not, why:
  • Unit test coverage check is passing
    If not, why:
  • I have ensured no sensitive information is leaking (i.e., no logging of sensitive fields, or otherwise)
    If not, why:
  • I have added explanatory comments for complex logic, new classes/methods and new tests
    If not, why:
  • I have updated README/documentation (if needed)
    If not, why:
  • I have clearly called out breaking changes (if any)
    If not, why:

Reviewer Checklist

All reviewers please ensure the following are true before reviewing:

  • Reviewee checklist has been accurately filled out
  • Code changes align with stated purpose in description
  • Test coverage adequately validates the changes

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
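
The opt-in in the description above, as an added example that is not code from this PR or the project: the property name `drivers.postQuantumTlsEnabled` comes from the description, while `PqTlsClientExample`, `strictBoolean` and `build` are hypothetical names. It assumes aws-crt-client may be declared optional, and it rejects an unparseable value or a missing CRT instead of silently building a client without PQTLS; how the PR's own `getBooleanPropertyWithDefault()` treats invalid values is not shown on this page.

```java
import java.util.Properties;
import software.amazon.awssdk.http.crt.AwsCrtHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClientBuilder;

// Added illustration: class and method names are hypothetical, not the PR's code.
public final class PqTlsClientExample {
    static final String PQTLS_PROPERTY = "drivers.postQuantumTlsEnabled"; // from the PR description

    // Strict parse: Boolean.parseBoolean would silently turn "yes" or "ture" into false.
    static boolean strictBoolean(Properties props, String key, boolean defaultValue) {
        String raw = props.getProperty(key);
        if (raw == null) {
            return defaultValue;
        }
        String value = raw.trim();
        if (value.equalsIgnoreCase("true")) {
            return true;
        }
        if (value.equalsIgnoreCase("false")) {
            return false;
        }
        throw new IllegalArgumentException(key + " must be true or false, got: " + raw);
    }

    static SecretsManagerClient build(Properties props, Region region) {
        SecretsManagerClientBuilder builder = SecretsManagerClient.builder().region(region);
        if (strictBoolean(props, PQTLS_PROPERTY, false)) {
            try {
                // Passing the builder lets the SDK own and close the CRT HTTP client.
                builder.httpClientBuilder(AwsCrtHttpClient.builder().postQuantumTlsEnabled(true));
            } catch (NoClassDefFoundError e) {
                // Assumes aws-crt-client is declared optional: fail closed rather than
                // fall back to the default HTTP client without PQTLS.
                throw new IllegalStateException(
                        PQTLS_PROPERTY + "=true requires aws-crt-client on the classpath", e);
            }
        }
        return builder.build();
    }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample configuration
        props.setProperty(PQTLS_PROPERTY, "true");
        try (SecretsManagerClient client = build(props, Region.US_EAST_1)) {
            System.out.println("built client for " + client.serviceName());
        }
    }
}
```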

@vedant-jaiswal vedant-jaiswal requested a review from a team as a code owner March 12, 2026 18:26

codecov bot commented Mar 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.71%. Comparing base (16539a8) to head (f9134d9).

Additional details and impacted files
@@             Coverage Diff              @@
##                 v2     #318      +/-   ##
============================================
+ Coverage     82.24%   82.71%   +0.47%     
- Complexity      143      148       +5     
============================================
  Files            12       12              
  Lines           366      376      +10     
  Branches         45       48       +3     
============================================
+ Hits            301      311      +10     
  Misses           58       58              
  Partials          7        7              

@harsheejshah harsheejshah left a comment

for the aws-crt-client dependency, consider making it since CRT natives add significant size for users who don't enable PQTLS, and strengthen the PQTLS tests to actually verify the CRT HTTP client is configured rather than just assertNotNull. Also please squash commits before merge.

@simonmarty
Contributor

Make sure to complete the PR checklist

@vedant-jaiswal
Contributor Author

Making the dependency optional would require using reflection to load the AwsCrtHttpClient class at runtime, which introduces unnecessary complexity and potential runtime errors that are much harder to troubleshoot than simple compile-time failures. The current approach keeps things straightforward - when someone enables PQTLS, they get guaranteed functionality, and users who don't need it simply won't use the CRT client.

harsheejshah commented Mar 23, 2026

The CRT client pulls in platform specific native libraries (~10-15MB per platform). This is a JDBC driver library, most users will never enable PQTLS, and forcing them to ship CRT natives is a significant size penalty. The AWS SDK itself follows this pattern: aws-crt-client is always an optional/opt-in dependency, never pulled transitively.
No reflection for instantiation is needed, we still use AwsCrtHttpClient directly.
Ref: Maven Optional Dependencies
Ref: AWS SDK CRT HTTP Client setup. Note: the SDK docs instruct users to explicitly add the CRT dependency themselves, it's not pulled transitively.

EDIT: offline conversations made me realize this is not supposed to be an optional feature, hence no need for this comment to be addressed. We should make the agent default to true without requiring customer configuration and that way this is not an overhead at all.

SecretsManagerClient client = new JDBCSecretCacheBuilderProvider(configProvider).build().build();

// Verify VPC endpoint, region, and PQTLS are all configured
assertEquals(vpcEndpointUrlString, client.serviceClientConfiguration().endpointOverride().get().toString());
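
Review bot: the comment above this assertion says VPC endpoint, region and PQTLS are all verified, but the assertion shown in this excerpt covers only the endpoint override. If nothing later in the test inspects the HTTP client, either add an assertion that proves the PQTLS path was taken or narrow the comment to what is actually checked. The bare .get() on endpointOverride() will also throw without a useful message when no override is set; asserting presence first gives a clearer failure.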

@harsheejshah harsheejshah Mar 23, 2026

order is wrong here as well, only address if a new rev is required

@simonmarty simonmarty Mar 26, 2026

Order is correct for junit, it's (expected, actual) https://junit.org/junit4/javadoc/latest/org/junit/Assert.html#assertEquals(java.lang.Object,%20java.lang.Object)

It's the opposite for testng.

}

@Test
public void test_postQuantumTls_disabledByDefault() {

(Non-blocking) this test and test_postQuantumTls_disabledByDefault are functionally identical; both just assertNotNull(client). The "enabled" test doesn't prove PQTLS was actually configured. At minimum, add a verify() to confirm the config was read and the code path diverged:

verify(configProvider).getBooleanPropertyWithDefault(pqtlsPropertyName, false);

@simonmarty
Contributor

The CRT client pulls in platform specific native libraries (~10-15MB per platform). This is a JDBC driver library, most users will never enable PQTLS, and forcing them to ship CRT natives is a significant size penalty. The AWS SDK itself follows this pattern: aws-crt-client is always an optional/opt-in dependency, never pulled transitively. No reflection for instantiation is needed, we still use AwsCrtHttpClient directly. Ref: Maven Optional Dependencies Ref: AWS SDK CRT HTTP Client setup. Note: the SDK docs instruct users to explicitly add the CRT dependency themselves, it's not pulled transitively.

EDIT: offline conversations made me realize this is not supposed to be an optional feature, hence no need for this comment to be addressed. We should make the agent default to true without requiring customer configuration and that way this is not an overhead at all.

Subsequent discussions offline have made us reconsider making the CRT the default HTTP client for this library. One option we have is to mark the dependency as optional and require users that want to use the PQTLS setting to add the CRT to their dependency closure in their projects. So we're trading user experience for binary size.
