feat(policy)!: DSPX-2998 add namespace fields to resource mapping protos #3565

Open
alkalescent wants to merge 3 commits into main from DSPX-2998-optional-namespace-resource-mappings

@alkalescent alkalescent commented Jun 4, 2026

Proposed Changes

First PR in a stacked series for DSPX-2998 (Resource Mappings & Resource Mapping Groups should be optionally namespaced). This PR adds the proto contract only; the service implementation and otdfctl/migration support follow in stacked PRs.

  • Add a hydrated policy.Namespace namespace field to the ResourceMapping message.
  • Add optional namespace_id / namespace_fqn to CreateResourceMappingRequest and UpdateResourceMappingRequest.
  • Add optional namespace_id / namespace_fqn filters to ListResourceMappingsRequest, and namespace_fqn parity to ListResourceMappingGroupsRequest (which already had namespace_id).
  • Regenerate protocol/go, OpenAPI/gRPC docs, and SDK connect wrappers.
  • Add proto validation unit tests for the new fields.

This mirrors the namespacing pattern established for Registered Resources (#3110/#3111/#3165). Adding optional fields is wire-compatible; marked ! per the RR proto-PR convention.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

cd service && go test ./policy/resourcemapping/...

Related

Summary by CodeRabbit

  • New Features

    • Enhanced resource mapping operations with optional namespace ownership and filtering. Create, list, and update resource mappings now support namespace scoping via ID or fully-qualified name, enabling better organization and control within specific namespaces.
  • Documentation

    • Updated API documentation to reflect new namespace-related parameters and their usage in resource mapping workflows.

Add an optional owning namespace to resource mappings, mirroring the
namespacing already present on registered resources:

- ResourceMapping gains a hydrated policy.Namespace field.
- Create/UpdateResourceMappingRequest gain optional namespace_id and
  namespace_fqn.
- ListResourceMappingsRequest gains optional namespace_id/namespace_fqn
  filters; ListResourceMappingGroupsRequest gains namespace_fqn parity.

Regenerated protocol/go, OpenAPI/gRPC docs, and SDK wrappers. Adds proto
validation unit tests for the new fields.

Signed-off-by: Krish Suchak <suchak.krish@gmail.com>

coderabbitai Bot commented Jun 4, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1a03257d-b8a5-45cc-b3fa-8d07730503a0

📥 Commits

Reviewing files that changed from the base of the PR and between 36ba6c5 and a410810.

📒 Files selected for processing (1)
  • service/policy/resourcemapping/resource_mapping_test.go
Walkthrough

This PR extends resource mapping functionality with namespace ownership and filtering capabilities. The core proto message gains a namespace field, request schemas across all OpenAPI definitions are updated with namespace filtering parameters (UUID and URI variants), CEL validation rules are added for the new fields, and test coverage validates the complete namespace field lifecycle in list, create, and update operations.

Changes

Namespace Ownership for Resource Mappings

| Layer / File(s) | Summary |
|---|---|
| ResourceMapping Message Definition (service/policy/objects.proto) | ResourceMapping gains optional namespace field (field 6) documenting how the namespace may own the mapping independently from the mapped attribute's namespace. |
| Request Schema Extensions (docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml) | ResourceMapping schema adds namespace property; CreateResourceMappingRequest, ListResourceMappingGroupsRequest, ListResourceMappingsRequest, and UpdateResourceMappingRequest each gain namespaceId (UUID) and/or namespaceFqn (URI) fields for namespace ownership specification and filtering. |
| Namespace Validation Rules (service/policy/resourcemapping/resource_mapping.proto) | CEL validation expressions updated across five request message types to validate optional namespace UUID identifiers (using anchored hexadecimal regex) and URI format strings for namespace filtering and ownership fields. |
| OpenAPI Schema Consistency (docs/openapi/policy/{actions,attributes,objects,obligations,registeredresources,subjectmapping,unsafe}/...openapi.yaml) | Seven OpenAPI specification files consistently add namespace property to policy.ResourceMapping schema, all referencing policy.Namespace type with aligned ownership documentation. |
| Generated Documentation and Formatting (docs/grpc/index.html, docs/openapi/authorization/authorization.openapi.yaml, docs/openapi/policy/{objects,subjectmapping}/...openapi.yaml) | gRPC HTML documentation tables updated with namespace field descriptions for ResourceMapping and request schemas; minor formatting (blank lines) applied to OpenAPI YAML descriptions without changing operation signatures. |
| Namespace Field Validation Tests (service/policy/resourcemapping/resource_mapping_test.go) | Four new test functions (Test_ListResourceMappingsRequest_NamespaceFilters, Test_ListResourceMappingGroupsRequest_NamespaceFilters, Test_CreateResourceMappingRequest_NamespaceFields, Test_UpdateResourceMappingRequest_NamespaceFields) validate namespace filter acceptance, UUID/URI format rejection, and anchored regex enforcement. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • elizabethhealy
  • c-r33d

🐰 Namespaces now own these mappings so fair,
With filters and UUIDs laid bare,
Proto and schema aligned,
Validation refined,
Tests prove the ownership care!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding namespace fields to resource mapping protos, which is confirmed across all modified files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.


@github-actions github-actions Bot added comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) docs Documentation size/s labels Jun 4, 2026
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces optional namespace support for Resource Mappings and Resource Mapping Groups. By adding namespace fields to the proto definitions, the system gains the ability to associate resources with specific namespaces, facilitating better organization and filtering. This change is wire-compatible and serves as the foundational proto contract for upcoming service-level implementations.

Highlights

  • Namespace Support: Added optional namespace fields (namespace_id and namespace_fqn) to ResourceMapping and related request objects.
  • Validation: Implemented CEL-based validation for the new namespace fields to ensure correct UUID and URI formats.
  • Testing: Added comprehensive unit tests to verify the validation logic for the new namespace fields across various request types.

Ignored Files
  • Ignored by pattern: docs/openapi/**/* (9)
    • docs/openapi/authorization/authorization.openapi.yaml
    • docs/openapi/policy/actions/actions.openapi.yaml
    • docs/openapi/policy/attributes/attributes.openapi.yaml
    • docs/openapi/policy/objects.openapi.yaml
    • docs/openapi/policy/obligations/obligations.openapi.yaml
    • docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
    • docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
    • docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
    • docs/openapi/policy/unsafe/unsafe.openapi.yaml
  • Ignored by pattern: protocol/**/* (2)
    • protocol/go/policy/objects.pb.go
    • protocol/go/policy/resourcemapping/resource_mapping.pb.go

The namespace fields now take their place, / To bring some order to the space. / With validation strict and tight, / The resource mappings look just right.

github-actions Bot commented Jun 4, 2026

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 174.848884ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.44189ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 420.918235ms
Throughput 237.58 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.571321978s
Average Latency 444.515427ms
Throughput 112.18 requests/second

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces optional namespace fields (namespace_id and namespace_fqn) to several resource mapping messages and requests, along with updating the generated documentation and adding unit tests. The review feedback highlights a validation issue where the regular expressions used for UUID validation on namespace_id lack start (^) and end ($) anchors, which allows partial substring matches. Adding these anchors is recommended to ensure strict UUID validation.

Comment thread service/policy/resourcemapping/resource_mapping.proto
Comment thread service/policy/resourcemapping/resource_mapping.proto
Comment thread service/policy/resourcemapping/resource_mapping.proto
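
The anchoring issue raised in the review above, shown as an added Go example that is not code from this PR: an optional UUID field is checked with the same pattern, once unanchored and once wrapped in `^...$`. The pattern, the function names and the sample inputs are assumptions made for illustration, and Go's regexp package stands in for the PR's CEL rules; `MatchString` succeeds on any substring match unless the pattern is anchored.

```go
package main

import (
	"fmt"
	"regexp"
)

// uuidBody is a hypothetical hexadecimal UUID pattern written for this
// example; it is not copied from resource_mapping.proto.
const uuidBody = `[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`

var (
	unanchoredUUID = regexp.MustCompile(uuidBody)             // matches anywhere in the input
	anchoredUUID   = regexp.MustCompile(`^` + uuidBody + `$`) // must span the whole input
)

// validOptionalUUID models an optional field rule: an empty value means
// "not set" and passes; any other value must match re.
func validOptionalUUID(re *regexp.Regexp, v string) bool {
	return v == "" || re.MatchString(v)
}

// verdict records how both patterns treat one input.
type verdict struct {
	Input                string
	Unanchored, Anchored bool
}

// compare evaluates every input against both patterns.
func compare(inputs []string) []verdict {
	out := make([]verdict, 0, len(inputs))
	for _, in := range inputs {
		out = append(out, verdict{in, validOptionalUUID(unanchoredUUID, in), validOptionalUUID(anchoredUUID, in)})
	}
	return out
}

// sampleInputs are constructed values, not taken from the PR's tests.
var sampleInputs = []string{
	"",                                           // field left unset
	"123e4567-e89b-12d3-a456-426614174000",       // well-formed UUID
	"not-a-uuid",                                 // no UUID at all
	"junk-123e4567-e89b-12d3-a456-426614174000",  // UUID with a prefix
	"123e4567-e89b-12d3-a456-426614174000-extra", // UUID with a suffix
	"123e4567-e89b-12d3-a456-426614174000\n",     // trailing newline
}

func main() {
	for _, v := range compare(sampleInputs) {
		fmt.Printf("%-48q unanchored=%-5v anchored=%v\n", v.Input, v.Unanchored, v.Anchored)
	}
}
```

Without the multiline flag, Go's `$` matches only at the very end of the text, so the trailing-newline input is rejected by the anchored pattern as well.
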

github-actions Bot commented Jun 4, 2026


github-actions Bot commented Jun 5, 2026

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 191.195649ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.364414ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 432.547787ms
Throughput 231.19 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.90737253s
Average Latency 447.193123ms
Throughput 111.34 requests/second

@alkalescent alkalescent marked this pull request as ready for review June 5, 2026 17:52
@alkalescent alkalescent requested review from a team as code owners June 5, 2026 17:52

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@service/policy/resourcemapping/resource_mapping_test.go`:
- Around line 170-183: In Test_ListResourceMappingGroupsRequest_NamespaceFilters
add the missing negative-case for NamespaceId by creating a request with an
invalid NamespaceId (e.g., not-a-uuid) while leaving NamespaceFqn valid, call
v.Validate(req) and assert an error contains the UUID validation message
(errMessageOptionalUUID); likewise, update the complementary test in this file
that currently asserts invalid NamespaceId to also assert the invalid
NamespaceFqn path by creating a request with NamespaceFqn set to a non-URI and
asserting v.Validate(req) returns an error containing errMessageOptionalURI —
use the same validator call (v.Validate) and error assertion pattern as the
existing NamespaceFqn negative test to keep consistency.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c4c063d1-0d91-4792-86c0-31c127626604

📥 Commits

Reviewing files that changed from the base of the PR and between 79ab34f and 36ba6c5.

⛔ Files ignored due to path filters (2)
  • protocol/go/policy/objects.pb.go is excluded by !**/*.pb.go
  • protocol/go/policy/resourcemapping/resource_mapping.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (13)
  • docs/grpc/index.html
  • docs/openapi/authorization/authorization.openapi.yaml
  • docs/openapi/policy/actions/actions.openapi.yaml
  • docs/openapi/policy/attributes/attributes.openapi.yaml
  • docs/openapi/policy/objects.openapi.yaml
  • docs/openapi/policy/obligations/obligations.openapi.yaml
  • docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
  • docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
  • docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
  • docs/openapi/policy/unsafe/unsafe.openapi.yaml
  • service/policy/objects.proto
  • service/policy/resourcemapping/resource_mapping.proto
  • service/policy/resourcemapping/resource_mapping_test.go

Comment thread service/policy/resourcemapping/resource_mapping_test.go

github-actions Bot commented Jun 5, 2026

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 191.136879ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.287171ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 451.208992ms
Throughput 221.63 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 46.355194581s
Average Latency 461.725437ms
Throughput 107.86 requests/second


github-actions Bot commented Jun 5, 2026

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.
