b-long · b-long · Sep 9, 2025 · Sep 8, 2025 · Sep 9, 2025 · Sep 9, 2025
diff --git a/.github/check_entitlements.sh b/.github/check_entitlements.sh
@@ -1,15 +1,11 @@
 #!/bin/bash
 
-
 # Derive additional environment variables
 TOKEN_URL="${OIDC_OP_TOKEN_ENDPOINT}"
 OTDF_HOST_AND_PORT="${OPENTDF_PLATFORM_HOST}"
 OTDF_CLIENT="${OPENTDF_CLIENT_ID}"
 OTDF_CLIENT_SECRET="${OPENTDF_CLIENT_SECRET}"
 
-# Enable debug mode
-DEBUG=1
-
 echo "🔧 Environment Configuration:"
 echo "   TOKEN_URL: ${TOKEN_URL}"
 echo "   OTDF_HOST_AND_PORT: ${OTDF_HOST_AND_PORT}"
@@ -28,6 +24,8 @@ get_token() {
 
 echo "🔐 Getting access token..."
 BEARER=$( get_token | jq -r '.access_token' )
+# NOTE: It's always okay to print this token, because it will
+# only be valid / available in dummy / dev scenarios
 [[ "${DEBUG:-}" == "1" ]] && echo "Got Access Token: ${BEARER}"
 echo ""
 

diff --git a/tests/integration/otdfctl_to_python/test_cli_comparison.py b/tests/integration/otdfctl_to_python/test_cli_comparison.py
@@ -8,7 +8,11 @@
 
 import pytest
 
-from tests.support_cli_args import get_platform_url
+from tests.support_cli_args import (
+    build_otdfctl_decrypt_command,
+    build_otdfctl_encrypt_command,
+    get_platform_url,
+)
 
 platform_url = get_platform_url()
 
@@ -35,20 +39,13 @@ def test_otdfctl_encrypt_python_decrypt(collect_server_logs, temp_credentials_fi
         cli_decrypt_output = temp_path / "decrypted-by-cli.txt"
 
         # Run otdfctl encrypt first to create a TDF file
-        otdfctl_encrypt_cmd = [
-            "otdfctl",
-            "encrypt",
-            "--host",
+        otdfctl_encrypt_cmd = build_otdfctl_encrypt_command(
             platform_url,
-            "--with-client-creds-file",
-            str(temp_credentials_file),
-            "--tls-no-verify",
-            "--mime-type",
+            temp_credentials_file,
+            input_file,
+            otdfctl_tdf_output,
             "text/plain",
-            str(input_file),
-            "-o",
-            str(otdfctl_tdf_output),
-        ]
+        )
 
         otdfctl_encrypt_result = subprocess.run(
             otdfctl_encrypt_cmd, capture_output=True, text=True, cwd=temp_path
@@ -63,18 +60,12 @@ def test_otdfctl_encrypt_python_decrypt(collect_server_logs, temp_credentials_fi
         assert otdfctl_tdf_output.stat().st_size > 0, "otdfctl created empty TDF file"
 
         # Now run otdfctl decrypt (this is the reference implementation)
-        otdfctl_decrypt_cmd = [
-            "otdfctl",
-            "decrypt",
-            "--host",
+        otdfctl_decrypt_cmd = build_otdfctl_decrypt_command(
             platform_url,
-            "--with-client-creds-file",
-            str(temp_credentials_file),
-            "--tls-no-verify",
-            str(otdfctl_tdf_output),
-            "-o",
-            str(otdfctl_decrypt_output),
-        ]
+            temp_credentials_file,
+            otdfctl_tdf_output,
+            otdfctl_decrypt_output,
+        )
 
         otdfctl_decrypt_result = subprocess.run(
             otdfctl_decrypt_cmd, capture_output=True, text=True, cwd=temp_path
@@ -203,20 +194,13 @@ def test_otdfctl_encrypt_otdfctl_decrypt(collect_server_logs, temp_credentials_f
         otdfctl_decrypt_output = temp_path / "otdfctl-roundtrip-decrypted.txt"
 
         # Run otdfctl encrypt
-        otdfctl_encrypt_cmd = [
-            "otdfctl",
-            "encrypt",
-            "--host",
+        otdfctl_encrypt_cmd = build_otdfctl_encrypt_command(
             platform_url,
-            "--with-client-creds-file",
-            str(temp_credentials_file),
-            "--tls-no-verify",
-            "--mime-type",
+            temp_credentials_file,
+            input_file,
+            otdfctl_tdf_output,
             "text/plain",
-            str(input_file),
-            "-o",
-            str(otdfctl_tdf_output),
-        ]
+        )
 
         otdfctl_encrypt_result = subprocess.run(
             otdfctl_encrypt_cmd, capture_output=True, text=True, cwd=temp_path
@@ -252,18 +236,12 @@ def test_otdfctl_encrypt_otdfctl_decrypt(collect_server_logs, temp_credentials_f
         assert tdf_header == b"PK\x03\x04", "otdfctl output is not a valid ZIP file"
 
         # Run otdfctl decrypt
-        otdfctl_decrypt_cmd = [
-            "otdfctl",
-            "decrypt",
-            "--host",
+        otdfctl_decrypt_cmd = build_otdfctl_decrypt_command(
             platform_url,
-            "--with-client-creds-file",
-            str(temp_credentials_file),
-            "--tls-no-verify",
-            str(otdfctl_tdf_output),
-            "-o",
-            str(otdfctl_decrypt_output),
-        ]
+            temp_credentials_file,
+            otdfctl_tdf_output,
+            otdfctl_decrypt_output,
+        )
 
         otdfctl_decrypt_result = subprocess.run(
             otdfctl_decrypt_cmd, capture_output=True, text=True, cwd=temp_path

diff --git a/tests/integration/otdfctl_to_python/test_cli_inspect.py b/tests/integration/otdfctl_to_python/test_cli_inspect.py
@@ -2,18 +2,11 @@
 Tests using target mode fixtures, for CLI integration testing.
 """
 
-import json
 import logging
-import subprocess
-import sys
-from pathlib import Path
 
 import pytest
 
-from tests.config_pydantic import CONFIG_TDF
-from tests.support_cli_args import (
-    get_cli_flags,
-)
+from tests.support_cli_args import run_cli_inspect
 
 logger = logging.getLogger(__name__)
 
@@ -33,10 +26,10 @@ def test_cli_inspect_v4_2_2_vs_v4_3_1(all_target_mode_tdf_files, temp_credential
         v4_3_1_tdf = v4_3_1_files[file_type]
 
         # Inspect v4.2.2 TDF
-        v4_2_2_result = _run_cli_inspect(v4_2_2_tdf, temp_credentials_file)
+        v4_2_2_result = run_cli_inspect(v4_2_2_tdf, temp_credentials_file)
 
         # Inspect v4.3.1 TDF
-        v4_3_1_result = _run_cli_inspect(v4_3_1_tdf, temp_credentials_file)
+        v4_3_1_result = run_cli_inspect(v4_3_1_tdf, temp_credentials_file)
 
         # Both should succeed
         assert v4_2_2_result is not None, f"Failed to inspect v4.2.2 {file_type} TDF"
@@ -109,7 +102,7 @@ def test_cli_inspect_different_file_types(
             tdf_path = tdf_files[file_type]
 
             # Inspect the TDF
-            result = _run_cli_inspect(tdf_path, temp_credentials_file)
+            result = run_cli_inspect(tdf_path, temp_credentials_file)
 
             assert result is not None, (
                 f"Failed to inspect {file_type} TDF, TDF version {version}"
@@ -126,46 +119,3 @@ def test_cli_inspect_different_file_types(
                     "keyAccess" in result["manifest"]
                     or "encryptionInformation" in result["manifest"]
                 )
-
-
-def _run_cli_inspect(tdf_path: Path, creds_file: Path) -> dict | None:
-    """
-    Helper function to run Python CLI inspect command and return parsed JSON result.
-
-    This demonstrates how the CLI inspect functionality could be tested
-    with the new fixtures.
-    """
-    # Determine platform flags
-    platform_url = CONFIG_TDF.OPENTDF_PLATFORM_URL
-    cli_flags = get_cli_flags()
-
-    # Build CLI command
-    cmd = [
-        sys.executable,
-        "-m",
-        "otdf_python.cli",
-        "--platform-url",
-        platform_url,
-        "--with-client-creds-file",
-        str(creds_file),
-        *cli_flags,
-        "inspect",
-        str(tdf_path),
-    ]
-
-    try:
-        # Run the CLI command
-        result = subprocess.run(
-            cmd,
-            capture_output=True,
-            text=True,
-            check=True,
-            cwd=Path(__file__).parent.parent.parent,  # Project root
-        )
-
-        # Parse JSON output
-        return json.loads(result.stdout)
-
-    except (subprocess.CalledProcessError, json.JSONDecodeError) as e:
-        logger.error(f"CLI inspect failed for {tdf_path}: {e}")
-        raise Exception(f"Failed to inspect TDF {tdf_path}: {e}") from e
diff --git a/tests/integration/otdfctl_to_python/test_tdf_reader_integration.py b/tests/integration/otdfctl_to_python/test_tdf_reader_integration.py
@@ -14,7 +14,7 @@
     TDFReader,
 )
 from tests.config_pydantic import CONFIG_TDF
-from tests.support_cli_args import get_platform_url
+from tests.support_cli_args import build_otdfctl_encrypt_command, get_platform_url
 
 platform_url = get_platform_url()
 
@@ -40,26 +40,19 @@ def test_read_otdfctl_created_tdf_structure(self, temp_credentials_file):
             otdfctl_output = temp_path / "test-reader.txt.tdf"
 
             # Run otdfctl encrypt
-            otdfctl_cmd = [
-                "otdfctl",
-                "encrypt",
-                "--host",
+            otdfctl_cmd = build_otdfctl_encrypt_command(
                 platform_url,
-                "--with-client-creds-file",
-                str(temp_credentials_file),
-                "--tls-no-verify",
-                "--mime-type",
+                temp_credentials_file,
+                input_file,
+                otdfctl_output,
                 "text/plain",
-                str(input_file),
-                "-o",
-                str(otdfctl_output),
-            ]
+            )
 
             otdfctl_encrypt_result = subprocess.run(
                 otdfctl_cmd, capture_output=True, text=True, cwd=temp_path
             )
 
-            # If otdfctl fails, skip the test (might be server issues)
+            # If otdfctl fails, fail fast
             if otdfctl_encrypt_result.returncode != 0:
                 raise Exception(
                     f"otdfctl encrypt failed: {otdfctl_encrypt_result.stderr}"
@@ -131,29 +124,20 @@ def test_read_otdfctl_tdf_with_attributes(self, temp_credentials_file):
             otdfctl_output = temp_path / "input.txt.tdf"
 
             # Run otdfctl encrypt with attributes
-            otdfctl_cmd = [
-                "otdfctl",
-                "encrypt",
-                "--host",
+            otdfctl_cmd = build_otdfctl_encrypt_command(
                 platform_url,
-                "--with-client-creds-file",
-                str(temp_credentials_file),
-                "--tls-no-verify",
-                "--mime-type",
+                temp_credentials_file,
+                input_file,
+                otdfctl_output,
                 "text/plain",
-                "--attr",
-                CONFIG_TDF.TEST_OPENTDF_ATTRIBUTE_1,
-                str(input_file),
-                "-o",
-                str(otdfctl_output),
-            ]
+                [CONFIG_TDF.TEST_OPENTDF_ATTRIBUTE_1],
+            )
 
             otdfctl_result = subprocess.run(
                 otdfctl_cmd, capture_output=True, text=True, cwd=temp_path
             )
 
-            # If otdfctl fails, skip the test
-            # assert otdfctl_result.returncode == 0, "otdfctl encrypt failed"
+            # If otdfctl fails, fail fast
             if otdfctl_result.returncode != 0:
                 raise Exception(
                     f"otdfctl encrypt with attributes failed: {otdfctl_result.stderr}"
@@ -240,20 +224,13 @@ def test_read_multiple_otdfctl_files(self, temp_credentials_file):
                     output_file = temp_path / f"{test_case['name']}.tdf"
 
                     # Run otdfctl encrypt
-                    otdfctl_cmd = [
-                        "otdfctl",
-                        "encrypt",
-                        "--host",
+                    otdfctl_cmd = build_otdfctl_encrypt_command(
                         platform_url,
-                        "--with-client-creds-file",
-                        str(temp_credentials_file),
-                        "--tls-no-verify",
-                        "--mime-type",
+                        temp_credentials_file,
+                        input_file,
+                        output_file,
                         test_case["mime_type"],
-                        str(input_file),
-                        "-o",
-                        str(output_file),
-                    ]
+                    )
 
                     otdfctl_result = subprocess.run(
                         otdfctl_cmd, capture_output=True, text=True, cwd=temp_path