feat(main): update proto GIT_TAG to service/v0.14.0

otdf-python-proto/.gitattributes

@@ -0,0 +1,2 @@
+src/otdf_python_proto/**/__init__.py linguist-generated=true
+src/otdf_python_proto/__init__.py linguist-generated=true

otdf-python-proto/proto-files/policy/actions/actions.proto

@@ -12,6 +12,8 @@ import "policy/selectors.proto";
 */
 
 message GetActionRequest {
+  option (buf.validate.message).oneof = { fields: ["namespace_id", "namespace_fqn"], required: false };
+
   // Required
   oneof identifier {
     option (buf.validate.oneof).required = true;
@@ -25,6 +27,22 @@ message GetActionRequest {
       }
     ];
   }
+
+  // Optional namespace ID to scope name-based lookup.
+  // If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions.
+  string namespace_id = 3 [
+    (buf.validate.field).ignore = IGNORE_IF_ZERO_VALUE,
+    (buf.validate.field).string.uuid = true
+  ];
+  // Optional namespace FQN to scope name-based lookup.
+  // If omitted for name-based lookup, action search is limited to legacy (namespace_id = NULL) actions.
+  string namespace_fqn = 4 [
+    (buf.validate.field).ignore = IGNORE_IF_ZERO_VALUE,
+    (buf.validate.field).string = {
+      min_len : 1
+      uri : true
+    }
+  ];
 }
 message GetActionResponse {
   policy.Action action = 1;
@@ -34,6 +52,21 @@ message GetActionResponse {
 }
 
 message ListActionsRequest {
+  // Optional
+  option (buf.validate.message).oneof = { fields: ["namespace_id", "namespace_fqn"], required: false };
+
+  // ID of the namespace to scope results. If omitted, returns actions across namespaces.
+  string namespace_id = 1 [
+    (buf.validate.field).string.uuid = true
+  ];
+  // FQN of the namespace to scope results. If omitted, returns actions across namespaces.
+  string namespace_fqn = 2 [
+    (buf.validate.field).string = {
+      min_len : 1
+      uri : true
+    }
+  ];
+
   // Optional
   policy.PageRequest pagination = 10;
 }
@@ -47,6 +80,9 @@ message ListActionsResponse {
 // Create a new Custom action name with optional metadata.
 // Creation of Standard actions is not supported.
 message CreateActionRequest {
+  // Optional
+  option (buf.validate.message).oneof = { fields: ["namespace_id", "namespace_fqn"], required: false };
+
   // Required
   string name = 1 [
     (buf.validate.field).required = true,
@@ -58,6 +94,18 @@ message CreateActionRequest {
     }
   ];
 
+  // Optional namespace ID for the custom action.
+  // If omitted, create targets legacy (namespace_id = NULL) behavior unless enforced by server config.
+  string namespace_id = 2 [(buf.validate.field).string.uuid = true];
+  // Optional namespace FQN for the custom action.
+  // If omitted, create targets legacy (namespace_id = NULL) behavior unless enforced by server config.
+  string namespace_fqn = 3 [
+    (buf.validate.field).string = {
+      min_len : 1
+      uri : true
+    }
+  ];
+
   // Optional
   common.MetadataMutable metadata = 100;
 }

otdf-python-proto/proto-files/policy/attributes/attributes.proto

@@ -63,6 +63,18 @@ message ValueKey {
    Attribute Service Definitions
 */
 
+enum SortAttributesType {
+  SORT_ATTRIBUTES_TYPE_UNSPECIFIED = 0;
+  SORT_ATTRIBUTES_TYPE_NAME = 1;
+  SORT_ATTRIBUTES_TYPE_CREATED_AT = 2;
+  SORT_ATTRIBUTES_TYPE_UPDATED_AT = 3;
+}
+
+message AttributesSort {
+  SortAttributesType field = 1;
+  policy.SortDirection direction = 2;
+}
+
 message ListAttributesRequest {
   // Optional
   // ACTIVE by default when not specified
@@ -73,6 +85,8 @@ message ListAttributesRequest {
 
   // Optional
   policy.PageRequest pagination = 10;
+  // Optional - CONSTRAINT: max 1 item
+  repeated AttributesSort sort = 11 [(buf.validate.field).repeated.max_items = 1];
 }
 message ListAttributesResponse {
   repeated policy.Attribute attributes = 1;
@@ -412,7 +426,10 @@ service AttributesService {
   rpc ListAttributes(ListAttributesRequest) returns (ListAttributesResponse) {
     option idempotency_level = NO_SIDE_EFFECTS;
   }
+  // Deprecated
+  // Use GetAttribute
   rpc ListAttributeValues(ListAttributeValuesRequest) returns (ListAttributeValuesResponse) {
+    option deprecated = true;
     option idempotency_level = NO_SIDE_EFFECTS;
   }
 

otdf-python-proto/proto-files/policy/kasregistry/key_access_server_registry.proto

@@ -43,9 +43,26 @@ message GetKeyAccessServerResponse {
   KeyAccessServer key_access_server = 1;
 }
 
+enum SortKeyAccessServersType {
+  SORT_KEY_ACCESS_SERVERS_TYPE_UNSPECIFIED = 0;
+  SORT_KEY_ACCESS_SERVERS_TYPE_NAME = 1;
+  SORT_KEY_ACCESS_SERVERS_TYPE_URI = 2;
+  SORT_KEY_ACCESS_SERVERS_TYPE_CREATED_AT = 3;
+  SORT_KEY_ACCESS_SERVERS_TYPE_UPDATED_AT = 4;
+}
+
+message KeyAccessServersSort {
+  SortKeyAccessServersType field = 1;
+  policy.SortDirection direction = 2;
+}
+
 message ListKeyAccessServersRequest {
   // Optional
   policy.PageRequest pagination = 10;
+  // Optional - CONSTRAINT: max 1 item
+  // Default ordering when omitted or when the first entry's field is UNSPECIFIED:
+  // created_at DESC, then id ASC (tie-breaker).
+  repeated KeyAccessServersSort sort = 11 [(buf.validate.field).repeated.max_items = 1];
 }
 message ListKeyAccessServersResponse {
   repeated KeyAccessServer key_access_servers = 1;

otdf-python-proto/proto-files/policy/namespaces/namespaces.proto

@@ -78,13 +78,29 @@ message GetNamespaceResponse {
   policy.Namespace namespace = 1;
 }
 
+enum SortNamespacesType {
+  SORT_NAMESPACES_TYPE_UNSPECIFIED = 0;
+  SORT_NAMESPACES_TYPE_NAME = 1;
+  SORT_NAMESPACES_TYPE_FQN = 2;
+  SORT_NAMESPACES_TYPE_CREATED_AT = 3;
+  SORT_NAMESPACES_TYPE_UPDATED_AT = 4;
+}
+
+message NamespacesSort {
+  SortNamespacesType field = 1;
+  policy.SortDirection direction = 2;
+}
+
 message ListNamespacesRequest {
   // Optional
   // ACTIVE by default when not specified
   common.ActiveStateEnum state = 1;
 
   // Optional
   policy.PageRequest pagination = 10;
+
+  // Optional
+  repeated NamespacesSort sort = 11 [(buf.validate.field).repeated.max_items = 1];
 }
 message ListNamespacesResponse {
   repeated policy.Namespace namespaces = 1;
@@ -172,46 +188,6 @@ message RemovePublicKeyFromNamespaceResponse {
   NamespaceKey namespace_key = 1;
 }
 
-/*
-   Certificates
-*/
-
-// Maps a namespace to a certificate (similar to NamespaceKey pattern)
-message NamespaceCertificate {
-  // Required - namespace identifier (id or fqn)
-  common.IdFqnIdentifier namespace = 1 [(buf.validate.field).required = true];
-  // Required (The id from the Certificate object)
-  string certificate_id = 2 [
-    (buf.validate.field).string.uuid = true,
-    (buf.validate.field).required = true
-  ];
-}
-
-message AssignCertificateToNamespaceRequest {
-  // Required - namespace identifier (id or fqn)
-  common.IdFqnIdentifier namespace = 1 [(buf.validate.field).required = true];
-  // Required - PEM format certificate
-  string pem = 2 [(buf.validate.field).required = true];
-  // Optional
-  common.MetadataMutable metadata = 100;
-}
-
-message AssignCertificateToNamespaceResponse {
-  // The mapping of the namespace to the certificate.
-  NamespaceCertificate namespace_certificate = 1;
-  policy.Certificate certificate = 2; // Return the full certificate object for convenience
-}
-
-message RemoveCertificateFromNamespaceRequest {
-  // The namespace and certificate to unassign.
-  NamespaceCertificate namespace_certificate = 1 [(buf.validate.field).required = true];
-}
-
-message RemoveCertificateFromNamespaceResponse {
-  // The unassigned namespace and certificate.
-  NamespaceCertificate namespace_certificate = 1;
-}
-
 service NamespaceService {
   rpc GetNamespace(GetNamespaceRequest) returns (GetNamespaceResponse) {
     option idempotency_level = NO_SIDE_EFFECTS;
@@ -243,8 +219,4 @@ service NamespaceService {
    *---------------------------------------*/
   rpc AssignPublicKeyToNamespace(AssignPublicKeyToNamespaceRequest) returns (AssignPublicKeyToNamespaceResponse) {}
   rpc RemovePublicKeyFromNamespace(RemovePublicKeyFromNamespaceRequest) returns (RemovePublicKeyFromNamespaceResponse) {}
-
-  // Namespace <> Certificate RPCs
-  rpc AssignCertificateToNamespace(AssignCertificateToNamespaceRequest) returns (AssignCertificateToNamespaceResponse) {}
-  rpc RemoveCertificateFromNamespace(RemoveCertificateFromNamespaceRequest) returns (RemoveCertificateFromNamespaceResponse) {}
 }

otdf-python-proto/proto-files/policy/objects.proto

@@ -48,18 +48,6 @@ message Namespace {
 
   // Keys for the namespace
   repeated SimpleKasKey kas_keys = 7;
-
-  // Root certificates for chain of trust
-  repeated Certificate root_certs = 8;
-}
-
-message Certificate {
-  // generated uuid in database
-  string id = 1;
-  // PEM format certificate
-  string pem = 2;
-  // Optional metadata.
-  common.Metadata metadata = 3;
 }
 
 message Attribute {
@@ -164,6 +152,9 @@ message Action {
 
   string name = 4;
 
+  // Namespace context for this action
+  Namespace namespace = 5;
+
   common.Metadata metadata = 100;
 }
 
@@ -205,6 +196,11 @@ message SubjectMapping {
   // The actions permitted by subjects in this mapping
   repeated Action actions = 4;
 
+  // the namespace containing this subject mapping
+  // possible this is empty. If so that means
+  // the Subject Mapping has not been migrated to a namespace.
+  Namespace namespace = 5;
+
   common.Metadata metadata = 100;
 }
 
@@ -256,6 +252,11 @@ message SubjectSet {
 message SubjectConditionSet {
   string id = 1;
 
+  // the namespace containing this subject condition set
+  // possible this is empty in the case a subject condition set
+  // has not been migrated to a namespace.
+  Namespace namespace = 2;
+
   repeated SubjectSet subject_sets = 3 [(buf.validate.field).repeated.min_items = 1];
 
   common.Metadata metadata = 100;
@@ -452,6 +453,8 @@ message RegisteredResource {
 
   repeated RegisteredResourceValue values = 3;
 
+  Namespace namespace = 4;
+
   // Common metadata
   common.Metadata metadata = 100;
 }

otdf-python-proto/proto-files/policy/obligations/obligations.proto

@@ -12,6 +12,20 @@ import "buf/validate/validate.proto";
 ///
 
 // Definitions
+
+enum SortObligationsType {
+    SORT_OBLIGATIONS_TYPE_UNSPECIFIED = 0;
+    SORT_OBLIGATIONS_TYPE_NAME = 1;
+    SORT_OBLIGATIONS_TYPE_FQN = 2;
+    SORT_OBLIGATIONS_TYPE_CREATED_AT = 3;
+    SORT_OBLIGATIONS_TYPE_UPDATED_AT = 4;
+}
+
+message ObligationsSort {
+    SortObligationsType field = 1;
+    policy.SortDirection direction = 2;
+}
+
 message GetObligationRequest {
     option (buf.validate.message).oneof = { fields: ["id", "fqn"], required: true };
     string id = 1 [(buf.validate.field).string.uuid = true];
@@ -150,6 +164,11 @@ message ListObligationsRequest {
 
     // Optional
     policy.PageRequest pagination = 10;
+
+    // Optional - CONSTRAINT: max 1 item
+    // Default ordering when omitted or when the first entry's field is UNSPECIFIED:
+    // created_at DESC, then id ASC (tie-breaker).
+    repeated ObligationsSort sort = 11 [(buf.validate.field).repeated.max_items = 1];
 }
 
 message ListObligationsResponse {
@@ -272,6 +291,15 @@ message DeleteObligationValueResponse {
 }
 
 // Triggers
+message GetObligationTriggerRequest {
+    // Required
+    string id = 1 [(buf.validate.field).string.uuid = true];
+}
+
+message GetObligationTriggerResponse {
+    policy.ObligationTrigger trigger = 1;
+}
+
 message AddObligationTriggerRequest {
     // Required
     common.IdFqnIdentifier obligation_value = 1 [(buf.validate.field).required = true];
@@ -393,6 +421,10 @@ service Service {
    /*--------------------------------------*
     * Trigger RPCs
     *--------------------------------------*/
+
+    rpc GetObligationTrigger(GetObligationTriggerRequest) returns (GetObligationTriggerResponse) {
+        option idempotency_level = NO_SIDE_EFFECTS;
+    }
 
     rpc AddObligationTrigger(AddObligationTriggerRequest) returns (AddObligationTriggerResponse) {}
 
@@ -409,4 +441,4 @@ service Service {
     // rpc AddObligationFulfiller(AddObligationFulfillerRequest) returns (AddObligationFulfillerResponse) {}
 
     // rpc RemoveObligationFulfiller(RemoveObligationFulfillerRequest) returns (RemoveObligationFulfillerResponse) {}   
-}
+}