feat(cli): SCS commit #3304

Merged
c-r33d merged 2 commits into DSPX-2655-migrate-otdfctl from step-4-commit-migrations-scs
Apr 14, 2026

@c-r33d c-r33d commented Apr 14, 2026

Proposed Changes

1.) Commit subject-condition-sets
2.) Refactor code placement to avoid large execute.go file size.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

Release Notes

  • New Features

    • Added support for executing actions and subject condition sets within namespaced policy migrations
    • Enhanced execution result tracking with detailed failure diagnostics
  • Refactor

    • Streamlined error naming conventions across migration execution flows
    • Optimized internal state caching for target resolution
  • Tests

    • Expanded test coverage for policy execution and error handling scenarios

@c-r33d c-r33d requested a review from a team as a code owner April 14, 2026 18:52

coderabbitai bot commented Apr 14, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d172b219-33e5-4b5f-97c7-4a1c03e97d03

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the namespacedpolicy migration executor by introducing a modular architecture for handling different policy types. It specifically implements the execution logic for SubjectConditionSets, allowing the system to process and apply these policy elements during migrations. The changes enhance the clarity, maintainability, and extensibility of the migration tool by separating concerns and improving error reporting.

Highlights

  • Modularization of Executor: The Executor now uses separate, dedicated files for handling the execution of different policy types (Actions, Subject Condition Sets, etc.), improving code organization and maintainability.
  • Implementation of Subject Condition Set Execution: New functionality has been added to process and execute SubjectConditionSet plans, including creation, caching of target IDs, and robust error handling.
  • Refactored Error Handling and Testing: Error variable names were clarified, and test files were reorganized and expanded to support the new modular structure and SubjectConditionSet execution.


Code splits and grows, New sets of rules now flow, Order starts to bloom.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request refactors the namespaced policy migration executor by modularizing the execution logic for Actions and Subject Condition Sets (SCS). It updates the Executor struct to cache target plans, renames error constants for better clarity, and introduces shared test helpers. Key feedback includes addressing potential runtime panics when accessing nested maps in the action and SCS caches, and ensuring that TargetStatusExistingStandard is correctly handled during SCS execution to maintain consistency with the action execution flow.

Comment thread otdfctl/migrations/namespacedpolicy/actions_execute.go Outdated
Comment thread otdfctl/migrations/namespacedpolicy/subject_condition_sets_execute.go Outdated
@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 202.024008ms |

Benchmark authorization.v2.GetMultiResourceDecision Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 88.220627ms |

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
| --- | --- | --- | --- | --- |

Bulk Benchmark Results

| Metric | Value |
| --- | --- |
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 384.614036ms |
| Throughput | 260.00 requests/second |

TDF3 Benchmark Results:

| Metric | Value |
| --- | --- |
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 39.800452092s |
| Average Latency | 396.203916ms |
| Throughput | 125.63 requests/second |

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 191.647212ms |

Benchmark authorization.v2.GetMultiResourceDecision Results:

| Metric | Value |
| --- | --- |
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 102.608049ms |

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
| --- | --- | --- | --- | --- |

Bulk Benchmark Results

| Metric | Value |
| --- | --- |
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 392.400538ms |
| Throughput | 254.84 requests/second |

TDF3 Benchmark Results:

| Metric | Value |
| --- | --- |
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 41.060934615s |
| Average Latency | 408.753959ms |
| Throughput | 121.77 requests/second |

@github-actions

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@otdfctl/migrations/namespacedpolicy/execute.go`:
- Around line 61-74: The Execute function is currently calling all phase helpers
unconditionally which lets planning-only loaded slices (e.g., registered
resources or obligation triggers loaded as reverse-dependency context) run;
change Execute to gate each phase dispatch by the plan scopes (or pass scopes
through) so only explicitly requested scopes run: call executeActions only if
plan.Scopes includes ScopeActions, call executeSubjectConditionSets only if
ScopeSubjectConditionSets is present, call executeSubjectMappings only if
ScopeSubjectMappings is present, and similarly guard executeRegisteredResources
and executeObligationTriggers (noting that requiresRegisteredResources() and
requiresObligationTriggers() may return true when ScopeActions is present for
planning—do not treat that as permission to execute those phases unless
plan.Scopes explicitly includes them). Ensure you reference the plan.Scopes set
(or thread scopes into per-phase APIs) and update the conditional checks around
executeActions, executeSubjectConditionSets, executeSubjectMappings,
executeRegisteredResources, and executeObligationTriggers accordingly.

In `@otdfctl/migrations/namespacedpolicy/subject_condition_sets_execute_test.go`:
- Around line 107-111: Add an assertion to this test to verify that when a
target is marked with TargetStatusAlreadyMigrated the executor cache is seeded:
after locating migratedTarget (plan.SubjectConditionSets[0].Targets[1]) and
confirming migratedTarget.Execution is nil, assert that
executor.cachedScsTargetID("scs-2", namespace1) equals the expected migrated
target ID (the same value used for the already-migrated target) so the test
covers the cache write performed for TargetStatusAlreadyMigrated.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 47093f49-69b4-454f-9839-7a145429ec32

📥 Commits

Reviewing files that changed from the base of the PR and between 6fe9afe and 440c2e4.

📒 Files selected for processing (10)
  • otdfctl/migrations/namespacedpolicy/actions_execute.go
  • otdfctl/migrations/namespacedpolicy/actions_execute_test.go
  • otdfctl/migrations/namespacedpolicy/execute.go
  • otdfctl/migrations/namespacedpolicy/execute_test_helpers_test.go
  • otdfctl/migrations/namespacedpolicy/obligation_triggers_execute.go
  • otdfctl/migrations/namespacedpolicy/plan.go
  • otdfctl/migrations/namespacedpolicy/registered_resources_execute.go
  • otdfctl/migrations/namespacedpolicy/subject_condition_sets_execute.go
  • otdfctl/migrations/namespacedpolicy/subject_condition_sets_execute_test.go
  • otdfctl/migrations/namespacedpolicy/subject_mappings_execute.go

Comment thread otdfctl/migrations/namespacedpolicy/execute.go
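
The scope gating requested in the CodeRabbit comment on execute.go, as an added sketch that is not the PR's code. `Plan`, its `Loaded` field, the `gated` flag, `ScopeRegisteredResources` and the sample IDs are assumptions made for illustration; `ScopeActions` and `ScopeSubjectConditionSets` are the names used in the comment.

```go
package main

import "fmt"

// Scope names follow the review comment; every type here is an assumption.
type Scope string

const (
	ScopeActions              Scope = "actions"
	ScopeSubjectConditionSets Scope = "subject-condition-sets"
	ScopeRegisteredResources  Scope = "registered-resources" // assumed name
)

// Plan is a hypothetical stand-in for the migration plan.
type Plan struct {
	Scopes map[Scope]bool     // scopes the operator explicitly requested
	Loaded map[Scope][]string // everything the planner read, context included
}

// Execute returns the writes performed and the loaded scopes it skipped.
// gated=false reproduces the flagged behaviour: every loaded slice executes.
func Execute(p Plan, gated bool) (writes []string, skipped []Scope) {
	for _, s := range []Scope{ScopeActions, ScopeSubjectConditionSets, ScopeRegisteredResources} {
		if gated && !p.Scopes[s] {
			if len(p.Loaded[s]) > 0 {
				skipped = append(skipped, s) // planning context only, never written
			}
			continue
		}
		for _, id := range p.Loaded[s] {
			writes = append(writes, string(s)+"/"+id)
		}
	}
	return writes, skipped
}

// samplePlan is constructed: only actions are requested; rr-1 was loaded
// because it references one of those actions.
var samplePlan = Plan{
	Scopes: map[Scope]bool{ScopeActions: true},
	Loaded: map[Scope][]string{ScopeActions: {"a-1"}, ScopeRegisteredResources: {"rr-1"}},
}

func main() {
	fmt.Println(Execute(samplePlan, false)) // ungated: rr-1 is written too
	fmt.Println(Execute(samplePlan, true))  // gated: only a-1 is written
}
```

Reporting skipped scopes separately gives the operator a record of what was loaded as context but deliberately left untouched.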
@c-r33d c-r33d merged commit 4b2b856 into DSPX-2655-migrate-otdfctl Apr 14, 2026
36 checks passed
@c-r33d c-r33d deleted the step-4-commit-migrations-scs branch April 14, 2026 22:02