feat(authz): Namespaced policy in decisioning

[elizabethhealy]

Proposed Changes

This pull request introduces a namespaced policy evaluation model to the Policy Decision Point (PDP). The primary goal is to resolve ambiguities in access decisioning where action names might overlap across different namespaces. By threading a new NamespacedPolicy configuration through the PDP, the system can now enforce strict namespace equality for actions and subject mappings, ensuring a fail-closed and deterministic authorization process suitable for staged migration.

Highlights

• Namespaced Policy Enforcement: Introduced a NamespacedPolicy feature flag to enforce strict namespace ownership in access decisioning, preventing cross-namespace action matches.
• Deterministic Action Resolution: Implemented namespace-aware action matching logic that resolves actions within specific evaluation contexts, with explicit identity precedence (ID > Name+Namespace > Name).
• Subject Mapping Filtering: Added logic to filter out unnamespaced subject mappings when the NamespacedPolicy mode is enabled.
• Conflict Resolution: Added defensive logic to EvaluateSubjectMappingsWithActions to handle and log action name collisions deterministically.

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

• New Features
  • Add optional strict, namespace-aware authorization (EnforceNamespacedEntitlements) enforcing per-namespace action matching with ID → name+namespace → name precedence and fail-closed behavior.
• Bug Fixes
  • Deterministic deduplication of conflicting actions to avoid silent overwrites; direct entitlements are merged rather than replaced.
• Documentation
  • Added ADR and deployment template describing namespaced decisioning.
• Tests
  • Expanded unit and BDD tests covering namespaced decisioning scenarios and matching semantics.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a feature-flagged namespaced subject-mapping decision model: config flag, PDP/JIT plumbing, namespaced indexing/filtering, namespace-aware action matching and merging, deduplication/logging for conflicting actions, tests, BDD scenarios, and an ADR documenting semantics and rollout.

Changes

Cohort / File(s)	Summary
Architecture ADR adr/decisions/2026-03-30-namespaced-subject-mappings-decisioning.md	New ADR specifying namespaced decisioning semantics, identity precedence (id → name+namespace → name), fail-closed rules, feature-flag behavior, and rollout notes.
Service config & wiring service/authorization/v2/config.go, service/authorization/v2/authorization.go	Added EnforceNamespacedEntitlements config field and threaded the flag into JustInTimePDP construction and logging.
PDP core & indexing service/internal/access/v2/pdp.go, service/internal/access/v2/just_in_time_pdp.go	PDP and JIT constructors accept namespaced flag; subject mappings filtered at build time, registered-resource values indexed by namespaced and legacy FQNs, direct entitlements merged (not overwritten) with namespace hydration, and namespaced-aware action deduplication added.
Evaluation logic service/internal/access/v2/evaluate.go	Resource evaluation now accepts namespacedPolicy; introduced isRequestedActionMatch, rule-scoped variants for ALL_OF/ANY_OF/HIERARCHY, and strict-mode fail-closed behavior when required namespaces cannot be resolved.
PDP & evaluation tests service/internal/access/v2/evaluate_test.go, service/internal/access/v2/pdp_test.go, service/internal/access/v2/helpers_test.go	Updated tests to pass namespaced flag, added extensive namespaced-mode unit tests, and small test fixture updates.
Subject mapping dedupe & tests service/internal/subjectmappingbuiltin/subject_mapping_builtin_actions.go, service/internal/subjectmappingbuiltin/subject_mapping_builtin_actions_test.go	Action deduplication now detects conflicts, logs warnings, and deterministically prefers actions (prefers non-empty IDs/namespaces); tests added/updated to validate behavior.
BDD & test resources tests-bdd/features/namespaced-decisioning.feature, tests-bdd/cukes/steps_subjectmappings.go, tests-bdd/cukes/resources/platform.namespaced_policy.template	Added BDD scenarios for strict namespaced decisioning, step helpers to create namespaced condition sets/mappings, and a platform template enabling namespaced entitlement enforcement.

Sequence Diagram(s)

sequenceDiagram
participant Client
participant AuthService as Authorization Service
participant JIT_PDP as JustInTimePDP
participant PDP
participant Registry as RegisteredResourceIndex
participant SubjectMapping as SubjectMappingsStore

Client->>AuthService: Decision request (action id/name, resource attrs)
AuthService->>JIT_PDP: NewJustInTimePDP(..., allowDirectEntitlements, namespacedPolicy)
AuthService->>JIT_PDP: GetDecision(request)
JIT_PDP->>PDP: Evaluate(resource, request, namespacedPolicy)
PDP->>Registry: Lookup registered-resource values (namespaced & legacy FQNs)
PDP->>SubjectMapping: Filter subject mappings (skip unnamespaced if strict)
PDP->>PDP: isRequestedActionMatch(action, requiredNamespace)
PDP-->>JIT_PDP: Decision (PERMIT/DENY)
JIT_PDP-->>AuthService: Decision
AuthService-->>Client: Response

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat(policy): Enforce same namespace when actions referenced downstream #3206 — implements DB-level namespace-aware action resolution and enforcement; closely aligned with PDP/action-matching changes.
• feat(policy): Namespace subject mappings and condition sets #3172 — adds DB/schema and create/validation plumbing for namespaced subject mappings used by PDP decisioning.
• feat(policy): Seed namespaces with standard actions on creation + namespaced actions for obligation triggers #3161 — related changes preferring namespace-scoped actions over unscoped ones in action resolution.

Suggested labels

comp:policy, docs

Suggested reviewers

• c-r33d
• jakedoublev

Poem

🐰
I hopped through code with tiny paws,
Namespaces stitched into rules and laws.
Actions choose their proper home,
No more wandering places to roam.
Hooray — decisions find their cause!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: introducing a namespaced policy evaluation model to the authorization decisioning system, which is the core focus of this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dspx-2753-namespaced-policy-decisioning

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a namespaced policy evaluation model to the Policy Decision Point (PDP). The primary goal is to resolve ambiguities in access decisioning where action names might overlap across different namespaces. By threading a new NamespacedPolicy configuration through the PDP, the system can now enforce strict namespace equality for actions and subject mappings, ensuring a fail-closed and deterministic authorization process suitable for staged migration.

Highlights

• Namespaced Policy Enforcement: Introduced a NamespacedPolicy feature flag to enforce strict namespace ownership in access decisioning, preventing cross-namespace action matches.
• Deterministic Action Resolution: Implemented namespace-aware action matching logic that resolves actions within specific evaluation contexts, with explicit identity precedence (ID > Name+Namespace > Name).
• Subject Mapping Filtering: Added logic to filter out unnamespaced subject mappings when the NamespacedPolicy mode is enabled.
• Conflict Resolution: Added defensive logic to EvaluateSubjectMappingsWithActions to handle and log action name collisions deterministically.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

Namespaces strict and clear, Policy doubts disappear. Actions matched with care, Security beyond compare.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	201.554433ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	108.047735ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	395.392321ms
Throughput	252.91 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.837164037s
Average Latency	407.036478ms
Throughput	122.44 requests/second

[gemini-code-assist]

Code Review

This pull request implements namespaced subject mapping decisioning in the PDP, as outlined in the newly added ADR. It introduces a NamespacedPolicy feature flag to control the enforcement of strict namespace ownership during access evaluation. The core logic includes a centralized action-matching helper and updated evaluation paths for attribute rules. Feedback focuses on the transition to uniform case-insensitive action name matching and suggests more robust logging or error handling when resolving action name collisions during subject mapping evaluation.

[github-actions]

X-Test Results

✅ go-pull-3226
✅ go-v0.9.0
✅ java-pull-3226
✅ java-v0.9.0
✅ js-pull-3226
✅ js-v0.9.0
test-cases-mapping-report
bats-test-results
cukes-report
opentdfplatformPAY2S8.dockerbuild

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	196.102058ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	97.046499ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	386.928477ms
Throughput	258.45 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.111521964s
Average Latency	399.3757ms
Throughput	124.65 requests/second

[github-actions]

X-Test Failure Report

opentdfplatformB2MWHF.dockerbuild

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	195.114094ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	101.941112ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	399.245747ms
Throughput	250.47 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.721397139s
Average Latency	405.954345ms
Throughput	122.79 requests/second

[github-actions]

X-Test Results

✅ go-pull-3226
✅ go-v0.9.0
✅ java-pull-3226
✅ java-v0.9.0
✅ js-pull-3226
✅ js-v0.9.0
test-cases-mapping-report
bats-test-results
cukes-report
opentdfplatformU2TKG8.dockerbuild

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	196.070008ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	101.915101ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	393.140224ms
Throughput	254.36 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	41.796006383s
Average Latency	416.225723ms
Throughput	119.63 requests/second

[github-actions]

X-Test Results

✅ go-pull-3226
✅ java-pull-3226
✅ go-v0.9.0
✅ js-pull-3226
✅ java-v0.9.0
✅ js-v0.9.0
cukes-report
test-cases-mapping-report
bats-test-results
opentdfplatformNEZUOY.dockerbuild

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	206.206272ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	99.347417ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	380.864314ms
Throughput	262.56 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	41.471782036s
Average Latency	412.725819ms
Throughput	120.56 requests/second

[github-actions]

X-Test Results

✅ go-pull-3226
✅ go-v0.9.0
✅ java-pull-3226
✅ js-pull-3226
✅ java-v0.9.0
✅ js-v0.9.0
cukes-report
test-cases-mapping-report
bats-test-results
opentdfplatformX7NZ6X.dockerbuild

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	203.173319ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	102.323047ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	383.684246ms
Throughput	260.63 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	41.367541483s
Average Latency	411.964684ms
Throughput	120.87 requests/second

[github-actions]

X-Test Results

✅ go-pull-3226
✅ java-pull-3226
✅ go-v0.9.0
✅ js-pull-3226
✅ java-v0.9.0
✅ js-v0.9.0
test-cases-mapping-report
cukes-report
bats-test-results
opentdfplatformV7N220.dockerbuild

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

service/internal/access/v2/pdp.go (2)

297-326: ⚠️ Potential issue | 🟠 Major

Keep registered-resource action candidates ID/namespace-aware here too.

This loop still filters on GetName() and deduplicates by name, but the common matcher now supports Action.Id and namespace-aware comparisons. Requests that identify the action by ID, or registered-resource values that carry same-name actions in multiple namespaces, can be denied based on iteration order before getResourceDecision ever runs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@service/internal/access/v2/pdp.go` around lines 297 - 326, The loop that
builds entitledFQNsToActions deduplicates and matches actions only by name
(using aav.GetAction().GetName() and slices.ContainsFunc comparing GetName()),
which ignores Action.Id and namespaces and can produce wrong ordering/denials;
update the matching and deduplication to be ID+namespace-aware: when reading
aav.GetAction() (aavAction) and comparing to the Decision Request action
(action), compare both Id and namespace (or use a composite key like
action.GetId()+":"+action.GetNamespace()) instead of GetName(); likewise replace
the slices.ContainsFunc check with a comparison on Id+namespace (or maintain
actionsList as a map keyed by that composite key and convert back to
[]*policy.Action) so entitledFQNsToActions stores unique actions by ID+namespace
before calling getResourceDecision (preserve use of entitledFQNsToActions,
getResourceDecision, entityRegisteredResourceValue.GetActionAttributeValues,
aav.GetAction, action, and p.namespacedPolicy in your changes).

---

102-157: ⚠️ Potential issue | 🟠 Major

Don't mutate caller-owned Value.SubjectMappings while building the PDP index.

The builder stores references to policy objects returned from the store/cache and then mutates their SubjectMappings fields in place. When using EntitlementPolicyCache, the cache returns the same slice and object references across builds; mutations persist in the cached data. A prior non-strict build can leave legacy mappings attached to cached values, and a later strict build will evaluate stale mappings that should have been skipped. Clone the value or clear SubjectMappings before populating the lookup to ensure each PDP build operates on independent data.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@service/internal/access/v2/pdp.go` around lines 102 - 157, The code mutates
caller-owned policy.Value objects (specifically Value.SubjectMappings) while
building the PDP index (see allEntitleableAttributesByValueFQN, mappedValue, and
the block that appends to SubjectMappings), which can leak into cached data; fix
by cloning the attribute value (or creating a fresh value instance) before
assigning or clearing SubjectMappings and before appending mappings so you never
modify objects returned from the store/cache; update the branch that handles
existing entries and the branch that calls getDefinition to use the cloned value
(or reset SubjectMappings) and attach the clone to the new
attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue entry to ensure each
PDP build has independent SubjectMappings.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@adr/decisions/2026-03-30-namespaced-subject-mappings-decisioning.md`:
- Around line 30-36: The ADR currently contradicts itself about whether the
request action is unnamespaced: update the decision text so there is a single
normative request-action contract and remove the conflicting statement; choose
one model (either keep "request action remains unnamespaced" and restrict the
precedence list to contextual/derived matching, or adopt the explicit request
shapes `action.id`, `action.name + action.namespace`, `action.name` as the
normative request contract) and rewrite the paragraph around "Request-action
identity precedence" to match that single choice, ensuring all references to
action.id, action.name, and action.namespace in the document are consistent with
the chosen contract.

In `@service/internal/access/v2/evaluate.go`:
- Around line 82-91: The loop that computes requiredNamespaceID for each
regResValue AAV uses accessibleAttributeValues (a filtered map) and leaves
requiredNamespaceID empty when an AAV isn’t present, allowing
isRequestedActionMatch(...) to silently skip instead of denying in strict mode;
fix by resolving the namespace from the unfiltered value→attribute lookup used
elsewhere (the full value->attribute map) when computing requiredNamespaceID for
regResValue.GetActionAttributeValues(), and if that lookup still fails while the
AAV is otherwise a candidate for the requested action and
namespacedPolicy/strict mode is enabled, return a deny (fail-closed) rather than
continuing; update the logic around requiredNamespaceID,
isRequestedActionMatch(action, requiredNamespaceID, aav.GetAction(),
namespacedPolicy), and the strict-mode path accordingly and add a mixed-AAV
strict-mode regression test that ensures a resource with multiple AAVs is denied
when any AAV’s namespace cannot be resolved.

In `@service/internal/access/v2/helpers_test.go`:
- Around line 396-399: The fixture `valueRestricted` is inconsistent because its
SubjectMapping uses `exampleSecretFQN` instead of the intended
`exampleRestrictedFQN`; update the call to `createSimpleSubjectMapping` inside
the `valueRestricted` declaration so the subject FQN argument is
`exampleRestrictedFQN` (not `exampleSecretFQN`) to correctly represent the
restricted fixture and ensure `populateHigherValuesIfHierarchy` tests exercise
the intended hierarchy.

In `@service/internal/subjectmappingbuiltin/subject_mapping_builtin_actions.go`:
- Around line 147-159: The current selection only checks presence of a Namespace
but doesn't prefer the one with an ID (Namespace.Id) when both have namespaces;
update the logic around existingNS/candidateNS so that if both existingHasNS and
candidateHasNS are true you choose the action whose Namespace.GetId() is
non-empty (prefer candidate if it has an ID, otherwise prefer existing if it has
an ID, otherwise fall back to existing); adjust the branch that returns
existing/candidate to inspect Namespace.GetId() before returning to ensure the
action with an actual namespace ID is chosen.

---

Outside diff comments:
In `@service/internal/access/v2/pdp.go`:
- Around line 297-326: The loop that builds entitledFQNsToActions deduplicates
and matches actions only by name (using aav.GetAction().GetName() and
slices.ContainsFunc comparing GetName()), which ignores Action.Id and namespaces
and can produce wrong ordering/denials; update the matching and deduplication to
be ID+namespace-aware: when reading aav.GetAction() (aavAction) and comparing to
the Decision Request action (action), compare both Id and namespace (or use a
composite key like action.GetId()+":"+action.GetNamespace()) instead of
GetName(); likewise replace the slices.ContainsFunc check with a comparison on
Id+namespace (or maintain actionsList as a map keyed by that composite key and
convert back to []*policy.Action) so entitledFQNsToActions stores unique actions
by ID+namespace before calling getResourceDecision (preserve use of
entitledFQNsToActions, getResourceDecision,
entityRegisteredResourceValue.GetActionAttributeValues, aav.GetAction, action,
and p.namespacedPolicy in your changes).
- Around line 102-157: The code mutates caller-owned policy.Value objects
(specifically Value.SubjectMappings) while building the PDP index (see
allEntitleableAttributesByValueFQN, mappedValue, and the block that appends to
SubjectMappings), which can leak into cached data; fix by cloning the attribute
value (or creating a fresh value instance) before assigning or clearing
SubjectMappings and before appending mappings so you never modify objects
returned from the store/cache; update the branch that handles existing entries
and the branch that calls getDefinition to use the cloned value (or reset
SubjectMappings) and attach the clone to the new
attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue entry to ensure each
PDP build has independent SubjectMappings.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 40e86ab6-c264-4bb2-9f3a-45f77facf7bb

📥 Commits

Reviewing files that changed from the base of the PR and between 99a8147 and 26740fd.

📒 Files selected for processing (15)

• adr/decisions/2026-03-30-namespaced-subject-mappings-decisioning.md
• docs/namespaced-subject-mappings-decisioning-plan.md
• service/authorization/v2/authorization.go
• service/authorization/v2/config.go
• service/internal/access/v2/evaluate.go
• service/internal/access/v2/evaluate_test.go
• service/internal/access/v2/helpers_test.go
• service/internal/access/v2/just_in_time_pdp.go
• service/internal/access/v2/pdp.go
• service/internal/access/v2/pdp_test.go
• service/internal/subjectmappingbuiltin/subject_mapping_builtin_actions.go
• service/internal/subjectmappingbuiltin/subject_mapping_builtin_actions_test.go
• tests-bdd/cukes/resources/platform.namespaced_policy.template
• tests-bdd/cukes/steps_subjectmappings.go
• tests-bdd/features/namespaced-decisioning.feature

[github-actions]

X-Test Failure Report

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	192.176089ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	97.047772ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	425.711707ms
Throughput	234.90 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	42.165398514s
Average Latency	419.919515ms
Throughput	118.58 requests/second

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	194.763155ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	99.847303ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	386.503988ms
Throughput	258.73 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.769552371s
Average Latency	396.022769ms
Throughput	125.72 requests/second

[github-actions]

X-Test Failure Report

✅ go-pull-3226
✅ go-v0.9.0
✅ java-pull-3226
✅ java-v0.9.0
✅ js-pull-3226
✅ js-v0.9.0
test-cases-mapping-report
bats-test-results
cukes-report
opentdfplatformJPBN1J.dockerbuild
govulncheck-failure-7
govulncheck-failure-4
govulncheck-failure-2
govulncheck-failure-0
govulncheck-failure-1

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	201.952907ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	98.296541ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	400.509993ms
Throughput	249.68 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.138271322s
Average Latency	399.242392ms
Throughput	124.57 requests/second

[github-actions]

X-Test Results

✅ go-pull-3226
test-cases-mapping-report
bats-test-results
✅ java-pull-3226
✅ go-v0.9.0
✅ js-pull-3226
✅ java-v0.9.0
✅ js-v0.9.0
cukes-report
opentdfplatformMWGOZ2.dockerbuild
govulncheck-failure-2
govulncheck-failure-7
govulncheck-failure-0
govulncheck-failure-1
govulncheck-failure-4

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	201.951931ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	100.603873ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	409.494013ms
Throughput	244.20 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	42.255434758s
Average Latency	420.431907ms
Throughput	118.33 requests/second

[github-actions]

X-Test Results

✅ go-pull-3226
✅ java-pull-3226
✅ go-v0.9.0
✅ js-pull-3226
✅ java-v0.9.0
test-cases-mapping-report
bats-test-results
✅ js-v0.9.0
cukes-report
opentdfplatform0C6TYS.dockerbuild
govulncheck-failure-7
govulncheck-failure-2
govulncheck-failure-0
govulncheck-failure-1
govulncheck-failure-4

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	143.655196ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	67.938174ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	333.513464ms
Throughput	299.84 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	33.091414223s
Average Latency	329.332064ms
Throughput	151.10 requests/second

[github-actions]

X-Test Failure Report

✅ java-pull-3226
✅ js-v0.9.0
test-cases-mapping-report
bats-test-results
opentdfplatformSKJ7NU.dockerbuild
govulncheck-failure-7
govulncheck-failure-2
govulncheck-failure-1
govulncheck-failure-0
govulncheck-failure-4

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	189.781962ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	97.234299ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	400.154609ms
Throughput	249.90 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	42.4788976s
Average Latency	423.450194ms
Throughput	117.71 requests/second

[github-actions]

X-Test Failure Report

test-cases-mapping-report
bats-test-results
cukes-report
opentdfplatformMKED55.dockerbuild
govulncheck-failure-7
govulncheck-failure-2
govulncheck-failure-4
govulncheck-failure-0
govulncheck-failure-1

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	136.718189ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	72.849012ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	331.85787ms
Throughput	301.33 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	34.041389204s
Average Latency	338.990036ms
Throughput	146.88 requests/second

[github-actions]

X-Test Failure Report

cukes-report
opentdfplatformR6OBBL.dockerbuild
govulncheck-failure-7
govulncheck-failure-2
govulncheck-failure-1
govulncheck-failure-0
govulncheck-failure-4

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	157.783675ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	71.902833ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	340.587951ms
Throughput	293.61 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	34.57162463s
Average Latency	343.461723ms
Throughput	144.63 requests/second

[github-actions]

X-Test Failure Report

test-cases-mapping-report
bats-test-results
cukes-report
opentdfplatformVD54FA.dockerbuild
govulncheck-failure-7
govulncheck-failure-1
govulncheck-failure-2
govulncheck-failure-0
govulncheck-failure-4

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	180.468676ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	93.934149ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	439.947736ms
Throughput	227.30 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	43.509419881s
Average Latency	433.024833ms
Throughput	114.92 requests/second

[github-actions]

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

• examples
• sdk
• service
• lib/fixtures
• tests-bdd

See the workflow run for details.

[github-actions]

X-Test Results

✅ go-pull-3226
✅ go-v0.9.0
✅ java-v0.9.0
✅ java-pull-3226
✅ js-v0.9.0
✅ js-pull-3226
test-cases-mapping-report
bats-test-results
cukes-report
opentdfplatformPNZZSL.dockerbuild
govulncheck-failure-7
govulncheck-failure-0
govulncheck-failure-2
govulncheck-failure-1
govulncheck-failure-4

[jakedoublev]

merge conflict?

[jakedoublev]

Looks like some otel stuff got removed? 79e3a29