Skip to content

feat(policy)!: optional namespace for RRs#3165

Merged
alkalescent merged 15 commits into
mainfrom
DSPX-2496-ns-optional
Mar 25, 2026
Merged

feat(policy)!: optional namespace for RRs#3165
alkalescent merged 15 commits into
mainfrom
DSPX-2496-ns-optional

Conversation

@alkalescent

@alkalescent alkalescent commented Mar 16, 2026

Copy link
Copy Markdown
Contributor

Proposed Changes

  • We made namespacing required for RRs. That decision caused breaking changes. This PR makes namespacing optional for RRs and introduces an enforcement flag for the namespaced policy objects change.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

  • New Features

    • Registered resources can be created without specifying a namespace.
    • Action lookup is namespace-aware with a fallback to non-namespaced actions.
    • Non-namespaced and namespaced resources may coexist with the same name.
  • Behavior Change

    • When namespaced policy mode is enabled, creation requires a namespace; otherwise namespace is optional.
    • Ambiguous name lookups deterministically prefer non-namespaced matches.
  • Tests

    • Expanded integration tests covering namespace-optional flows, duplicates, lookup semantics, and listing.

@github-actions github-actions Bot added comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/s labels Mar 16, 2026
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a previous breaking change by making namespaces optional for Registered Resources (RRs) during creation. It introduces a configurable flag, EnforceNamespace, allowing administrators to control whether a namespace is required. This change provides greater flexibility in resource management while offering a mechanism to enforce stricter policy object creation when desired.

Highlights

  • Optional Namespaces for Registered Resources (RRs): The requirement for a namespace when creating Registered Resources has been made optional, reverting a previous breaking change.
  • Configurable Namespace Enforcement: A new configuration flag, EnforceNamespace, has been introduced. When set to true, it will re-enable the requirement for namespaces on policy object creation, providing a controlled transition.
  • Database and Service Logic Updates: The underlying database queries and Go service logic have been updated to correctly handle and persist Registered Resources that are created without an explicit namespace.
  • Protobuf Validation Relaxed: The Protobuf validation rules for CreateRegisteredResourceRequest have been adjusted to reflect that namespace_id or namespace_fqn are no longer strictly required by default.
  • Comprehensive Test Coverage: New integration and unit tests have been added to verify the successful creation, retrieval, and listing of Registered Resources when no namespace is provided.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog
  • service/integration/registered_resources_test.go
    • Added new integration tests for creating registered resources without a namespace.
    • Added tests for retrieving registered resources by ID and name when no namespace is provided.
    • Added a test to ensure duplicate names without namespaces fail.
    • Added a test to verify that registered resources without namespaces are included in the general list.
  • service/policy/config/config.go
    • Added EnforceNamespace boolean field to the Config struct, defaulting to false.
  • service/policy/db/queries/registered_resources.sql
    • Modified the createRegisteredResource SQL query to allow namespace_id and namespace_fqn to be null during insertion.
    • Updated the SELECT clause to conditionally build the namespace JSON object, returning NULL if no namespace is associated.
    • Changed JOIN attribute_namespaces to LEFT JOIN attribute_namespaces.
  • service/policy/db/registered_resources.go
    • Updated CreateRegisteredResource to use hydrateNamespaceFromInterface which can handle a nil namespace.
  • service/policy/db/registered_resources.sql.go
    • Updated the generated createRegisteredResource SQL query to match the changes in registered_resources.sql.
    • Changed the Namespace field type in createRegisteredResourceRow from []byte to interface{} to accommodate NULL values.
  • service/policy/registeredresources/registered_resources.go
    • Added conditional logic in CreateRegisteredResource to check the EnforceNamespace config flag and return an InvalidArgument error if a namespace is missing when enforcement is enabled.
    • Imported the errors package.
  • service/policy/registeredresources/registered_resources.proto
    • Modified the CreateRegisteredResourceRequest message to make the namespace_id or namespace_fqn fields optional by setting required: false in the buf.validate.message option.
  • service/policy/registeredresources/registered_resources_test.go
    • Added a test case to TestCreateRegisteredResource_Valid_Succeeds for creating a resource without a namespace.
    • Removed the 'Missing Namespace' test case from TestCreateRegisteredResource_Invalid_Fails as it is no longer an invalid scenario by default.
Ignored Files
  • Ignored by pattern: protocol/**/* (1)
    • protocol/go/policy/registeredresources/registered_resources.pb.go
Activity
  • No human activity (comments, reviews, or progress updates) has been recorded on this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.


Namespace once firm, Now optional, a new path, Flexibility.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly makes namespaces optional for Registered Resources by introducing an enforce_namespace feature flag. The changes are consistently applied across the database layer, service logic, and API definitions, and are accompanied by a good set of tests. I've identified a potential ambiguity issue when retrieving resources by name where duplicates exist across namespaces and have suggested a new test case to highlight this. I've also suggested an additional test for completeness to ensure uniqueness constraints are handled correctly in mixed-namespace scenarios.

Comment thread service/integration/registered_resources_test.go
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 214.552173ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 112.093212ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 385.234898ms
Throughput 259.58 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.702277669s
Average Latency 405.309382ms
Throughput 122.84 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 192.611492ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 98.203703ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 387.332505ms
Throughput 258.18 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.068316787s
Average Latency 399.30112ms
Throughput 124.79 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 197.515964ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 92.844367ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 367.235891ms
Throughput 272.30 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.268139609s
Average Latency 390.297076ms
Throughput 127.33 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@alkalescent
alkalescent marked this pull request as ready for review March 17, 2026 17:15
@alkalescent
alkalescent requested review from a team as code owners March 17, 2026 17:15
Comment thread service/integration/registered_resources_test.go
@alkalescent alkalescent changed the title feat(policy): optional namespace for RRs feat(policy)!: optional namespace for RRs Mar 17, 2026
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 167.997504ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 85.704458ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 406.577308ms
Throughput 245.96 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.807196653s
Average Latency 386.277433ms
Throughput 128.84 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@strantalis

Copy link
Copy Markdown
Member

@CodeRabbit review

@coderabbitai

coderabbitai Bot commented Mar 19, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Mar 19, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Namespace support for registered resources was made optional across layers: proto validation relaxed, handler enforces namespace only when NamespacedPolicy is enabled, DB/SQL and generated Go accept NULL namespaces and prefer non‑namespaced results, action lookup became namespace‑aware with a non‑namespaced fallback, and tests were extended.

Changes

Cohort / File(s) Summary
Database SQL & Generated Go
service/policy/db/queries/registered_resources.sql, service/policy/db/registered_resources.sql.go
createRegisteredResource WHERE allows NULL namespace; attribute_namespaces JOIN → LEFT JOIN; namespace returned conditionally (JSON or NULL); getRegisteredResource uses ORDER BY r.namespace_id NULLS FIRST LIMIT 1 to prefer non‑namespaced rows; generated row type Namespace []byteinterface{}.
Database Go Logic
service/policy/db/registered_resources.go
Handle NULL namespace via hydrateNamespaceFromInterface; action lookup now passes NamespaceID and falls back to non‑namespaced lookup on db.ErrNotFound; added errors and pgtype imports.
API Layer: Proto & Handler
service/policy/registeredresources/registered_resources.proto, service/policy/registeredresources/registered_resources.go
Proto oneof validation for namespace_id/namespace_fqn changed from required → optional. Handler enforces namespace presence only when NamespacedPolicy is enabled and returns InvalidArgument if missing.
Integration & Unit Tests
service/integration/registered_resources_test.go, service/policy/registeredresources/registered_resources_test.go
Added numerous integration tests covering namespace‑optional creation, non‑namespaced values, duplicate‑name constraint, same‑name coexistence, deterministic name lookup; unit test updated to accept creation without namespace.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant API as Policy API
  participant DB as Database
  participant Action as Action Resolver

  Client->>API: CreateRegisteredResource(req with/without namespace)
  API->>API: validate request (proto oneof optional)
  alt NamespacedPolicy enabled and no namespace provided
    API-->>Client: InvalidArgument (namespace required)
  else proceed
    API->>DB: INSERT registered_resource (namespace may be NULL)
    DB-->>API: inserted row (namespace JSON or NULL)
    API->>Action: Resolve action by name (+ NamespaceID if present)
    alt namespaced lookup fails and NamespaceID was provided
      API->>Action: Resolve action by name (no NamespaceID fallback)
    end
    API-->>Client: return created resource (nullable namespace)
  end
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Poem

🐰 I hopped through SQL, tidy and spry,
Namespaces optional — I gave it a try.
Lookups first local, then leap to the free,
NULLs and names now live calm with me.
One rabbit, two names — both sit happily.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(policy)!: optional namespace for RRs' clearly and specifically describes the main change: making namespace optional for registered resources.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch DSPX-2496-ns-optional

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 189.42843ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 95.510054ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 379.913673ms
Throughput 263.22 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.210528899s
Average Latency 399.618148ms
Throughput 124.35 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 187.414217ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 94.046674ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 387.47458ms
Throughput 258.08 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.838305982s
Average Latency 396.799859ms
Throughput 125.51 requests/second

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@service/policy/db/registered_resources.go`:
- Around line 595-601: The fallback branch that calls c.queries.getAction when
nsUUID.Valid and errors.Is(err, db.ErrNotFound) currently returns the raw query
error; update it to apply the same error normalization used for the initial
getAction call so driver/query errors are mapped to the repository sentinel
errors before returning. Specifically, after assigning a, err =
c.queries.getAction(ctx, actionParams) in the fallback, run the same
normalization logic that the first getAction call uses (the mapping that
converts driver/query errors into repo sentinel errors) and return that
normalized error instead of the raw err; ensure this uses the existing
error-mapping routine so behavior for nsUUID, actionParams, c.queries.getAction
and db.ErrNotFound is consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 11faf3da-3662-4218-8279-14761c6b279d

📥 Commits

Reviewing files that changed from the base of the PR and between 1cd5cef and e447539.

📒 Files selected for processing (1)
  • service/policy/db/registered_resources.go

Comment thread service/policy/db/registered_resources.go
@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 208.009505ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.852323ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 382.084189ms
Throughput 261.72 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.06224794s
Average Latency 398.913506ms
Throughput 124.81 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@alkalescent
alkalescent enabled auto-merge March 25, 2026 15:58

@c-r33d c-r33d left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you change the title so this isn't marked as a breaking change

@alkalescent
alkalescent added this pull request to the merge queue Mar 25, 2026
Merged via the queue into main with commit 8948018 Mar 25, 2026
37 checks passed
@alkalescent
alkalescent deleted the DSPX-2496-ns-optional branch March 25, 2026 19:21
@alkalescent

alkalescent commented Mar 25, 2026

Copy link
Copy Markdown
Contributor Author

@c-r33d RIP, I enabled auto-merge before you commented

github-merge-queue Bot pushed a commit that referenced this pull request Mar 26, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.21.0](protocol/go/v0.20.0...protocol/go/v0.21.0)
(2026-03-26)


### Features

* **policy:** optional namespace for RRs
([#3165](#3165))
([8948018](8948018))


### Bug Fixes

* **deps:** bump google.golang.org/grpc from 1.67.1 to 1.79.3 in
/protocol/go ([#3173](#3173))
([447ece6](447ece6))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Co-authored-by: Krish Suchak <42231639+alkalescent@users.noreply.github.com>
JBCongdon pushed a commit to JBCongdon/platform that referenced this pull request May 24, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.14.0](opentdf/platform@service/v0.13.0...service/v0.14.0)
(2026-04-21)


### ⚠ BREAKING CHANGES

* **sdk:** reclassify KAS 400 errors — distinguish tamper from
misconfiguration
([opentdf#3166](opentdf#3166))
* **policy:** optional namespace for RRs
([opentdf#3165](opentdf#3165))
* **policy:** Namespace subject mappings and subject condition sets.
([opentdf#3143](opentdf#3143))
* **policy:** Optional namespace on actions protos, NamespacedPolicy
feature flag ([opentdf#3155](opentdf#3155))
* **policy:** add namespaced actions schema and namespace-aware action
queries ([opentdf#3154](opentdf#3154))
* **policy:** only require namespace on GetAction if no id provided
([opentdf#3144](opentdf#3144))
* **policy:** add namespace field to Actions proto
([opentdf#3130](opentdf#3130))
* **policy:** namespace Registered Resources
([opentdf#3111](opentdf#3111))
* **policy:** add namespace field to RegisteredResource proto
([opentdf#3110](opentdf#3110))

### Features

* **authz:** Namespaced policy in decisioning
([opentdf#3226](opentdf#3226))
([0355934](opentdf@0355934))
* **cli:** migrate otdfctl into platform monorepo
([opentdf#3205](opentdf#3205))
([5177bec](opentdf@5177bec))
* fix tracing ([opentdf#3242](opentdf#3242))
([57e5680](opentdf@57e5680))
* **policy:** add GetObligationTrigger RPC
([opentdf#3318](opentdf#3318))
([d68e39d](opentdf@d68e39d))
* **policy:** add namespace field to Actions proto
([opentdf#3130](opentdf#3130))
([bedc9b3](opentdf@bedc9b3))
* **policy:** add namespace field to RegisteredResource proto
([opentdf#3110](opentdf#3110))
([04fd85d](opentdf@04fd85d))
* **policy:** add namespaced actions schema and namespace-aware action
queries ([opentdf#3154](opentdf#3154))
([c0443f1](opentdf@c0443f1))
* **policy:** add sort ListSubjectMappings API
([opentdf#3255](opentdf#3255))
([9d5d757](opentdf@9d5d757))
* **policy:** Add sort support listregisteredresources api
([opentdf#3312](opentdf#3312))
([91a3ff3](opentdf@91a3ff3))
* **policy:** add sort support to ListAttributes API
([opentdf#3223](opentdf#3223))
([ec3312f](opentdf@ec3312f))
* **policy:** add sort support to ListKeyAccessServer
([opentdf#3287](opentdf#3287))
([7fae2d7](opentdf@7fae2d7))
* **policy:** Add sort support to ListNamespaces API
([opentdf#3192](opentdf#3192))
([aac86cd](opentdf@aac86cd))
* **policy:** add sort support to listobligations api
([opentdf#3300](opentdf#3300))
([9221cac](opentdf@9221cac))
* **policy:** add sort support to ListSubjectConditionSets API
([opentdf#3272](opentdf#3272))
([9010f12](opentdf@9010f12))
* **policy:** add SortField proto and update PageRequest for sort
support ([opentdf#3187](opentdf#3187))
([6cf1862](opentdf@6cf1862))
* **policy:** Enforce same namespace when actions referenced downstream
([opentdf#3206](opentdf#3206))
([4b5463a](opentdf@4b5463a))
* **policy:** namespace Registered Resources
([opentdf#3111](opentdf#3111))
([6db1883](opentdf@6db1883))
* **policy:** Namespace subject mappings and condition sets
([opentdf#3172](opentdf#3172))
([6deed50](opentdf@6deed50))
* **policy:** Namespace subject mappings and subject condition sets.
([opentdf#3143](opentdf#3143))
([3006780](opentdf@3006780))
* **policy:** optional namespace for RRs
([opentdf#3165](opentdf#3165))
([8948018](opentdf@8948018))
* **policy:** rollback migration strategy for namespaced actions
([opentdf#3235](opentdf#3235))
([f7e5e01](opentdf@f7e5e01))
* **policy:** Seed existing namespaces with standard actions
([opentdf#3228](opentdf#3228))
([12136b0](opentdf@12136b0))
* **policy:** Seed namespaces with standard actions on creation +
namespaced actions for obligation triggers
([opentdf#3161](opentdf#3161))
([984d76b](opentdf@984d76b))


### Bug Fixes

* **ci:** Upgrade toolchain version to 1.25.8
([opentdf#3116](opentdf#3116))
([e1b7882](opentdf@e1b7882))
* **core:** do not concat slashes directly in url/file paths
([opentdf#3290](opentdf#3290))
([114c2a7](opentdf@114c2a7))
* **deps:** bump github.com/jackc/pgx/v5 from 5.7.5 to 5.9.0 in /service
([opentdf#3316](opentdf#3316))
([017362e](opentdf@017362e))
* **deps:** bump github.com/opentdf/platform/lib/identifier from 0.2.0
to 0.3.0 in /service
([opentdf#3162](opentdf#3162))
([8bc5dcd](opentdf@8bc5dcd))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.16.0 to
0.17.0 in /service
([opentdf#3125](opentdf#3125))
([29fec61](opentdf@29fec61))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.17.0 to
0.21.0 in /service
([opentdf#3220](opentdf#3220))
([e63add2](opentdf@e63add2))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.21.0 to
0.22.0 in /service
([opentdf#3248](opentdf#3248))
([1ebce73](opentdf@1ebce73))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.22.0 to
0.23.0 in /service
([opentdf#3271](opentdf#3271))
([3338b8e](opentdf@3338b8e))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.23.0 to
0.24.0 in /service
([opentdf#3321](opentdf#3321))
([78e6022](opentdf@78e6022))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.24.0 to
0.25.0 in /service
([opentdf#3333](opentdf#3333))
([3940bf8](opentdf@3940bf8))
* **deps:** bump github.com/opentdf/platform/sdk from 0.13.0 to 0.16.0
in /service ([opentdf#3356](opentdf#3356))
([5617077](opentdf@5617077))
* **deps:** bump
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from
1.42.0 to 1.43.0 in /service
([opentdf#3282](opentdf#3282))
([046374a](opentdf@046374a))
* **deps:** bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in
/service ([opentdf#3281](opentdf#3281))
([56b33f2](opentdf@56b33f2))
* **deps:** bump google.golang.org/grpc from 1.77.0 to 1.79.3 in
/service ([opentdf#3176](opentdf#3176))
([3289502](opentdf@3289502))
* **deps:** remove direct github.com/docker/docker dependency
([opentdf#3229](opentdf#3229))
([2becb27](opentdf@2becb27))
* **deps:** upgrade testcontainers-go to resolve vulns
([opentdf#3299](opentdf#3299))
([72c6f9b](opentdf@72c6f9b))
* **ers:** include standard JWT claims in claims mode entity resolution
([opentdf#3196](opentdf#3196))
([6d50da1](opentdf@6d50da1))
* **ers:** ldap multi-strategy ers
([opentdf#3117](opentdf#3117))
([d3aaf1a](opentdf@d3aaf1a))
* **policy:** deprecate ListAttributeValues in favor of existing
GetAttribute ([opentdf#3108](opentdf#3108))
([7e17c2d](opentdf@7e17c2d))
* **policy:** make obligation trigger uniqueness client-aware
([opentdf#3114](opentdf#3114))
([9265bc3](opentdf@9265bc3))
* **policy:** omit empty attribute values from create responses
([opentdf#3193](opentdf#3193))
([d298378](opentdf@d298378))
* **policy:** only require namespace on GetAction if no id provided
([opentdf#3144](opentdf#3144))
([10d0c0f](opentdf@10d0c0f))
* **policy:** Optional namespace on actions protos, NamespacedPolicy
feature flag ([opentdf#3155](opentdf#3155))
([c20f039](opentdf@c20f039))
* **policy:** order List* results by created_at
([opentdf#3088](opentdf#3088))
([ea90ac2](opentdf@ea90ac2))
* **sdk:** normalize issuer URL before OIDC discovery
([opentdf#3261](opentdf#3261))
([61f98c9](opentdf@61f98c9))
* **sdk:** reclassify KAS 400 errors — distinguish tamper from
misconfiguration
([opentdf#3166](opentdf#3166))
([f04a385](opentdf@f04a385))
* **sdk:** remove testcontainers from consumer dependency graph
([opentdf#3129](opentdf#3129))
([f17dcdd](opentdf@f17dcdd))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants