Skip to content

feat(cli): migrate otdfctl into platform monorepo#3205

Merged
alkalescent merged 22 commits into
mainfrom
DSPX-2655-migrate-otdfctl
Apr 21, 2026
Merged

feat(cli): migrate otdfctl into platform monorepo#3205
alkalescent merged 22 commits into
mainfrom
DSPX-2655-migrate-otdfctl

Conversation

@alkalescent

@alkalescent alkalescent commented Mar 23, 2026

Copy link
Copy Markdown
Contributor

Proposed Changes

  • Base PR for the otdfctl migration stack (DSPX-2654 epic)
  • Merge opentdf/otdfctl into otdfctl/ via git subtree add, preserving full git history and tags
  • Rewrite Go module path and integrate with go.work workspace

DSPX-2655: Subtree merge + cleanup

  • Subtree merge of latest otdfctl main (v0.30.0, includes namespace refactor and dependency bumps)
  • Remove files handled at platform root (.github/, .golangci.yaml, CONTRIBUTING.md, LICENSE)
  • Keep otdfctl/CHANGELOG.md for historical reference
  • Update root .gitignore, CODEOWNERS, pr-checks scope
  • Import tags as otdfctl/* prefix (e.g., otdfctl/v0.26.2)

DSPX-2656: Module path rewrite

  • Rewrite module path: github.com/opentdf/otdfctlgithub.com/opentdf/platform/otdfctl
  • Update all Go import statements (~54 files)
  • Add otdfctl to go.work workspace
  • Update Dockerfile

DSPX-2657: Makefile and build scripts

  • Update root and otdfctl Makefiles for monorepo integration
  • Restore build scripts from original otdfctl repo

DSPX-2658: CI matrix

  • Add otdfctl to checks.yaml go job matrix
  • govulncheck, golangci-lint, unit tests, go fmt/tidy checks

PR Stack (DSPX-2654)

  1. This PR (feat(cli): migrate otdfctl into platform monorepo #3205) — Subtree merge + module path rewrite (DSPX-2655, DSPX-2656)
  2. feat(cli): Makefile and build scripts #3208 — Makefile and build scripts (DSPX-2657)
  3. feat(cli): add otdfctl to platform CI matrix #3221 — CI workflows (DSPX-2658)
  4. (future) — e2e tests (DSPX-2659)

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

  • git log --oneline --follow -M otdfctl/cmd/root.go shows pre-merge history
  • git tag | grep otdfctl/v0.26 confirms tags imported
  • go build ./otdfctl/... succeeds

@coderabbitai

coderabbitai Bot commented Mar 23, 2026

Copy link
Copy Markdown

Important

Review skipped

Too many files!

This PR contains 298 files, which is 148 over the limit of 150.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b077646f-7dbb-4a65-a2ed-eb3523d714e0

📥 Commits

Reviewing files that changed from the base of the PR and between 0f8db5e and c90740d.

⛔ Files ignored due to path filters (2)
  • go.work is excluded by !**/*.work
  • otdfctl/go.sum is excluded by !**/*.sum
📒 Files selected for processing (298)
  • .github/dependabot.yml
  • .github/release-please/release-please-config.main.json
  • .github/release-please/release-please-config.otdfctl.json
  • .github/release-please/release-please-manifest.json
  • .github/workflows/checks.yaml
  • .github/workflows/nightly-checks.yaml
  • .github/workflows/pr-checks.yaml
  • .github/workflows/release-otdfctl.yaml
  • .gitignore
  • .golangci.yaml
  • CODEOWNERS
  • Dockerfile
  • Makefile
  • adr/decisions/2026-03-24-otdfctl-migration.md
  • otdfctl/CHANGELOG.md
  • otdfctl/Makefile
  • otdfctl/README.md
  • otdfctl/adr/0000-use-adr-dir-for-adr.md
  • otdfctl/adr/0001-printing-with-json.md
  • otdfctl/cmd/auth/auth.go
  • otdfctl/cmd/auth/clearCachedCredentials.go
  • otdfctl/cmd/auth/clientCredentials.go
  • otdfctl/cmd/auth/login.go
  • otdfctl/cmd/auth/logout.go
  • otdfctl/cmd/auth/printAccessToken.go
  • otdfctl/cmd/common/common.go
  • otdfctl/cmd/config/config.go
  • otdfctl/cmd/dev/dev.go
  • otdfctl/cmd/dev/selectors.go
  • otdfctl/cmd/execute.go
  • otdfctl/cmd/execute_test.go
  • otdfctl/cmd/interactive.go
  • otdfctl/cmd/migrate/migrate.go
  • otdfctl/cmd/migrate/namespaced_policy.go
  • otdfctl/cmd/migrate/prune/namespacedPolicy.go
  • otdfctl/cmd/migrate/prune/prune.go
  • otdfctl/cmd/migrate/registeredResources.go
  • otdfctl/cmd/policy/actions.go
  • otdfctl/cmd/policy/attributeValues.go
  • otdfctl/cmd/policy/attributes.go
  • otdfctl/cmd/policy/baseKeys.go
  • otdfctl/cmd/policy/kasGrants.go
  • otdfctl/cmd/policy/kasKeys.go
  • otdfctl/cmd/policy/kasRegistry.go
  • otdfctl/cmd/policy/keyManagement.go
  • otdfctl/cmd/policy/keyManagementProvider.go
  • otdfctl/cmd/policy/namespaces.go
  • otdfctl/cmd/policy/obligations.go
  • otdfctl/cmd/policy/policy.go
  • otdfctl/cmd/policy/registeredResources.go
  • otdfctl/cmd/policy/resourceMappingGroups.go
  • otdfctl/cmd/policy/resourceMappings.go
  • otdfctl/cmd/policy/subjectConditionSets.go
  • otdfctl/cmd/policy/subjectMappings.go
  • otdfctl/cmd/profile.go
  • otdfctl/cmd/root.go
  • otdfctl/cmd/tdf/decrypt.go
  • otdfctl/cmd/tdf/encrypt.go
  • otdfctl/cmd/tdf/inspect.go
  • otdfctl/cmd/tdf/tdf.go
  • otdfctl/docs/README.md
  • otdfctl/docs/main.go
  • otdfctl/docs/man/_index.md
  • otdfctl/docs/man/auth/_index.md
  • otdfctl/docs/man/auth/clear-client-credentials.md
  • otdfctl/docs/man/auth/client-credentials.md
  • otdfctl/docs/man/auth/login.md
  • otdfctl/docs/man/auth/logout.md
  • otdfctl/docs/man/auth/print-access-token.md
  • otdfctl/docs/man/config/_index.md
  • otdfctl/docs/man/config/output.md
  • otdfctl/docs/man/decrypt/_index.md
  • otdfctl/docs/man/dev/_index.md
  • otdfctl/docs/man/dev/design-system.md
  • otdfctl/docs/man/dev/selectors/_index.md
  • otdfctl/docs/man/dev/selectors/generate.md
  • otdfctl/docs/man/dev/selectors/test.md
  • otdfctl/docs/man/encrypt/_index.md
  • otdfctl/docs/man/example.xmd
  • otdfctl/docs/man/inspect/_index.md
  • otdfctl/docs/man/interactive.md
  • otdfctl/docs/man/migrate/_index.md
  • otdfctl/docs/man/migrate/namespaced-policy.md
  • otdfctl/docs/man/migrate/prune/_index.md
  • otdfctl/docs/man/migrate/prune/namespaced-policy.md
  • otdfctl/docs/man/policy/_index.md
  • otdfctl/docs/man/policy/actions/_index.md
  • otdfctl/docs/man/policy/actions/create.md
  • otdfctl/docs/man/policy/actions/delete.md
  • otdfctl/docs/man/policy/actions/get.md
  • otdfctl/docs/man/policy/actions/list.md
  • otdfctl/docs/man/policy/actions/update.md
  • otdfctl/docs/man/policy/attributes/_index.md
  • otdfctl/docs/man/policy/attributes/create.md
  • otdfctl/docs/man/policy/attributes/deactivate.md
  • otdfctl/docs/man/policy/attributes/get.md
  • otdfctl/docs/man/policy/attributes/key/_index.md
  • otdfctl/docs/man/policy/attributes/key/assign.md
  • otdfctl/docs/man/policy/attributes/key/remove.md
  • otdfctl/docs/man/policy/attributes/list.md
  • otdfctl/docs/man/policy/attributes/unsafe/_index.md
  • otdfctl/docs/man/policy/attributes/unsafe/delete.md
  • otdfctl/docs/man/policy/attributes/unsafe/reactivate.md
  • otdfctl/docs/man/policy/attributes/unsafe/update.md
  • otdfctl/docs/man/policy/attributes/update.md
  • otdfctl/docs/man/policy/attributes/values/_index.md
  • otdfctl/docs/man/policy/attributes/values/create.md
  • otdfctl/docs/man/policy/attributes/values/deactivate.md
  • otdfctl/docs/man/policy/attributes/values/get.md
  • otdfctl/docs/man/policy/attributes/values/key/_index.md
  • otdfctl/docs/man/policy/attributes/values/key/assign.md
  • otdfctl/docs/man/policy/attributes/values/key/remove.md
  • otdfctl/docs/man/policy/attributes/values/list.md
  • otdfctl/docs/man/policy/attributes/values/unsafe/_index.md
  • otdfctl/docs/man/policy/attributes/values/unsafe/delete.md
  • otdfctl/docs/man/policy/attributes/values/unsafe/reactivate.md
  • otdfctl/docs/man/policy/attributes/values/unsafe/update.md
  • otdfctl/docs/man/policy/attributes/values/update.md
  • otdfctl/docs/man/policy/kas-grants/_index.md
  • otdfctl/docs/man/policy/kas-grants/assign.md
  • otdfctl/docs/man/policy/kas-grants/list.md
  • otdfctl/docs/man/policy/kas-grants/unassign.md
  • otdfctl/docs/man/policy/kas-registry/_index.md
  • otdfctl/docs/man/policy/kas-registry/create.md
  • otdfctl/docs/man/policy/kas-registry/delete.md
  • otdfctl/docs/man/policy/kas-registry/get.md
  • otdfctl/docs/man/policy/kas-registry/key/_index.md
  • otdfctl/docs/man/policy/kas-registry/key/base/_index.md
  • otdfctl/docs/man/policy/kas-registry/key/base/get.md
  • otdfctl/docs/man/policy/kas-registry/key/base/set.md
  • otdfctl/docs/man/policy/kas-registry/key/create.md
  • otdfctl/docs/man/policy/kas-registry/key/get.md
  • otdfctl/docs/man/policy/kas-registry/key/import.md
  • otdfctl/docs/man/policy/kas-registry/key/list-mappings.md
  • otdfctl/docs/man/policy/kas-registry/key/list.md
  • otdfctl/docs/man/policy/kas-registry/key/rotate.md
  • otdfctl/docs/man/policy/kas-registry/key/unsafe/_index.md
  • otdfctl/docs/man/policy/kas-registry/key/unsafe/delete.md
  • otdfctl/docs/man/policy/kas-registry/key/update.md
  • otdfctl/docs/man/policy/kas-registry/list.md
  • otdfctl/docs/man/policy/kas-registry/update.md
  • otdfctl/docs/man/policy/key-management/_index.md
  • otdfctl/docs/man/policy/key-management/provider/_index.md
  • otdfctl/docs/man/policy/key-management/provider/create.md
  • otdfctl/docs/man/policy/key-management/provider/delete.md
  • otdfctl/docs/man/policy/key-management/provider/get.md
  • otdfctl/docs/man/policy/key-management/provider/list.md
  • otdfctl/docs/man/policy/key-management/provider/update.md
  • otdfctl/docs/man/policy/namespaces/_index.md
  • otdfctl/docs/man/policy/namespaces/create.md
  • otdfctl/docs/man/policy/namespaces/deactivate.md
  • otdfctl/docs/man/policy/namespaces/get.md
  • otdfctl/docs/man/policy/namespaces/key/_index.md
  • otdfctl/docs/man/policy/namespaces/key/assign.md
  • otdfctl/docs/man/policy/namespaces/key/remove.md
  • otdfctl/docs/man/policy/namespaces/list.md
  • otdfctl/docs/man/policy/namespaces/unsafe/_index.md
  • otdfctl/docs/man/policy/namespaces/unsafe/delete.md
  • otdfctl/docs/man/policy/namespaces/unsafe/reactivate.md
  • otdfctl/docs/man/policy/namespaces/unsafe/update.md
  • otdfctl/docs/man/policy/namespaces/update.md
  • otdfctl/docs/man/policy/obligations/_index.md
  • otdfctl/docs/man/policy/obligations/create.md
  • otdfctl/docs/man/policy/obligations/delete.md
  • otdfctl/docs/man/policy/obligations/get.md
  • otdfctl/docs/man/policy/obligations/list.md
  • otdfctl/docs/man/policy/obligations/triggers/_index.md
  • otdfctl/docs/man/policy/obligations/triggers/create.md
  • otdfctl/docs/man/policy/obligations/triggers/delete.md
  • otdfctl/docs/man/policy/obligations/triggers/list.md
  • otdfctl/docs/man/policy/obligations/update.md
  • otdfctl/docs/man/policy/obligations/values/_index.md
  • otdfctl/docs/man/policy/obligations/values/create.md
  • otdfctl/docs/man/policy/obligations/values/delete.md
  • otdfctl/docs/man/policy/obligations/values/get.md
  • otdfctl/docs/man/policy/obligations/values/update.md
  • otdfctl/docs/man/policy/registered-resources/_index.md
  • otdfctl/docs/man/policy/registered-resources/create.md
  • otdfctl/docs/man/policy/registered-resources/delete.md
  • otdfctl/docs/man/policy/registered-resources/get.md
  • otdfctl/docs/man/policy/registered-resources/list.md
  • otdfctl/docs/man/policy/registered-resources/update.md
  • otdfctl/docs/man/policy/registered-resources/values/_index.md
  • otdfctl/docs/man/policy/registered-resources/values/create.md
  • otdfctl/docs/man/policy/registered-resources/values/delete.md
  • otdfctl/docs/man/policy/registered-resources/values/get.md
  • otdfctl/docs/man/policy/registered-resources/values/list.md
  • otdfctl/docs/man/policy/registered-resources/values/update.md
  • otdfctl/docs/man/policy/resource-mapping-groups/_index.md
  • otdfctl/docs/man/policy/resource-mapping-groups/create.md
  • otdfctl/docs/man/policy/resource-mapping-groups/delete.md
  • otdfctl/docs/man/policy/resource-mapping-groups/get.md
  • otdfctl/docs/man/policy/resource-mapping-groups/list.md
  • otdfctl/docs/man/policy/resource-mapping-groups/update.md
  • otdfctl/docs/man/policy/resource-mappings/_index.md
  • otdfctl/docs/man/policy/resource-mappings/create.md
  • otdfctl/docs/man/policy/resource-mappings/delete.md
  • otdfctl/docs/man/policy/resource-mappings/get.md
  • otdfctl/docs/man/policy/resource-mappings/list.md
  • otdfctl/docs/man/policy/resource-mappings/update.md
  • otdfctl/docs/man/policy/subject-condition-sets/_index.md
  • otdfctl/docs/man/policy/subject-condition-sets/create.md
  • otdfctl/docs/man/policy/subject-condition-sets/delete.md
  • otdfctl/docs/man/policy/subject-condition-sets/get.md
  • otdfctl/docs/man/policy/subject-condition-sets/list.md
  • otdfctl/docs/man/policy/subject-condition-sets/prune.md
  • otdfctl/docs/man/policy/subject-condition-sets/update.md
  • otdfctl/docs/man/policy/subject-mappings/_index.md
  • otdfctl/docs/man/policy/subject-mappings/create.md
  • otdfctl/docs/man/policy/subject-mappings/delete.md
  • otdfctl/docs/man/policy/subject-mappings/get.md
  • otdfctl/docs/man/policy/subject-mappings/list.md
  • otdfctl/docs/man/policy/subject-mappings/match.md
  • otdfctl/docs/man/policy/subject-mappings/update.md
  • otdfctl/e2e/action.yaml
  • otdfctl/e2e/actions.bats
  • otdfctl/e2e/attributes.bats
  • otdfctl/e2e/auth.bats
  • otdfctl/e2e/encrypt-decrypt.bats
  • otdfctl/e2e/kas-grants.bats
  • otdfctl/e2e/kas-keys-mappings.bats
  • otdfctl/e2e/kas-keys.bats
  • otdfctl/e2e/kas-registry.bats
  • otdfctl/e2e/key-base.bats
  • otdfctl/e2e/logging.bats
  • otdfctl/e2e/migrate-namespaced-policy.bats
  • otdfctl/e2e/namespaces.bats
  • otdfctl/e2e/obligations.bats
  • otdfctl/e2e/otdfctl-utils.sh
  • otdfctl/e2e/profile.bats
  • otdfctl/e2e/provider-config.bats
  • otdfctl/e2e/registered-resources.bats
  • otdfctl/e2e/resize_terminal.sh
  • otdfctl/e2e/resource-mapping-groups.bats
  • otdfctl/e2e/resource-mapping.bats
  • otdfctl/e2e/setup_suite.bash
  • otdfctl/e2e/subject-condition-sets.bats
  • otdfctl/e2e/subject-mapping.bats
  • otdfctl/e2e/teardown_suite.bash
  • otdfctl/e2e/testrail-integration/samples-for-virtru-instance/testname-to-testrail-id.virtru.json
  • otdfctl/e2e/testrail-integration/samples-for-virtru-instance/testrail-virtru.config.json
  • otdfctl/e2e/testrail-integration/testname-to-testrail-id.example.json
  • otdfctl/e2e/testrail-integration/testrail.config.example.json
  • otdfctl/e2e/testrail-integration/upload-bats-test-results-to-testrail.sh
  • otdfctl/go.mod
  • otdfctl/main.go
  • otdfctl/migrations/artifact/artifact.go
  • otdfctl/migrations/artifact/artifact_test.go
  • otdfctl/migrations/artifact/metadata/metadata.go
  • otdfctl/migrations/artifact/v1/schema.go
  • otdfctl/migrations/artifact/v1/schema_test.go
  • otdfctl/migrations/namespacedpolicy/actions_execute.go
  • otdfctl/migrations/namespacedpolicy/actions_execute_test.go
  • otdfctl/migrations/namespacedpolicy/canonical.go
  • otdfctl/migrations/namespacedpolicy/canonical_test.go
  • otdfctl/migrations/namespacedpolicy/derived.go
  • otdfctl/migrations/namespacedpolicy/derived_test.go
  • otdfctl/migrations/namespacedpolicy/execute.go
  • otdfctl/migrations/namespacedpolicy/execute_test_helpers_test.go
  • otdfctl/migrations/namespacedpolicy/finalize_plan.go
  • otdfctl/migrations/namespacedpolicy/finalize_plan_test.go
  • otdfctl/migrations/namespacedpolicy/interactive_prompt.go
  • otdfctl/migrations/namespacedpolicy/interactive_review.go
  • otdfctl/migrations/namespacedpolicy/interactive_review_test.go
  • otdfctl/migrations/namespacedpolicy/obligation_triggers_execute.go
  • otdfctl/migrations/namespacedpolicy/obligation_triggers_execute_test.go
  • otdfctl/migrations/namespacedpolicy/plan.go
  • otdfctl/migrations/namespacedpolicy/plan_test.go
  • otdfctl/migrations/namespacedpolicy/planner.go
  • otdfctl/migrations/namespacedpolicy/planner_test.go
  • otdfctl/migrations/namespacedpolicy/reduce.go
  • otdfctl/migrations/namespacedpolicy/reduce_test.go
  • otdfctl/migrations/namespacedpolicy/registered_resources_execute.go
  • otdfctl/migrations/namespacedpolicy/registered_resources_execute_test.go
  • otdfctl/migrations/namespacedpolicy/resolved.go
  • otdfctl/migrations/namespacedpolicy/resolved_test.go
  • otdfctl/migrations/namespacedpolicy/retrieve.go
  • otdfctl/migrations/namespacedpolicy/retrieve_test.go
  • otdfctl/migrations/namespacedpolicy/scopes.go
  • otdfctl/migrations/namespacedpolicy/scopes_test.go
  • otdfctl/migrations/namespacedpolicy/subject_condition_sets_execute.go
  • otdfctl/migrations/namespacedpolicy/subject_condition_sets_execute_test.go
  • otdfctl/migrations/namespacedpolicy/subject_mappings_execute.go
  • otdfctl/migrations/namespacedpolicy/subject_mappings_execute_test.go
  • otdfctl/migrations/namespacedpolicy/test_helpers_test.go
  • otdfctl/migrations/registered-resources.go
  • otdfctl/migrations/registered-resources_test.go
  • otdfctl/migrations/styles.go
  • otdfctl/pkg/auth/auth.go
  • otdfctl/pkg/auth/errors.go
  • otdfctl/pkg/cli/cli.go
  • otdfctl/pkg/cli/clioptions.go
  • otdfctl/pkg/cli/confirm.go
  • otdfctl/pkg/cli/errors.go
  • otdfctl/pkg/cli/flagValues.go
  • otdfctl/pkg/cli/messages.go
  • otdfctl/pkg/cli/pipe.go
  • otdfctl/pkg/cli/printer.go

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch DSPX-2655-migrate-otdfctl

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot added the comp:ci Github Actions Work label Mar 23, 2026
Comment thread otdfctl/e2e/action.yaml Dismissed
Comment thread otdfctl/e2e/action.yaml Dismissed
Comment thread otdfctl/e2e/action.yaml Dismissed
Comment thread otdfctl/e2e/action.yaml Fixed
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on preparing the repository for the migration of the otdfctl CLI tool. It involves copying files, updating configurations, and adjusting code ownership to ensure a smooth transition and proper maintenance of the CLI within the new repository structure.

Highlights

  • File Copying: This PR copies necessary files from the otdfctl directory to prepare for repository migration.
  • Configuration Updates: The PR updates configuration files to align with the new file locations and project structure.
  • Ignoring Artifacts: The .gitignore file is updated to ignore otdfctl specific files and directories, such as binaries, test artifacts, and Hugo-related files.
  • Code Ownership: The CODEOWNERS file is updated to assign ownership of the /otdfctl/ directory to the @opentdf/cli team.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/pr-checks.yaml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


A CLI's new home, Files copied, configs set, Migration's begun.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request represents a significant architectural shift for the otdfctl CLI, moving it to a dedicated repository and introducing a wealth of new features. The primary focus is on expanding policy management capabilities, offering granular control over various policy entities and cryptographic keys. This refactor also brings a new testing framework and comprehensive documentation, laying a solid foundation for future development and improved user interaction.

Highlights

  • CLI Migration and Restructuring: The otdfctl CLI has been migrated to its own repository, involving extensive file copying and configuration updates. This includes a new Makefile for streamlined build processes and a comprehensive README for user guidance.
  • Enhanced Policy Management Commands: Introduced a full suite of CRUD (Create, Read, Update, Delete) operations for various policy components, including actions, attributes, attribute values, namespaces, obligations, registered resources, resource mappings, subject condition sets, and subject mappings. This significantly expands the CLI's capability to manage OpenTDF policies.
  • Advanced Key Management Features: Implemented detailed commands for managing KAS (Key Access Server) keys, including creation, rotation, import, and listing of key mappings. This also includes functionality for managing KAS registry entries and provider configurations, offering granular control over cryptographic keys.
  • Comprehensive End-to-End Testing: Added a robust set of Bats-based end-to-end tests covering all new and existing CLI commands, ensuring the stability and correctness of the new features and the overall CLI functionality. This also includes integration with TestRail for test result reporting.
  • Improved Documentation and User Experience: Integrated extensive Markdown documentation for all commands and subcommands, which drives the CLI's help system and supports internationalization. This aims to provide a clearer and more consistent user experience.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/pr-checks.yaml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


Files copied with care, New home, new purpose they bear, CLI now takes flight.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 153.800181ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 80.043308ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 402.237532ms
Throughput 248.61 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.904339054s
Average Latency 387.897018ms
Throughput 128.52 requests/second

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the otdfctl CLI by copying a large number of files into the repository. The changes include Go source code for the CLI commands, Makefiles, documentation, and end-to-end tests. My review focused on the overall structure and patterns in the newly added code. I've identified a few areas for improvement related to consistency in deprecation handling and potential performance issues with client-side pagination. Overall, the code seems well-structured, but these minor issues should be addressed to improve usability and maintainability.

Comment thread otdfctl/cmd/policy/kasGrants.go
Comment thread otdfctl/cmd/policy/kasRegistry.go
Comment thread otdfctl/cmd/policy/attributeValues.go

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the otdfctl CLI tool by copying over a large number of files. The changes include the CLI's command structure, handlers, documentation, and end-to-end tests. My review focuses on potential issues in the newly added code. I've identified a bug in the Makefile's version handling, a significant performance issue related to client-side pagination, and a minor maintainability issue with flag parsing. Addressing these will improve the robustness and efficiency of the new CLI tool.

Comment thread otdfctl/Makefile
Comment thread otdfctl/cmd/policy/attributeValues.go
Comment thread otdfctl/cmd/policy/kasKeys.go
@github-actions

Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a significant number of files by copying the otdfctl CLI tool into the repository. My review focuses on the newly added code, identifying opportunities for improvement in terms of maintainability, correctness, and efficiency. I've pointed out areas with duplicated code that could be refactored, potential performance bottlenecks, and minor issues in test files and configuration. Overall, the changes are substantial and form a good basis for the CLI within this repository.

Comment thread .gitignore
Comment thread otdfctl/Makefile
Comment thread otdfctl/Makefile
Comment thread otdfctl/README.md
Comment thread otdfctl/cmd/policy/attributeValues.go
Comment thread otdfctl/cmd/policy/kasKeys.go
Comment thread otdfctl/cmd/policy/subjectConditionSets.go
Comment thread otdfctl/e2e/attributes.bats
Comment thread otdfctl/e2e/kas-grants.bats
@alkalescent
alkalescent marked this pull request as ready for review March 24, 2026 15:30
@alkalescent
alkalescent requested review from a team as code owners March 24, 2026 15:30
@alkalescent

Copy link
Copy Markdown
Contributor Author

Dismissing all automated comments and alerts since this PR's purpose is to migrate not change app + CI code.

@marythought

Copy link
Copy Markdown
Contributor

is there an ADR for this change? I'm aware of the benefits but unclear on the tradeoffs of this approach, if any. Downloading the latest otdfctl package is a part of the quickstart guide: https://github.com/opentdf/docs/blob/main/static/quickstart/install.sh#L132. Is it just a matter of changing the location for where to find this, or will the whole build/release process need to change as a subcomponent of platform?

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 190.343037ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.78324ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 371.600238ms
Throughput 269.11 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.903301218s
Average Latency 396.94069ms
Throughput 125.30 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

marythought
marythought previously approved these changes Mar 25, 2026
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 205.69506ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 102.845014ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 415.139414ms
Throughput 240.88 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 41.553236078s
Average Latency 413.951419ms
Throughput 120.33 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 182.701644ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 87.360151ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 407.643175ms
Throughput 245.31 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.499239757s
Average Latency 403.503632ms
Throughput 123.46 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@alkalescent
alkalescent force-pushed the DSPX-2655-migrate-otdfctl branch from 01cff81 to d66bd5b Compare March 26, 2026 22:46
@alkalescent alkalescent changed the title feat(cli): copy otdfctl files feat(cli): migrate otdfctl into platform monorepo Mar 26, 2026
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 166.485556ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 78.668892ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 396.099222ms
Throughput 252.46 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.288281356s
Average Latency 401.603829ms
Throughput 124.11 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

@alkalescent
alkalescent force-pushed the DSPX-2655-migrate-otdfctl branch from d66bd5b to fc2fac5 Compare March 27, 2026 00:07
### Proposed Changes

* resolve lint issue in stacked PR branch

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 191.931712ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.610073ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 400.615738ms
Throughput 249.62 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.184490331s
Average Latency 440.519601ms
Throughput 113.16 requests/second

## Summary

This PR tightens the namespacedpolicy planner so registered resources
are the only construct that can remain soft-unresolved during planning.
All other policy constructs now fail fast when their target namespace or
required dependencies cannot be derived.

It also cleans up resolver guard behavior so parent resolver functions
own nil/source validation, while child helpers focus on namespace and
existing-target resolution. For registered resources, unresolved state
is now represented internally as a typed object
  with a machine-checkable reason code plus a human-readable message.

In addition, we have merged in changes for interactively handling
`Registered Resources` that are unresolved. [RR
Interactive](#3317)

  ## What Changed

- Removed top-level Unresolved handling from actions, subject condition
sets, subject mappings, and obligation triggers.
- Kept registered resources as the only planner construct with soft
unresolved behavior.
  - Added a typed RR unresolved model with:
      - Reason
      - Message
- Preserved the existing artifact shape by continuing to emit the
unresolved message as a string in the finalized plan.
- Simplified action, subject condition set, and subject mapping resolver
guard logic so invalid derived entries fail fast in the parent resolver.
- Removed stale unresolved dependency/result handling from subject
mapping dependency resolution.
- Skipped registered resources with no AAVs during derivation and
documented that behavior inline.

  ## Why

The planner had accumulated multiple soft-unresolved paths that no
longer matched the intended contract. This made the resolution flow
harder to reason about and made tests rely on string matching for
unresolved behavior.

  This change makes the model stricter and simpler:

  - non-RR derivation/resolution failures are hard failures
  - RR namespace conflicts remain the only reviewable unresolved case
- tests can now assert a typed unresolved reason instead of brittle
strings
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 190.155366ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 103.6302ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 411.452526ms
Throughput 243.04 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 42.298859911s
Average Latency 420.933006ms
Throughput 118.21 requests/second

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 194.537302ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 93.346732ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 397.070122ms
Throughput 251.84 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 42.275479005s
Average Latency 419.925615ms
Throughput 118.27 requests/second

c-r33d added 2 commits April 21, 2026 07:15
### Proposed Changes

1.) Add E2E tests for migrating namespaced policy.
2.) Breakup namespaced policy migration tests from original suite
invocation, due to parallelization complications and migration logic.
3.) Add the ability to choose whether or not the startup action should
provision fixtures or not. Default to true, but require false for
otdfctl tests.

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions



<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Tests**
* Added comprehensive test suite for namespaced policy migration
covering actions, subject-condition-sets, and subject-mappings with
idempotency validation.
* Improved test execution workflow with staged test execution and
aggregated result reporting.

* **Chores**
* Updated test fixture provisioning to be configurable via workflow
input.
  * Enhanced ignore patterns for credential files.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
### Proposed Changes

1.) Reorder the interactive RR review steps. Originally we would modify
the resolved actions to include ones that were needed by a RR after
manual intervention. This did not account for an edge case where a RR is
already created, which would then require the executor and the review
code to perform more logic than necessary. Fix this by checking if RR
already exists, if so do not modify resolved actions.
2.) Add better unit testing for RR interactive reviews.

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions
@github-actions

Copy link
Copy Markdown
Contributor

X-Test Failure Report

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 192.763496ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.397999ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 406.525737ms
Throughput 245.99 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 42.969021156s
Average Latency 427.630922ms
Throughput 116.36 requests/second

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 187.319656ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 103.455996ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 407.954977ms
Throughput 245.13 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 46.477953547s
Average Latency 462.814283ms
Throughput 107.58 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@alkalescent
alkalescent enabled auto-merge April 21, 2026 14:14

@ttschampel ttschampel left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving building on @biscoe916 's previous approval of the main changes + new changes since this approval looking good

@alkalescent
alkalescent added this pull request to the merge queue Apr 21, 2026
Merged via the queue into main with commit 5177bec Apr 21, 2026
42 checks passed
@alkalescent
alkalescent deleted the DSPX-2655-migrate-otdfctl branch April 21, 2026 15:08
JBCongdon pushed a commit to JBCongdon/platform that referenced this pull request May 24, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.14.0](opentdf/platform@service/v0.13.0...service/v0.14.0)
(2026-04-21)


### ⚠ BREAKING CHANGES

* **sdk:** reclassify KAS 400 errors — distinguish tamper from
misconfiguration
([opentdf#3166](opentdf#3166))
* **policy:** optional namespace for RRs
([opentdf#3165](opentdf#3165))
* **policy:** Namespace subject mappings and subject condition sets.
([opentdf#3143](opentdf#3143))
* **policy:** Optional namespace on actions protos, NamespacedPolicy
feature flag ([opentdf#3155](opentdf#3155))
* **policy:** add namespaced actions schema and namespace-aware action
queries ([opentdf#3154](opentdf#3154))
* **policy:** only require namespace on GetAction if no id provided
([opentdf#3144](opentdf#3144))
* **policy:** add namespace field to Actions proto
([opentdf#3130](opentdf#3130))
* **policy:** namespace Registered Resources
([opentdf#3111](opentdf#3111))
* **policy:** add namespace field to RegisteredResource proto
([opentdf#3110](opentdf#3110))

### Features

* **authz:** Namespaced policy in decisioning
([opentdf#3226](opentdf#3226))
([0355934](opentdf@0355934))
* **cli:** migrate otdfctl into platform monorepo
([opentdf#3205](opentdf#3205))
([5177bec](opentdf@5177bec))
* fix tracing ([opentdf#3242](opentdf#3242))
([57e5680](opentdf@57e5680))
* **policy:** add GetObligationTrigger RPC
([opentdf#3318](opentdf#3318))
([d68e39d](opentdf@d68e39d))
* **policy:** add namespace field to Actions proto
([opentdf#3130](opentdf#3130))
([bedc9b3](opentdf@bedc9b3))
* **policy:** add namespace field to RegisteredResource proto
([opentdf#3110](opentdf#3110))
([04fd85d](opentdf@04fd85d))
* **policy:** add namespaced actions schema and namespace-aware action
queries ([opentdf#3154](opentdf#3154))
([c0443f1](opentdf@c0443f1))
* **policy:** add sort ListSubjectMappings API
([opentdf#3255](opentdf#3255))
([9d5d757](opentdf@9d5d757))
* **policy:** Add sort support listregisteredresources api
([opentdf#3312](opentdf#3312))
([91a3ff3](opentdf@91a3ff3))
* **policy:** add sort support to ListAttributes API
([opentdf#3223](opentdf#3223))
([ec3312f](opentdf@ec3312f))
* **policy:** add sort support to ListKeyAccessServer
([opentdf#3287](opentdf#3287))
([7fae2d7](opentdf@7fae2d7))
* **policy:** Add sort support to ListNamespaces API
([opentdf#3192](opentdf#3192))
([aac86cd](opentdf@aac86cd))
* **policy:** add sort support to listobligations api
([opentdf#3300](opentdf#3300))
([9221cac](opentdf@9221cac))
* **policy:** add sort support to ListSubjectConditionSets API
([opentdf#3272](opentdf#3272))
([9010f12](opentdf@9010f12))
* **policy:** add SortField proto and update PageRequest for sort
support ([opentdf#3187](opentdf#3187))
([6cf1862](opentdf@6cf1862))
* **policy:** Enforce same namespace when actions referenced downstream
([opentdf#3206](opentdf#3206))
([4b5463a](opentdf@4b5463a))
* **policy:** namespace Registered Resources
([opentdf#3111](opentdf#3111))
([6db1883](opentdf@6db1883))
* **policy:** Namespace subject mappings and condition sets
([opentdf#3172](opentdf#3172))
([6deed50](opentdf@6deed50))
* **policy:** Namespace subject mappings and subject condition sets.
([opentdf#3143](opentdf#3143))
([3006780](opentdf@3006780))
* **policy:** optional namespace for RRs
([opentdf#3165](opentdf#3165))
([8948018](opentdf@8948018))
* **policy:** rollback migration strategy for namespaced actions
([opentdf#3235](opentdf#3235))
([f7e5e01](opentdf@f7e5e01))
* **policy:** Seed existing namespaces with standard actions
([opentdf#3228](opentdf#3228))
([12136b0](opentdf@12136b0))
* **policy:** Seed namespaces with standard actions on creation +
namespaced actions for obligation triggers
([opentdf#3161](opentdf#3161))
([984d76b](opentdf@984d76b))


### Bug Fixes

* **ci:** Upgrade toolchain version to 1.25.8
([opentdf#3116](opentdf#3116))
([e1b7882](opentdf@e1b7882))
* **core:** do not concat slashes directly in url/file paths
([opentdf#3290](opentdf#3290))
([114c2a7](opentdf@114c2a7))
* **deps:** bump github.com/jackc/pgx/v5 from 5.7.5 to 5.9.0 in /service
([opentdf#3316](opentdf#3316))
([017362e](opentdf@017362e))
* **deps:** bump github.com/opentdf/platform/lib/identifier from 0.2.0
to 0.3.0 in /service
([opentdf#3162](opentdf#3162))
([8bc5dcd](opentdf@8bc5dcd))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.16.0 to
0.17.0 in /service
([opentdf#3125](opentdf#3125))
([29fec61](opentdf@29fec61))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.17.0 to
0.21.0 in /service
([opentdf#3220](opentdf#3220))
([e63add2](opentdf@e63add2))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.21.0 to
0.22.0 in /service
([opentdf#3248](opentdf#3248))
([1ebce73](opentdf@1ebce73))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.22.0 to
0.23.0 in /service
([opentdf#3271](opentdf#3271))
([3338b8e](opentdf@3338b8e))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.23.0 to
0.24.0 in /service
([opentdf#3321](opentdf#3321))
([78e6022](opentdf@78e6022))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.24.0 to
0.25.0 in /service
([opentdf#3333](opentdf#3333))
([3940bf8](opentdf@3940bf8))
* **deps:** bump github.com/opentdf/platform/sdk from 0.13.0 to 0.16.0
in /service ([opentdf#3356](opentdf#3356))
([5617077](opentdf@5617077))
* **deps:** bump
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from
1.42.0 to 1.43.0 in /service
([opentdf#3282](opentdf#3282))
([046374a](opentdf@046374a))
* **deps:** bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in
/service ([opentdf#3281](opentdf#3281))
([56b33f2](opentdf@56b33f2))
* **deps:** bump google.golang.org/grpc from 1.77.0 to 1.79.3 in
/service ([opentdf#3176](opentdf#3176))
([3289502](opentdf@3289502))
* **deps:** remove direct github.com/docker/docker dependency
([opentdf#3229](opentdf#3229))
([2becb27](opentdf@2becb27))
* **deps:** upgrade testcontainers-go to resolve vulns
([opentdf#3299](opentdf#3299))
([72c6f9b](opentdf@72c6f9b))
* **ers:** include standard JWT claims in claims mode entity resolution
([opentdf#3196](opentdf#3196))
([6d50da1](opentdf@6d50da1))
* **ers:** ldap multi-strategy ers
([opentdf#3117](opentdf#3117))
([d3aaf1a](opentdf@d3aaf1a))
* **policy:** deprecate ListAttributeValues in favor of existing
GetAttribute ([opentdf#3108](opentdf#3108))
([7e17c2d](opentdf@7e17c2d))
* **policy:** make obligation trigger uniqueness client-aware
([opentdf#3114](opentdf#3114))
([9265bc3](opentdf@9265bc3))
* **policy:** omit empty attribute values from create responses
([opentdf#3193](opentdf#3193))
([d298378](opentdf@d298378))
* **policy:** only require namespace on GetAction if no id provided
([opentdf#3144](opentdf#3144))
([10d0c0f](opentdf@10d0c0f))
* **policy:** Optional namespace on actions protos, NamespacedPolicy
feature flag ([opentdf#3155](opentdf#3155))
([c20f039](opentdf@c20f039))
* **policy:** order List* results by created_at
([opentdf#3088](opentdf#3088))
([ea90ac2](opentdf@ea90ac2))
* **sdk:** normalize issuer URL before OIDC discovery
([opentdf#3261](opentdf#3261))
([61f98c9](opentdf@61f98c9))
* **sdk:** reclassify KAS 400 errors — distinguish tamper from
misconfiguration
([opentdf#3166](opentdf#3166))
([f04a385](opentdf@f04a385))
* **sdk:** remove testcontainers from consumer dependency graph
([opentdf#3129](opentdf#3129))
([f17dcdd](opentdf@f17dcdd))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
JBCongdon pushed a commit to JBCongdon/platform that referenced this pull request May 24, 2026
### Proposed Changes

* Add an `otdfctl)` case to `.github/scripts/work-init.sh` so the script
no longer fails with `unknown component [otdfctl]` on the release-please
branch for otdfctl. The new case mirrors the `examples)` handler —
otdfctl is a leaf consumer with no in-workspace dependents, so the
partial `go.work` only needs `./otdfctl`.

`otdfctl` was migrated into the monorepo in opentdf#3205 and added to the `go`
CI matrix and release-please configs, but `work-init.sh` was not
updated. The `chore(main): release otdfctl 0.31.0` release-please PR
fails every matrix job at the `prevent depending on unreleased upstream
changes` step until this is fixed.

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Local dry-run:

```
GITHUB_HEAD_REF=release-please--branches--main--components--otdfctl \
  ./.github/scripts/work-init.sh
```

Expected: exits 0 and writes a `go.work` containing only `./otdfctl`.

End-to-end: once merged, the next release-please otdfctl PR should pass
the `go` matrix checks (the `prevent depending on unreleased upstream
changes` step in `.github/workflows/checks.yaml`).

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated development environment initialization to support additional
component configuration.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
JBCongdon pushed a commit to JBCongdon/platform that referenced this pull request May 24, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.31.0](opentdf/platform@otdfctl/v0.30.0...otdfctl/v0.31.0)
(2026-04-22)


### Features

* **cli:** Add e2e tests and fix bugs.
([opentdf#3353](opentdf#3353))
([213d843](opentdf@213d843))
* **cli:** Add E2E tests for namespaced policy.
([opentdf#3363](opentdf#3363))
([e46f07d](opentdf@e46f07d))
* **cli:** Interactive confirmation
([opentdf#3360](opentdf#3360))
([cd931d9](opentdf@cd931d9))
* **cli:** migrate otdfctl into platform monorepo
([opentdf#3205](opentdf#3205))
([5177bec](opentdf@5177bec))


### Bug Fixes

* **deps:** bump github.com/opentdf/platform/sdk from 0.15.0 to 0.16.0
in /otdfctl ([opentdf#3357](opentdf#3357))
([d829184](opentdf@d829184))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Co-authored-by: Krish Suchak <42231639+alkalescent@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:ci Github Actions Work size/xl

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants