From 837592a2dc8346099b4e16c2ec5761d889af7a59 Mon Sep 17 00:00:00 2001 From: Mary Dickson Date: Thu, 14 May 2026 11:24:41 -0700 Subject: [PATCH 1/3] feat(docs): document WithPolicyFrom re-wrap helper MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a tdf.mdx section for sdk.WithPolicyFrom, the option-builder helper landing as part of DSPX-2603. The function returns a TDFOption that binds the source TDF's policy (attribute FQNs) to a new TDF being created — useful in re-wrap pipelines where the policy should carry forward without callers handling base64+JSON manifest encoding. Demo output of the /docs-drift skill — example block is mined verbatim from the function's godoc, no inference. Section placed after IsValidTdf since both are re-wrap-flavored helpers. Skill's name-only sniff proposed a new with-policy-from.mdx file; placement overridden manually to match the existing tdf.mdx structure. Not for merge until the underlying sdk.WithPolicyFrom function lands in opentdf/platform. Co-Authored-By: Claude Opus 4.7 (1M context) Signed-off-by: Mary Dickson --- docs/sdks/tdf.mdx | 49 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/docs/sdks/tdf.mdx b/docs/sdks/tdf.mdx index 9baa9727..7c64150b 100644 --- a/docs/sdks/tdf.mdx +++ b/docs/sdks/tdf.mdx 
@@ -600,6 +600,55 @@ A non-nil error (Go) or `IOException` (Java) indicates an I/O failure reading th --- +## WithPolicyFrom + +Returns a `TDFOption` that binds the source TDF's policy — its attribute value FQNs — to the new TDF being created. Use this in re-wrap pipelines to preserve the source policy without having to know about the manifest's base64 + JSON encoding. + +**Signature** + + + + + + +```go +func WithPolicyFrom(r *Reader) TDFOption +``` + +This is a package-level function in the `sdk` package, not a method on the client. + + + + +**Parameters** + +| Parameter | Required | Description | +|-----------|----------|-------------| +| `r` | Required | An initialized `*sdk.Reader`, typically returned by [`LoadTDF`](#loadtdf). Must have `Init(ctx)` called before being passed here — `Reader.DataAttributes` requires the policy field to be parsed. | + +**Example** + + + + +```go +if ok, _ := sdk.IsValidTdf(file); !ok { + // pass through unchanged +} +reader, _ := s.LoadTDF(file) +_ = reader.Init(ctx) +_, _ = s.CreateTDF(out, transformed, sdk.WithPolicyFrom(reader)) +``` + + + + +**Returns** + +A `TDFOption` that, when applied to a `TDFConfig` via [`CreateTDF`](#createtdf), binds all attribute value FQNs from the source TDF's policy to the new TDF. Returns an error during config application if the source `Reader` is nil or its `DataAttributes` cannot be read. + +--- + ## BulkDecrypt Decrypts multiple TDFs in a single operation, batching KAS key rewrap requests to reduce round-trip overhead. From 18221fc3cad92444e7bf982f219f85ae035ec868 Mon Sep 17 00:00:00 2001 
From: Mary Dickson Date: Wed, 20 May 2026 11:35:25 -0700 Subject: [PATCH 2/3] fix(sdk): correct WithPolicyFrom example and parameter docs - Reader.Init is not required; DataAttributes reads from the manifest which LoadTDF already populated. Calling Init triggers an unnecessary KAS rewrap. - Add missing return after IsValidTdf check - Add error handling for LoadTDF - Use `client` instead of `s` for consistency with the rest of the page Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Mary Dickson --- docs/sdks/tdf.mdx | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/sdks/tdf.mdx b/docs/sdks/tdf.mdx index 7c64150b..db632c3f 100644 --- a/docs/sdks/tdf.mdx +++ b/docs/sdks/tdf.mdx @@ -624,7 +624,7 @@ This is a package-level function in the `sdk` package, not a method on the clien | Parameter | Required | Description | |-----------|----------|-------------| -| `r` | Required | An initialized `*sdk.Reader`, typically returned by [`LoadTDF`](#loadtdf). Must have `Init(ctx)` called before being passed here — `Reader.DataAttributes` requires the policy field to be parsed. | +| `r` | Required | A `*sdk.Reader` returned by [`LoadTDF`](#loadtdf). `Reader.Init` is not required — [`DataAttributes`](#dataattributes) reads the policy from the manifest, which `LoadTDF` has already populated. | **Example** @@ -633,11 +633,13 @@ This is a package-level function in the `sdk` package, not a method on the clien ```go if ok, _ := sdk.IsValidTdf(file); !ok { - // pass through unchanged + return // pass through unchanged } -reader, _ := s.LoadTDF(file) -_ = reader.Init(ctx) -_, _ = s.CreateTDF(out, transformed, sdk.WithPolicyFrom(reader)) +reader, err := client.LoadTDF(file) +if err != nil { + return err +} +_, err = client.CreateTDF(out, transformed, sdk.WithPolicyFrom(reader)) ``` From c6fc6c71be27914b06ff5dcb633e597da435394c Mon Sep 17 00:00:00 2001 
From: Mary Dickson Date: Wed, 20 May 2026 11:43:08 -0700 Subject: [PATCH 3/3] fix(sdk): add missing SdkVersion import to tdf.mdx Co-Authored-By: Claude Opus 4.6 (1M context) Signed-off-by: Mary Dickson --- docs/sdks/tdf.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/sdks/tdf.mdx b/docs/sdks/tdf.mdx index db632c3f..a0c04ae6 100644 --- a/docs/sdks/tdf.mdx +++ b/docs/sdks/tdf.mdx @@ -9,6 +9,7 @@ import EncryptOptions from '../../code_samples/tdf/encrypt_options.mdx' import DecryptOptions from '../../code_samples/tdf/decrypt_options.mdx' import AssertionExamples from '../../code_samples/tdf/assertion_examples.mdx' import JsAuthNote from '../../code_samples/js_auth_note.mdx' +import SdkVersion from '@site/src/components/SdkVersion' # TDF
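Review bot: in the **Example** block of [PATCH 1/3] (hunk `@@ -600,6 +600,55 @@`), every error is discarded, including the one from `_, _ = s.CreateTDF(out, transformed, sdk.WithPolicyFrom(reader))`, which the **Returns** paragraph in the same hunk names as the place where a nil `Reader` or unreadable `DataAttributes` is reported. Because `reader, _ := s.LoadTDF(file)` also drops its error, a failed load can reach `WithPolicyFrom` as a possibly nil reader, and the only signal that the policy was not carried forward is thrown away. Readers will copy this re-wrap example, so it should check each error and stop before writing output. The `!ok` branch also needs a `return`: as written it holds only a comment and falls through to `LoadTDF` for input that is not a TDF.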
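Review bot: in the `r` parameter row of [PATCH 2/3] (hunk `@@ -624,7 +624,7 @@`), the new text says only that `Reader.Init` is not required, while the commit message carries the reason a reader needs: calling it triggers an unnecessary KAS rewrap. Suggest stating that cost in the row so callers remove the call instead of keeping it as harmless. The row also links to `#dataattributes`, and none of the hunks in this series shows that heading, so confirm the anchor resolves in tdf.mdx.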
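Review bot: in the revised example of [PATCH 2/3] (hunk `@@ -633,11 +633,13 @@`), `return // pass through unchanged` is a bare return while the `LoadTDF` branch does `return err`, so the snippet cannot be a single function body as written; pick one signature, for instance `return nil` in the pass-through branch. The last line assigns `_, err = client.CreateTDF(...)` and the example ends without checking `err`, which is the error the **Returns** paragraph ties to policy binding, so add the `if err != nil` check there too. `if ok, _ := sdk.IsValidTdf(file)` still drops its error, and the context line above the section says a non-nil error indicates an I/O failure, so a read failure is treated as "not a TDF" and passed through unchanged.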
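Review bot: the `import SdkVersion from '@site/src/components/SdkVersion'` line added in [PATCH 3/3] (hunk `@@ -9,6 +9,7 @@`) has no use of `SdkVersion` in the hunks visible in this series, and the commit message does not say which section needs it. If the component is used by the `WithPolicyFrom` section from [PATCH 1/3], fold this import into that commit so the page builds at every commit in the series. The `fix(sdk)` prefix also does not match a change that touches only docs/sdks/tdf.mdx; [PATCH 1/3] uses `feat(docs)` for the same file.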