000e9d2847
Adds ApacheOutboundHttpClientFactory (Apache HttpClient 5) that memoizes CloseableHttpClient instances keyed on effective TLS + timeout config, and OutboundHttpConfig (@ConfigurationProperties) that validates trusted CA paths at startup and exposes OutboundHttpClientFactory as a Spring bean. TRUST_ALL mode disables both cert validation (TrustAllManager in SslContextBuilder) and hostname verification (NoopHostnameVerifier on SSLConnectionSocketFactoryBuilder). WireMock HTTPS integration test covers trust-all bypass, system-default PKIX rejection, and client memoization. OIDC audit: OidcProviderHelper and OidcTokenExchanger use Nimbus SDK's own HTTP layer (DefaultResourceRetriever for JWKS, HTTPRequest.send() for token exchange) plus the bespoke InsecureTlsHelper for TLS skip-verify; neither uses OutboundHttpClientFactory. Retrofit deferred to a separate follow-up per plan §20. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>