Reuse PlatformClient instead of creating ephemeral instances per request

[eugenioenko]

Context

In the web-sdk, several internal functions create a new PlatformClient instance for every request. Each call constructs a new Connect RPC transport, new interceptor chain, and new service clients — all to make a single RPC call and then throw the client away.

Where this happens

• access-rpc.ts — fetchWrappedKey() and fetchKeyAccessServers() each create a new PlatformClient()
• policy/discovery.ts — listAttributes(), validateAttributes(), attributeExists(), attributeValueExists() each create a new PlatformClient()
• policy/api.ts — attributeFQNsAsValues() and getRootCertsFromNamespace() each create a new PlatformClient()

A single decrypt operation can trigger multiple rewrap calls (one per KAS in a split-key policy), each creating its own PlatformClient.

Proposal

OpenTDF should own a single PlatformClient instance and pass it down to TDF3Client → tdf.ts → access.ts → access-rpc.ts and the policy functions.

This would:

• Avoid redundant object allocation on every request
• Enable connection reuse if the transport supports it
• Simplify the internal API — functions receive a client rather than auth config + URL and constructing their own
• Make the ownership model clear — OpenTDF owns the client lifecycle

What it would look like

Internal functions would change from:

export async function fetchWrappedKey(url, signedRequestToken, auth, ...) {
  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
  return platform.v1.access.rewrap(...);
}

To:

export async function fetchWrappedKey(platform, signedRequestToken, ...) {
  return platform.v1.access.rewrap(...);
}

Considerations

• The legacy fetch fallback path in access-fetch.ts doesn't use PlatformClient, so it would still need auth config separately
• Functions like fetchKasPubKey and fetchKasBasePubKey create unauthenticated PlatformClient instances (no auth needed for public key endpoints) — these could stay as-is or use a shared unauthenticated client
• This is a follow-up to the interceptor pattern work in feat(sdk): deprecate AuthProvider in favor of Interceptor pattern web-sdk#899 which made the per-request client creation more visible by threading AuthConfig through the layers