@jrschumacher
Member

Adds ADR-0005 proposing namespace scoping for all policy constructs: Registered Resources, Subject Mappings, Subject Condition Sets, and Actions.

Key Decisions

  • Schema: Add namespace_id column directly to tables (not junction tables)
  • Standard Actions: Remain global with nullable namespace_id
  • Cross-namespace references: Allowed (required for federation)
  • Migration: Auto-assign if single namespace exists; interactive CLI tooling if multiple
  • FQNs: Only Registered Resources need namespace-prefixed FQNs
  • Proto versioning: No version bump; validation handled in service layer

Open Decision

  • GetDecisions behavior: How should cross-namespace Subject Mappings be queried? Options documented, requires team input.

Estimated LOE

~18-24 days including migrations, service layer, CLI, SDKs, testing, and documentation.

Related

  • Supports multi-authority federation
  • Enables namespace-scoped uniqueness constraints
  • Aligns with existing Attribute Definition namespace pattern

@jrschumacher jrschumacher requested review from a team as code owners January 13, 2026 20:52
@github-actions github-actions bot added comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/m labels Jan 13, 2026
@gemini-code-assist
Contributor

Summary of Changes

Hello @jrschumacher, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new Architectural Decision Record (ADR-0005) that proposes and details the implementation of namespace scoping for key policy constructs, including Registered Resources, Subject Mappings, Subject Condition Sets, and Actions. The primary goal is to enhance support for multi-authority federation, prevent naming collisions, and provide clearer organizational boundaries. The ADR outlines a comprehensive plan covering schema changes, API modifications, and a phased migration strategy, while also identifying an important open decision regarding cross-namespace query behavior for entitlement decisions.

Highlights

  • Namespace Scoping for Policy Constructs: Introduces namespace scoping for Registered Resources, Subject Mappings, Subject Condition Sets, and Actions to support federation and prevent naming collisions.
  • Direct namespace_id Column: The chosen implementation adds a namespace_id column directly to the relevant database tables, simplifying ownership and uniqueness constraints.
  • Cross-Namespace References Allowed: Explicitly permits Subject Mappings and Registered Resources to reference Attribute Values from other namespaces, crucial for federation.
  • Comprehensive Migration Strategy: Outlines a multi-phase migration plan, including nullable namespace_id addition, data migration with CLI tooling for interactive or automatic assignment, and subsequent constraint enforcement.
  • Open Decision on GetDecisions Behavior: Identifies an open decision regarding how GetDecisions should query Subject Mappings across namespaces, with a recommendation for 'Query All Accessible' with an optional filter.

Namespaces now divide, Policies in order reside, Federation's tide.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces ADR-0005, a comprehensive proposal to add namespace scoping to several key policy constructs like Registered Resources, Subject Mappings, and Actions. The ADR is exceptionally well-detailed, covering schema changes, API impact, a phased migration strategy, and a thorough breakdown of the work involved.

My review focuses on ensuring the technical proposals are robust. I've identified a potential issue with the proposed unique constraint on the actions table that could fail to enforce global uniqueness for standard actions and have suggested an alternative using partial unique indexes. I also recommended a minor clarification regarding how Registered Resource Values are namespaced to improve the document's clarity.

Overall, this is an excellent and well-thought-out ADR that lays a solid foundation for this important feature.

Comment on lines +125 to +129
ALTER TABLE actions
DROP CONSTRAINT actions_name_key;
ALTER TABLE actions
ADD CONSTRAINT actions_namespace_name_unique
UNIQUE(namespace_id, name);
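
Review bot: UNIQUE(namespace_id, name) places no restriction between a standard action and a custom one, so a namespace can define its own 'read' next to the global 'read', because the pair (NULL, 'read') never equals (ns, 'read'). The ADR should state whether a namespaced action may reuse a standard action's name and, if it may not, where that is rejected, since a lookup by name alone would then match two rows. Separately, the DROP CONSTRAINT and ADD CONSTRAINT are issued as two statements; writing them as one ALTER TABLE actions DROP CONSTRAINT actions_name_key, ADD CONSTRAINT actions_namespace_name_unique UNIQUE(namespace_id, name); avoids a window in which the table has no uniqueness rule.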

high

The proposed unique constraint UNIQUE(namespace_id, name) for the actions table might not correctly enforce global uniqueness for standard actions.

In PostgreSQL, NULL values are not considered equal in unique constraints. This means if namespace_id is NULL for standard actions, you could insert multiple rows with the same name (e.g., multiple 'read' actions with namespace_id = NULL), which would violate the goal of having globally unique standard actions.

To correctly enforce the desired constraints, I suggest using two separate partial unique indexes:

  • One for standard actions to ensure name is unique when namespace_id is NULL.
  • One for custom actions to ensure (namespace_id, name) is unique when namespace_id is NOT NULL.

This approach would correctly implement the uniqueness rules described in the ADR for both standard and custom actions.

Suggested change
ALTER TABLE actions
DROP CONSTRAINT actions_name_key;
ALTER TABLE actions
ADD CONSTRAINT actions_namespace_name_unique
UNIQUE(namespace_id, name);
ALTER TABLE actions
DROP CONSTRAINT actions_name_key;
-- For standard actions (global uniqueness on name)
CREATE UNIQUE INDEX actions_standard_name_unique
ON actions(name)
WHERE namespace_id IS NULL;
-- For custom actions (uniqueness on namespace_id + name)
CREATE UNIQUE INDEX actions_custom_namespace_name_unique
ON actions(namespace_id, name)
WHERE namespace_id IS NOT NULL;
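
The NULL behaviour and the two partial indexes discussed in this review comment, run side by side as an added example (not code from the PR or the OpenTDF project). It uses Python's built-in SQLite, which, like PostgreSQL by default, treats NULLs as distinct in unique constraints; the trimmed `actions` table and the sample rows are constructed.

```python
import sqlite3

# Schema as proposed in the ADR: one composite UNIQUE over (namespace_id, name).
COMPOSITE = [
    "CREATE TABLE actions (namespace_id TEXT, name TEXT NOT NULL,"
    " UNIQUE (namespace_id, name))",
]
# Schema as suggested in the review: two partial unique indexes.
PARTIAL = [
    "CREATE TABLE actions (namespace_id TEXT, name TEXT NOT NULL)",
    "CREATE UNIQUE INDEX actions_standard_name_unique"
    " ON actions(name) WHERE namespace_id IS NULL",
    "CREATE UNIQUE INDEX actions_custom_namespace_name_unique"
    " ON actions(namespace_id, name) WHERE namespace_id IS NOT NULL",
]

# Constructed sample rows (namespace_id, name); None marks a standard action.
ROWS = [
    (None, "read"),
    (None, "read"),      # duplicate standard action
    ("ns-a", "export"),
    ("ns-a", "export"),  # duplicate custom action in one namespace
    ("ns-b", "export"),  # same name in another namespace
    ("ns-a", "read"),    # custom action reusing a standard action's name
]


def accepted_rows(schema):
    """Build the schema in memory; return, per ROWS entry, whether the INSERT succeeded."""
    db = sqlite3.connect(":memory:")
    for statement in schema:
        db.execute(statement)
    results = []
    for namespace_id, name in ROWS:
        try:
            db.execute("INSERT INTO actions VALUES (?, ?)", (namespace_id, name))
            results.append(True)
        except sqlite3.IntegrityError:
            results.append(False)  # rejected by a unique constraint or index
    db.close()
    return results


if __name__ == "__main__":
    for label, schema in (("composite", COMPOSITE), ("partial", PARTIAL)):
        for row, ok in zip(ROWS, accepted_rows(schema)):
            print(f"{label:9} {row!s:20} {'accepted' if ok else 'rejected'}")
```

Only the partial indexes reject the second standard `read`; both schemas accept the namespaced `read` in the last row. On PostgreSQL 15 and later, `UNIQUE NULLS NOT DISTINCT (namespace_id, name)` is a single-constraint alternative to the two partial indexes.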

Currently, namespaces in OpenTDF primarily partition **Attribute Definitions** (and by extension, Attribute Values). However, several policy constructs remain globally scoped:

- **Registered Resources**
- **Registered Resource Values**

medium

This list correctly identifies Registered Resource Values as a policy construct that will become namespaced. However, the "Schema Changes" section below does not explicitly mention any changes to the registered_resource_values table.

While it's implied that these values become namespaced through their foreign key relationship with the now-namespaced registered_resources table, the ADR would be clearer if this was explicitly stated.

Consider adding a brief note in the "Schema Changes" section under "Registered Resources" to confirm that registered_resource_values are implicitly namespaced and no direct schema change is needed for them. This would help avoid any ambiguity for the engineers implementing this ADR.

@github-actions
Contributor

Benchmark results

Benchmark authorization.GetDecisions Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 197.856175ms |

Benchmark authorization.v2.GetMultiResourceDecision Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 103.871308ms |

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
| --- | --- | --- | --- | --- |

Bulk Benchmark Results

| Metric | Value |
| --- | --- |
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 369.877371ms |
| Throughput | 270.36 requests/second |

TDF3 Benchmark Results:

| Metric | Value |
| --- | --- |
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 40.973938783s |
| Average Latency | 407.971232ms |
| Throughput | 122.03 requests/second |

NANOTDF Benchmark Results:

| Metric | Value |
| --- | --- |
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 29.286755756s |
| Average Latency | 292.000125ms |
| Throughput | 170.73 requests/second |

@jrschumacher jrschumacher changed the title feat(policy): ADR namespaces for all policy constructs feat(policy): ADR namespaces for all policy primitives Jan 13, 2026