feat(policy): DSPX-2541 implement GetKeyMappingsByFqns

[alkalescent]

Proposed Changes

• Implement GetKeyMappingsByFqns, the client-side key-split read API defined in feat(policy): DSPX-2541 add narrow attribute read APIs #3627. Per requested attribute value FQN it returns the governing attribute rule and the effective KAS keys, resolved server-side with value > definition > namespace precedence over the SimpleKasKey model, mirroring the client-side resolution in sdk/granter.go (newGranterFromService).
• Add resolveEffectiveKasKeys and the GetKeyMappingsByFqns DB method (a projection over the existing GetAttributesByValueFqns retrieval).
• Stub GetEntitleableAttributesByFqns as Unimplemented; it lands in the decisioning-migration PR (it needs new SQL to fetch subject mappings, which the FQN attribute query does not return).

Stacked on #3627 (base branch DSPX-2541-policy-key-mapping-apis). It uses the new protocol/go types via the workspace; once #3627 merges and protocol/go is released, this rebases onto main with a protocol/go dependency bump.

Limitation: values configured only with legacy KeyAccessServer grants (no kas_keys) return an empty key set. kas_keys is the forward model; legacy-grant handling is reconciled with the SDK migration.

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

• go test ./service/policy/db/ -run TestResolveEffectiveKasKeys — precedence unit test.
• go test ./service/integration/ -run TestAttributesSuite/Test_GetKeyMappingsByFqns — DB integration test (passes against Postgres).
• golangci-lint run ./policy/db/... ./policy/attributes/... ./integration/... — 0 issues.

Related

• DSPX-2541
• Proto PR: feat(policy): DSPX-2541 add narrow attribute read APIs #3627

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces the GetKeyMappingsByFqns API, enabling client-side key-split reads by resolving governing attribute rules and effective KAS keys. The implementation follows a hierarchical precedence model to ensure consistent key resolution across the service, mirroring existing client-side logic. Additionally, it includes a stub for a future endpoint and expands the test suite to cover the new resolution logic and database integration.

Highlights

• New API Implementation: Implemented the GetKeyMappingsByFqns API endpoint to retrieve attribute rules and effective KAS keys for specific FQNs.
• Key Resolution Logic: Added resolveEffectiveKasKeys to handle hierarchical key resolution (value > definition > namespace) for KAS keys.
• Testing: Added comprehensive unit tests for key resolution logic and a new integration test for the GetKeyMappingsByFqns API.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

Keys are mapped with care and grace, / Finding rules in every place. / Value, definition, namespace too, / Resolving keys for all of you.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6311cf85-ba17-4d61-9131-3efa9206d868

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DSPX-2541-attribute-read-api-handlers

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request implements the GetKeyMappingsByFqns endpoint to resolve effective KAS keys using value, definition, and namespace precedence, alongside a stub for GetEntitleableAttributesByFqns. It also includes corresponding integration and unit tests. Feedback recommends optimizing structured logging by using slog.Any instead of string formatting for slices, and adding an early return in the database client when the input FQNs slice is empty to prevent unnecessary database queries.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Using fmt.Sprintf("%v", req.Msg.GetFqns()) inside slog.String formats the slice as a Go-specific string representation (e.g., "[fqn1 fqn2]"), which is less ideal for structured logging systems. Using slog.Any with the slice directly allows structured loggers (like JSON formatters) to serialize it as a proper JSON array, making log querying and analysis much cleaner.

Suggested change

	return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.String("fqns", fmt.Sprintf("%v", req.Msg.GetFqns())))
	return nil, db.StatusifyError(ctx, s.logger, err, db.ErrTextGetRetrievalFailed, slog.Any("fqns", req.Msg.GetFqns()))

[gemini-code-assist]

If r.GetFqns() is empty, calling GetAttributesByValueFqns will result in an unnecessary database query and potential SQL errors. Adding an early return for empty input avoids an unnecessary DB roundtrip and improves performance.

Suggested change

	pairs, err := c.GetAttributesByValueFqns(ctx, &attributes.GetAttributeValuesByFqnsRequest{Fqns: r.GetFqns()})
	if len(r.GetFqns()) == 0 {
	return make(map[string]*attributes.GetKeyMappingsByFqnsResponse_AttributeKeyMapping), nil
	}
	pairs, err := c.GetAttributesByValueFqns(ctx, &attributes.GetAttributeValuesByFqnsRequest{Fqns: r.GetFqns()})

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	186.001897ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	100.330312ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	610.171425ms
Throughput	163.89 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	42.787713314s
Average Latency	427.040726ms
Throughput	116.86 requests/second

[github-actions]

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

• examples
• otdfctl
• sdk
• service
• lib/fixtures
• tests-bdd

See the workflow run for details.

[github-actions]

X-Test Results

✅ go@main-v0.9.0
✅ go@main-pull-3628
✅ java@main-pull-3628
✅ java@main-v0.9.0
✅ js@main-pull-3628
✅ js@main-v0.9.0
cukes-report
opentdfplatformND2DJH.dockerbuild
govulncheck-failure-8
govulncheck-failure-3
govulncheck-failure-0
govulncheck-failure-1
govulncheck-failure-2
govulncheck-failure-5

[alkalescent]

Superseded by the collapsed per-API PRs #3632 (GetKeyMappingsByFqns) and #3633 (GetEntitleableAttributesByFqns). Restructured so each new RPC ships with its proto, generated code, and handler in one PR, matching repo convention (e.g. 4c3d53d) and removing the need for the Unimplemented-handler embed.