docs(authz): add v2 Authorization API request validation limits

[marythought]

Summary

• Add a Request Validation Limits section to the v2 Authorization Service documentation, documenting all hard-coded protovalidate constraints
• Include a note about the effective attribute values limit being lower than 20 due to system-added attributes (tagging service, default attributes)
• Add performant and protovalidate to the Vale vocabulary

Limits documented

Field	Min	Max	Endpoints
EntityIdentifier.entity_chain.entities	1	10	GetDecision, GetDecisionMultiResource, GetDecisionBulk, GetEntitlements
Resource.attribute_values.fqns	1	20	GetDecision, GetDecisionMultiResource, GetDecisionBulk
fulfillable_obligation_fqns	0	50	GetDecision, GetDecisionMultiResource
GetDecisionMultiResourceRequest.resources	1	1,000	GetDecisionMultiResource, GetDecisionBulk
GetDecisionBulkRequest.decision_requests	1	200	GetDecisionBulk

All limits verified against the v2 authorization proto.

Context

A customer encountered the 20-attribute-value limit when using Virtru for Microsoft Outlook with 19 user-defined attribute values — the PEP added system attributes that pushed the total over 20. An audit of all v2 Authorization API validation limits confirmed that none were documented in prose documentation.

Related

• Document and evaluate the 20-attribute-value limit on Resource in v2 Authorization API platform#3500 — Resource attribute_values limit of 20
• Document and evaluate batch size limits in v2 Authorization API platform#3501 — Batch request sizes
• Document and evaluate the 10-entity limit on EntityChain in v2 Authorization API platform#3502 — Entity chain entities limit of 10
• Document and evaluate the 50-fulfillable-obligation-FQN limit in v2 Authorization API platform#3503 — Fulfillable obligation FQNs limit of 50

Test plan

• Verify npm run build passes
• Verify the new section renders correctly on the authorization service page
• Confirm the :::note admonition renders as expected

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@marythought has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 47 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e95a94cb-49e6-40c0-812c-ce55cb546eff

📥 Commits

Reviewing files that changed from the base of the PR and between bf42337 and d36623e.

📒 Files selected for processing (1)

• docs/components/authorization.md

📝 Walkthrough

Walkthrough

Adds v2 Authorization Service documentation for protovalidate-enforced request validation limits and updates the Vale vocabulary to accept the terms performant and protovalidate.

Changes

v2 Authorization Request Validation

Layer / File(s)	Summary
Vale vocabulary configuration .github/vale-styles/config/vocabularies/Opentdf/accept.txt	Added performant and protovalidate to the accepted vocabulary list to prevent lint warnings.
v2 Authorization Service validation limits documentation docs/components/authorization.md	Added v2-only "Request Validation Limits" for GetDecision, GetDecisionMultiResource, GetDecisionBulk, and GetEntitlements; added explicit v2 bounds for Entity Identifier (1–10 entities per chain) and Resource attribute value FQNs (1–20); noted effective attribute_values may be lower due to automatic FQN additions and linked to the v2 proto for full definitions.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly Related Issues

• Document and evaluate the 20-attribute-value limit on Resource in v2 Authorization API platform#3500: Documents the 1–20 Resource.attribute_values FQN limit now recorded in the validation limits section.
• Document and evaluate the 10-entity limit on EntityChain in v2 Authorization API platform#3502: Documents the 1–10 EntityChain size limit now included in the v2 request constraints.

Suggested Reviewers

• elizabethhealy
• eugenioenko
• jp-ayyappan

Poem

🐰 I hopped through docs to make things clear,
Protovalidate boundaries now appear,
Two words accepted, no linting fright,
Requests constrained, all tidy and tight. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title directly and accurately summarizes the main change: adding v2 Authorization API request validation limits documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DSPX-3319-authz-validation-limits

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces documentation for v2 Authorization API request validation limits and updates the project's vocabulary list. Review feedback focuses on improving the documentation's accuracy and readability by defining the PEP acronym, ensuring consistent formatting with backticks, and correcting the list of endpoints affected by specific validation limits.

[github-actions]

📄 Preview deployed to https://opentdf-docs-pr-325.surge.sh

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/components/authorization.md`:
- Line 158: The documentation is inconsistent: the table row for
`fulfillable_obligation_fqns` lists `GetDecision`, `GetDecisionMultiResource`,
and `GetDecisionBulk`, but the endpoint breakdown only documents it for
`GetDecision` and `GetDecisionMultiResource`; update the docs so both places
match—either add `GetDecisionBulk` to the endpoint breakdown or remove it from
the table row—by editing the `fulfillable_obligation_fqns` entries so the list
of endpoints (`GetDecision`, `GetDecisionMultiResource`, `GetDecisionBulk`) is
consistent across the `fulfillable_obligation_fqns` field documentation and the
endpoint breakdown.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1492429e-964f-4268-8383-2dda5f50597c

📥 Commits

Reviewing files that changed from the base of the PR and between a0742fc and bf42337.

📒 Files selected for processing (2)

• .github/vale-styles/config/vocabularies/Opentdf/accept.txt
• docs/components/authorization.md

✅ Files skipped from review due to trivial changes (1)

• .github/vale-styles/config/vocabularies/Opentdf/accept.txt

[jp-ayyappan]

lgtm