Skip to content

feat(policy): Seed existing namespaces with standard actions#3228

Merged
elizabethhealy merged 4 commits into
mainfrom
dspx-2540-migrate-standard-actions-when-enabled
Apr 1, 2026
Merged

feat(policy): Seed existing namespaces with standard actions#3228
elizabethhealy merged 4 commits into
mainfrom
dspx-2540-migrate-standard-actions-when-enabled

Conversation

@elizabethhealy

@elizabethhealy elizabethhealy commented Mar 31, 2026

Copy link
Copy Markdown
Member

Proposed Changes

  • Database Migration: Added a new migration to retroactively seed standard CRUD actions into all existing namespaces.
  • Idempotency: Implemented the migration using ON CONFLICT DO NOTHING to ensure it can be safely run multiple times.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

  • Chores
    • Seeded standard CRUD actions (create, read, update, delete) for all existing namespaces via a new migration.
  • Bug Fixes
    • Corrected fixture loading to only include namespace-scoped standard actions where appropriate.
  • Documentation
    • Added an ADR defining a backup-first rollback posture and guidance for safe database migrations.

@coderabbitai

coderabbitai Bot commented Mar 31, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

A migration seeds namespace-scoped standard CRUD actions for every existing namespace; the fixture loader now only reads global standard actions (where namespace_id IS NULL), and a new ADR formalizes backup-first rollback posture for database migrations.

Changes

Cohort / File(s) Summary
Fixture Query Update
service/internal/fixtures/fixtures.go
Change in loadMigratedStandardActions SQL filter to WHERE is_standard = TRUE AND namespace_id IS NULL, so only global (unnamespaced) standard actions are loaded.
Namespace-Scoped Actions Migration
service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.md, service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.sql
New Goose migration: idempotently inserts create, read, update, delete actions for each existing attribute_namespaces row with namespace_id IS NOT NULL; Down is a no-op.
Operational Decision Record
adr/decisions/2026-04-01-database-migration-backup-first-rollback.md
New ADR establishing backup/restore as the primary rollback mechanism for migrations and documenting expectations for Down scripts, validation, and runbooks.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • jakedoublev
  • alkalescent
  • c-r33d

Poem

🐰 I hopped through migrations, carrots in tow,
I planted actions where namespaces grow.
Global standards I left standing tall,
Each namespace now answers when you call.
Hooray for seeds — a bunny’s gentle code show!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title 'feat(policy): Seed existing namespaces with standard actions' directly and clearly summarizes the main change: adding a database migration that retroactively seeds standard CRUD actions into all existing namespaces.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dspx-2540-migrate-standard-actions-when-enabled

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a database migration to ensure that all existing namespaces are populated with the required standard CRUD actions. This change is necessary to support policy migration tooling that expects these actions to be present within each namespace scope, addressing a gap for namespaces created prior to the introduction of action namespacing.

Highlights

  • Database Migration: Added a new migration to retroactively seed standard CRUD actions into all existing namespaces.
  • Idempotency: Implemented the migration using ON CONFLICT DO NOTHING to ensure it can be safely run multiple times.
  • Fixture Update: Updated the fixture loading logic to specifically target global standard actions by filtering for NULL namespace IDs.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


The namespaces stood empty and bare, / With standard actions missing in there. / A migration was run, / The work is now done, / And consistency fills up the air.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions github-actions Bot added size/s comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) labels Mar 31, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a database migration to retroactively seed standard actions for existing namespaces and updates the test fixtures to correctly filter for global standard actions. A high-severity issue was identified in the migration's rollback script, which is overly destructive as it deletes all namespaced standard actions, including those created during normal system operation; it is recommended to change the rollback to a no-op to ensure system stability.

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 188.939397ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.374433ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 391.066332ms
Throughput 255.71 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.415034626s
Average Latency 402.41321ms
Throughput 123.72 requests/second

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
service/internal/fixtures/fixtures.go (1)

790-818: 🛠️ Refactor suggestion | 🟠 Major

Add a regression test for namespace_id IS NULL action loading.

Please add/update a test that proves loadMigratedStandardActions excludes namespaced standard actions when both global and namespaced records share the same action names. As per coding guidelines, "Run go test ./... or make test and ensure all existing tests pass; add tests for new functionality".

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@service/internal/fixtures/fixtures.go` around lines 790 - 818, The test suite
is missing a regression test ensuring loadMigratedStandardActions only loads
actions where namespace_id IS NULL even when a namespaced action has the same
name; add a unit/integration test that sets up the DB with two actions of the
same name (one with namespace_id NULL and one with a non-NULL namespace_id),
invokes Fixtures.loadMigratedStandardActions (via the existing Fixtures test
helper or creating a Fixtures instance), and asserts that
f.MigratedData.StandardActions contains the global action ID (and not the
namespaced one); make sure to clean up test rows or use a transaction/fixture
helper so go test ./... passes and follow existing test patterns for DB
setup/teardown.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.sql`:
- Around line 22-24: The down migration currently deletes all namespaced
standard actions via the DELETE FROM actions WHERE is_standard = TRUE AND
namespace_id IS NOT NULL statement, which will remove valid actions created
later by normal CreateNamespace() flow; change the down migration to be
explicitly irreversible instead of performing that broad DELETE — e.g., replace
the DELETE in this migration file
(20260331000000_seed_standard_actions_for_existing_namespaces.sql) with a
statement that raises an error/exception indicating the migration cannot be
reverted (so rollbacks fail safely), or alternatively implement a targeted
delete that only removes rows deterministically inserted by this migration
(using unique markers if available); reference the DELETE FROM actions clause
and the CreateNamespace() flow when making the change.

---

Outside diff comments:
In `@service/internal/fixtures/fixtures.go`:
- Around line 790-818: The test suite is missing a regression test ensuring
loadMigratedStandardActions only loads actions where namespace_id IS NULL even
when a namespaced action has the same name; add a unit/integration test that
sets up the DB with two actions of the same name (one with namespace_id NULL and
one with a non-NULL namespace_id), invokes Fixtures.loadMigratedStandardActions
(via the existing Fixtures test helper or creating a Fixtures instance), and
asserts that f.MigratedData.StandardActions contains the global action ID (and
not the namespaced one); make sure to clean up test rows or use a
transaction/fixture helper so go test ./... passes and follow existing test
patterns for DB setup/teardown.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 013dba12-e09e-4c15-9ee8-723c0ad03427

📥 Commits

Reviewing files that changed from the base of the PR and between 99a8147 and 98c8122.

📒 Files selected for processing (3)
  • service/internal/fixtures/fixtures.go
  • service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.md
  • service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.sql

@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 212.436298ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.902465ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 422.0255ms
Throughput 236.95 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 46.195171421s
Average Latency 460.492556ms
Throughput 108.24 requests/second

@elizabethhealy

elizabethhealy commented Mar 31, 2026

Copy link
Copy Markdown
Member Author

Rollback options:

Option 1: Destructive Down (Delete Namespaced Standard Actions)

  • What it does: Down removes all is_standard = TRUE rows where namespace_id IS NOT NULL.
  • Pros: Preserves strict up/down symmetry and “full reversal” semantics.
  • Pros: Can be useful in disposable/local environments where data loss is acceptable.
  • Cons: Deletes standard actions created by normal CreateNamespace behavior, not just migration-seeded rows.
  • Cons: Can break existing namespaces and policy references after rollback.
  • Cons: High production risk; rollback may succeed technically while leaving system functionally broken.

Option 2: Non-Destructive Down (No-Op) — Recommended

  • What it does: Down performs no data deletion; seeded namespaced standard actions remain.
  • Pros: Preserves namespace integrity and policy reference correctness during rollback operations.
  • Pros: Aligns with forward-only data evolution once namespaced actions are a core requirement.
  • Pros: Avoids accidental production outages/data loss from rollback scripts.
  • Cons: Down is no longer a true data reversal (migration-version rollback only).
  • Cons: Teams expecting fully reversible migrations may need explicit documentation/runbooks.
  • Cons: Can no longer rollback past 20260312000000_add_namespace_to_actions.sql since that will remove the namespace and still require UNIQUE (which will no longer be true since there will be many standard actions)

Decision Rationale

  • We choose Option 2 (No-Op Down) because namespaced standard actions are now foundational to correct policy behavior.
  • A destructive Down creates disproportionate operational risk versus the value of strict reversibility.
  • We document rollback limits explicitly (including rollback past 20260312000000_add_namespace_to_actions.sql requiring manual, potentially destructive remediation).

@github-actions

Copy link
Copy Markdown
Contributor

@elizabethhealy
elizabethhealy marked this pull request as ready for review March 31, 2026 15:44
@elizabethhealy
elizabethhealy requested review from a team as code owners March 31, 2026 15:44

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.md`:
- Around line 25-29: Add a concrete rollback preflight and remediation checklist
to the migration note in
20260331000000_seed_standard_actions_for_existing_namespaces.md: include exact
preflight SQL queries to detect conflicting rows in the actions table (e.g.,
SELECT name, array_agg(DISTINCT namespace) FROM actions WHERE name IN
('create','read','update','delete') GROUP BY name HAVING count(DISTINCT
namespace) > 1), criteria to identify safe-to-remove rows vs rows that require
manual merging, steps to back up affected rows (COPY or SELECT INTO), and
explicit manual cleanup commands/decision rules to restore the
pre-20260312000000 unique(name) constraint; reference the prior migration
20260312000000_add_namespace_to_actions.sql, the actions table, the name column,
and the standard action names so operators can run the checks and remediation
under incident pressure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7c5f080-210e-4d6a-a097-8939ed692aee

📥 Commits

Reviewing files that changed from the base of the PR and between 98c8122 and 0670a40.

📒 Files selected for processing (2)
  • service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.md
  • service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.sql

c-r33d
c-r33d previously approved these changes Mar 31, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@adr/decisions/2026-04-01-database-migration-backup-first-rollback.md`:
- Around line 42-44: Three consecutive bullets all start with "🟩 **Good**",
making the ADR repetitive; edit the three bullets that begin with "🟩 **Good**"
(the ones referencing deterministic operator recovery, reduced dependence on
rollback logic, and alignment with production practice) to be more concise and
varied — either combine closely related points (e.g., merge deterministic
recovery and alignment with practice into one succinct bullet) and rephrase the
other to highlight reduced reliance on risky rollback logic, or use different
openings (e.g., "Helps", "Reduces", "Aligns with") so the list scans quickly and
avoids repeated wording.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2dbb218b-bdbb-4dbc-9a89-0745456e2a3e

📥 Commits

Reviewing files that changed from the base of the PR and between 0670a40 and 23be066.

📒 Files selected for processing (1)
  • adr/decisions/2026-04-01-database-migration-backup-first-rollback.md

@github-actions

github-actions Bot commented Apr 1, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 198.768962ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.717053ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 385.548689ms
Throughput 259.37 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 41.186461554s
Average Latency 410.630496ms
Throughput 121.40 requests/second

@github-actions

github-actions Bot commented Apr 1, 2026

Copy link
Copy Markdown
Contributor

@elizabethhealy
elizabethhealy added this pull request to the merge queue Apr 1, 2026
Merged via the queue into main with commit 12136b0 Apr 1, 2026
38 checks passed
@elizabethhealy
elizabethhealy deleted the dspx-2540-migrate-standard-actions-when-enabled branch April 1, 2026 20:48
JBCongdon pushed a commit to JBCongdon/platform that referenced this pull request May 24, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.14.0](opentdf/platform@service/v0.13.0...service/v0.14.0)
(2026-04-21)


### ⚠ BREAKING CHANGES

* **sdk:** reclassify KAS 400 errors — distinguish tamper from
misconfiguration
([opentdf#3166](opentdf#3166))
* **policy:** optional namespace for RRs
([opentdf#3165](opentdf#3165))
* **policy:** Namespace subject mappings and subject condition sets.
([opentdf#3143](opentdf#3143))
* **policy:** Optional namespace on actions protos, NamespacedPolicy
feature flag ([opentdf#3155](opentdf#3155))
* **policy:** add namespaced actions schema and namespace-aware action
queries ([opentdf#3154](opentdf#3154))
* **policy:** only require namespace on GetAction if no id provided
([opentdf#3144](opentdf#3144))
* **policy:** add namespace field to Actions proto
([opentdf#3130](opentdf#3130))
* **policy:** namespace Registered Resources
([opentdf#3111](opentdf#3111))
* **policy:** add namespace field to RegisteredResource proto
([opentdf#3110](opentdf#3110))

### Features

* **authz:** Namespaced policy in decisioning
([opentdf#3226](opentdf#3226))
([0355934](opentdf@0355934))
* **cli:** migrate otdfctl into platform monorepo
([opentdf#3205](opentdf#3205))
([5177bec](opentdf@5177bec))
* fix tracing ([opentdf#3242](opentdf#3242))
([57e5680](opentdf@57e5680))
* **policy:** add GetObligationTrigger RPC
([opentdf#3318](opentdf#3318))
([d68e39d](opentdf@d68e39d))
* **policy:** add namespace field to Actions proto
([opentdf#3130](opentdf#3130))
([bedc9b3](opentdf@bedc9b3))
* **policy:** add namespace field to RegisteredResource proto
([opentdf#3110](opentdf#3110))
([04fd85d](opentdf@04fd85d))
* **policy:** add namespaced actions schema and namespace-aware action
queries ([opentdf#3154](opentdf#3154))
([c0443f1](opentdf@c0443f1))
* **policy:** add sort ListSubjectMappings API
([opentdf#3255](opentdf#3255))
([9d5d757](opentdf@9d5d757))
* **policy:** Add sort support listregisteredresources api
([opentdf#3312](opentdf#3312))
([91a3ff3](opentdf@91a3ff3))
* **policy:** add sort support to ListAttributes API
([opentdf#3223](opentdf#3223))
([ec3312f](opentdf@ec3312f))
* **policy:** add sort support to ListKeyAccessServer
([opentdf#3287](opentdf#3287))
([7fae2d7](opentdf@7fae2d7))
* **policy:** Add sort support to ListNamespaces API
([opentdf#3192](opentdf#3192))
([aac86cd](opentdf@aac86cd))
* **policy:** add sort support to listobligations api
([opentdf#3300](opentdf#3300))
([9221cac](opentdf@9221cac))
* **policy:** add sort support to ListSubjectConditionSets API
([opentdf#3272](opentdf#3272))
([9010f12](opentdf@9010f12))
* **policy:** add SortField proto and update PageRequest for sort
support ([opentdf#3187](opentdf#3187))
([6cf1862](opentdf@6cf1862))
* **policy:** Enforce same namespace when actions referenced downstream
([opentdf#3206](opentdf#3206))
([4b5463a](opentdf@4b5463a))
* **policy:** namespace Registered Resources
([opentdf#3111](opentdf#3111))
([6db1883](opentdf@6db1883))
* **policy:** Namespace subject mappings and condition sets
([opentdf#3172](opentdf#3172))
([6deed50](opentdf@6deed50))
* **policy:** Namespace subject mappings and subject condition sets.
([opentdf#3143](opentdf#3143))
([3006780](opentdf@3006780))
* **policy:** optional namespace for RRs
([opentdf#3165](opentdf#3165))
([8948018](opentdf@8948018))
* **policy:** rollback migration strategy for namespaced actions
([opentdf#3235](opentdf#3235))
([f7e5e01](opentdf@f7e5e01))
* **policy:** Seed existing namespaces with standard actions
([opentdf#3228](opentdf#3228))
([12136b0](opentdf@12136b0))
* **policy:** Seed namespaces with standard actions on creation +
namespaced actions for obligation triggers
([opentdf#3161](opentdf#3161))
([984d76b](opentdf@984d76b))


### Bug Fixes

* **ci:** Upgrade toolchain version to 1.25.8
([opentdf#3116](opentdf#3116))
([e1b7882](opentdf@e1b7882))
* **core:** do not concat slashes directly in url/file paths
([opentdf#3290](opentdf#3290))
([114c2a7](opentdf@114c2a7))
* **deps:** bump github.com/jackc/pgx/v5 from 5.7.5 to 5.9.0 in /service
([opentdf#3316](opentdf#3316))
([017362e](opentdf@017362e))
* **deps:** bump github.com/opentdf/platform/lib/identifier from 0.2.0
to 0.3.0 in /service
([opentdf#3162](opentdf#3162))
([8bc5dcd](opentdf@8bc5dcd))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.16.0 to
0.17.0 in /service
([opentdf#3125](opentdf#3125))
([29fec61](opentdf@29fec61))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.17.0 to
0.21.0 in /service
([opentdf#3220](opentdf#3220))
([e63add2](opentdf@e63add2))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.21.0 to
0.22.0 in /service
([opentdf#3248](opentdf#3248))
([1ebce73](opentdf@1ebce73))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.22.0 to
0.23.0 in /service
([opentdf#3271](opentdf#3271))
([3338b8e](opentdf@3338b8e))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.23.0 to
0.24.0 in /service
([opentdf#3321](opentdf#3321))
([78e6022](opentdf@78e6022))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.24.0 to
0.25.0 in /service
([opentdf#3333](opentdf#3333))
([3940bf8](opentdf@3940bf8))
* **deps:** bump github.com/opentdf/platform/sdk from 0.13.0 to 0.16.0
in /service ([opentdf#3356](opentdf#3356))
([5617077](opentdf@5617077))
* **deps:** bump
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from
1.42.0 to 1.43.0 in /service
([opentdf#3282](opentdf#3282))
([046374a](opentdf@046374a))
* **deps:** bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in
/service ([opentdf#3281](opentdf#3281))
([56b33f2](opentdf@56b33f2))
* **deps:** bump google.golang.org/grpc from 1.77.0 to 1.79.3 in
/service ([opentdf#3176](opentdf#3176))
([3289502](opentdf@3289502))
* **deps:** remove direct github.com/docker/docker dependency
([opentdf#3229](opentdf#3229))
([2becb27](opentdf@2becb27))
* **deps:** upgrade testcontainers-go to resolve vulns
([opentdf#3299](opentdf#3299))
([72c6f9b](opentdf@72c6f9b))
* **ers:** include standard JWT claims in claims mode entity resolution
([opentdf#3196](opentdf#3196))
([6d50da1](opentdf@6d50da1))
* **ers:** ldap multi-strategy ers
([opentdf#3117](opentdf#3117))
([d3aaf1a](opentdf@d3aaf1a))
* **policy:** deprecate ListAttributeValues in favor of existing
GetAttribute ([opentdf#3108](opentdf#3108))
([7e17c2d](opentdf@7e17c2d))
* **policy:** make obligation trigger uniqueness client-aware
([opentdf#3114](opentdf#3114))
([9265bc3](opentdf@9265bc3))
* **policy:** omit empty attribute values from create responses
([opentdf#3193](opentdf#3193))
([d298378](opentdf@d298378))
* **policy:** only require namespace on GetAction if no id provided
([opentdf#3144](opentdf#3144))
([10d0c0f](opentdf@10d0c0f))
* **policy:** Optional namespace on actions protos, NamespacedPolicy
feature flag ([opentdf#3155](opentdf#3155))
([c20f039](opentdf@c20f039))
* **policy:** order List* results by created_at
([opentdf#3088](opentdf#3088))
([ea90ac2](opentdf@ea90ac2))
* **sdk:** normalize issuer URL before OIDC discovery
([opentdf#3261](opentdf#3261))
([61f98c9](opentdf@61f98c9))
* **sdk:** reclassify KAS 400 errors — distinguish tamper from
misconfiguration
([opentdf#3166](opentdf#3166))
([f04a385](opentdf@f04a385))
* **sdk:** remove testcontainers from consumer dependency graph
([opentdf#3129](opentdf#3129))
([f17dcdd](opentdf@f17dcdd))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants