Add reject_if grant cancellation support

[alan-lee-12]

Description

• Add reject_if grant provisioning checks that cancel matching grants before any grant mutations run.

[linear-code]

FDE-222

[github-actions]

🟡 Suggestion: These vendor files (rejected.go and annotation_grant_rejected.pb.go) don't exist in baton-sdk v0.9.20 (the version in go.mod), nor on the SDK's main branch. Running go mod vendor will remove them. If the SDK feature is being developed in parallel, consider pointing go.mod at the SDK commit/branch that contains these types, or document the manual-vendor intent so a future go mod tidy && go mod vendor doesn't silently break the build.

[github-actions]

🟡 Suggestion: The RejectIf.Query SQL is validated for variable references here, but the RejectIf.Reason CEL expression is not validated at startup. A syntax error in the Reason expression would only surface at runtime when a grant is actually rejected. Consider adding a CEL parse/check call here so misconfigured expressions fail early during validation.

[github-actions]

Connector PR Review: Add reject_if grant cancellation support

Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review mode: full
View review run

Review Summary

This PR adds a reject_if configuration option for grant provisioning that cancels a grant before mutations run when a policy query returns rows. The implementation is clean: the reject check runs inside the transaction boundary, the CEL reason expression is evaluated against the first returned row (callback correctly breaks after one row), validation covers the new query's variables, and existing ErrQueryAffectedZeroRows / GrantAlreadyExists behavior is preserved. Three focused tests cover the match, no-match, and backward-compatibility paths. No issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

None.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.