feat(policy): add GetObligationTrigger RPC #3318

Merged: jakedoublev merged 6 commits into main from feat/DSPX-2931 (Apr 17, 2026)


@jakedoublev jakedoublev commented Apr 17, 2026

Proposed Changes

  • Add GetObligationTrigger RPC

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

Summary by CodeRabbit

  • New Features

    • Added a new API method to retrieve a single obligation trigger by its ID.
  • Documentation

    • Updated API documentation to clarify sort direction handling in list operations, including behavior for unspecified or omitted sort parameters.

@jakedoublev jakedoublev requested review from a team as code owners April 17, 2026 15:51
@github-actions github-actions Bot added the comp:db, comp:policy, comp:sdk, docs and size/l labels Apr 17, 2026

coderabbitai Bot commented Apr 17, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 22cd04c3-212b-427c-9e22-be56e1b48c0d

📥 Commits

Reviewing files that changed from the base of the PR and between fcf2711 and 15f18a8.

📒 Files selected for processing (2)
  • service/policy/db/obligations.go
  • service/policy/obligations/obligations_test.go
📝 Walkthrough


A new GetObligationTrigger RPC endpoint is added to the policy obligations service, including proto message definitions, database query implementation with shared hydration logic, service handler, Connect client/server stubs, SDK wrapper, integration tests, and OpenAPI documentation updates.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Proto & API Definitions: service/policy/obligations/obligations.proto, docs/grpc/index.html | Added GetObligationTriggerRequest and GetObligationTriggerResponse message definitions with GetObligationTrigger RPC marked as NO_SIDE_EFFECTS idempotent; updated generated HTML documentation. |
| Database Query Layer: service/policy/db/queries/obligations.sql, service/policy/db/obligations.sql.go | Added new SQL query getObligationTrigger that fetches a single obligation trigger by ID, returning trigger and metadata JSON fields with nested joins to obligations, actions, and attributes. |
| Database Service Layer: service/policy/db/obligations.go | Introduced hydrateObligationTrigger helper to centralize unmarshalling and FQN reconstruction; added GetObligationTrigger method with UUID validation; refactored CreateObligationTrigger and ListObligationTriggers to use the new helper, eliminating duplicated logic. |
| Service Handler & SDK Wrapper: service/policy/obligations/obligations.go, sdk/sdkconnect/obligations.go, protocol/go/policy/obligations/obligationsconnect/obligations.connect.go | Added GetObligationTrigger service handler, SDK wrapper method, and Connect client/server procedure with idempotency configuration and HTTP routing. |
| OpenAPI Documentation: docs/openapi/policy/obligations/obligations.openapi.yaml, docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml | Added new POST endpoint schema and request/response components for GetObligationTrigger; updated SortDirection enum description across APIs; removed stale description from AddObligationTriggerRequest. |
| Test Coverage: service/policy/obligations/obligations_test.go, service/integration/obligation_triggers_test.go | Added request validation test with table-driven cases for valid UUID, invalid UUID, and missing ID; added integration tests for successful retrieval and not-found error scenarios. |
| Schema Documentation: service/policy/db/schema_erd.md | Removed entire ERD Mermaid diagram content (entity blocks and relationships). |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Client
    participant ServiceHandler as Service Handler
    participant DBClient as DB Client
    participant SQLQuery as SQL Query
    participant DB as Database

    Client->>ServiceHandler: GetObligationTrigger(id)
    ServiceHandler->>DBClient: GetObligationTrigger(ctx, req)
    DBClient->>DBClient: Validate UUID
    DBClient->>SQLQuery: Execute getObligationTrigger
    SQLQuery->>DB: SELECT ... JOIN ... WHERE id = ?
    DB-->>SQLQuery: Return trigger JSON, metadata JSON
    SQLQuery-->>DBClient: getObligationTriggerRow
    DBClient->>DBClient: hydrateObligationTrigger()
    DBClient->>DBClient: Unmarshal trigger & metadata
    DBClient->>DBClient: Reconstruct ObligationValue.Fqn
    DBClient-->>ServiceHandler: *policy.ObligationTrigger, error
    ServiceHandler-->>Client: GetObligationTriggerResponse{Trigger}, error
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

Suggested labels

comp:db, comp:policy, size/m, docs

Suggested reviewers

  • elizabethhealy
  • c-r33d
  • alkalescent

Poem

🐰 A trigger is fetched with graceful delight,
By ID through the database's dark night,
Hydration flows swift, metadata gleams,
New queries and handlers fulfill API dreams! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(policy): add GetObligationTrigger RPC' directly and clearly describes the main change: adding a new RPC method called GetObligationTrigger to the policy service, which aligns perfectly with the changeset's primary objective. |


@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new RPC endpoint to the policy service, enabling clients to retrieve specific obligation triggers by their unique identifier. The changes span the entire stack, including protocol buffer definitions, service implementation, database query logic, and corresponding test coverage to ensure robust functionality.

Highlights

  • New RPC Method: Added the GetObligationTrigger RPC method to the obligations service to allow retrieval of specific obligation triggers by ID.
  • Database Layer Updates: Implemented the necessary SQL query and database client logic to fetch obligation trigger details, including hydration of related metadata.
  • Testing and Validation: Added comprehensive unit tests for request validation and integration tests to verify successful retrieval and error handling for non-existent triggers.


Ignored Files
  • Ignored by pattern: docs/openapi/**/* (2)
    • docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml
    • docs/openapi/policy/obligations/obligations.openapi.yaml
  • Ignored by pattern: protocol/**/* (3)
    • protocol/go/policy/obligations/obligations.pb.go
    • protocol/go/policy/obligations/obligations_grpc.pb.go
    • protocol/go/policy/obligations/obligationsconnect/obligations.connect.go

A trigger sought by ID so clear, To fetch the data drawing near. With SQL joined and tests in place, It finds its home within the space.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

| Metric | Value |
|---|---|
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 200.803762ms |

Benchmark authorization.v2.GetMultiResourceDecision Results:

| Metric | Value |
|---|---|
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 103.371385ms |

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 404.980885ms |
| Throughput | 246.93 requests/second |

TDF3 Benchmark Results:

| Metric | Value |
|---|---|
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 44.92286768s |
| Average Latency | 446.678744ms |
| Throughput | 111.30 requests/second |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/grpc/index.html`:
- Line 12960: The docs currently render an empty paragraph for
AddObligationTriggerRequest; restore a short proto comment for the
AddObligationTriggerRequest message in the proto definition (the comment
directly above the AddObligationTriggerRequest message) describing its purpose,
then regenerate the documentation so the brief description appears in
docs/grpc/index.html. Ensure the comment uses the proto comment style (// or /**
*/) and references AddObligationTriggerRequest so the docs generator picks it
up.

In `@docs/openapi/policy/obligations/obligations.openapi.yaml`:
- Around line 1672-1682: The generated OpenAPI has a stray "description:
Triggers" attached to the message GetObligationTriggerRequest; move the proto
comment in service/policy/obligations/obligations.proto so it isn't a leading
comment on a message (e.g., attach the "Triggers" comment to the RPC/service
block or a non-message token or remove it), then regenerate the OpenAPI;
specifically update the proto around the
GetObligationTriggerRequest/AddObligationTriggerRequest area so the "Triggers"
section header is not a leading comment on the GetObligationTriggerRequest
message before regenerating the YAML.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a0aebf4c-4266-4c08-9bce-604a49cb3c5a

📥 Commits

Reviewing files that changed from the base of the PR and between 017362e and fcf2711.

⛔ Files ignored due to path filters (2)
  • protocol/go/policy/obligations/obligations.pb.go is excluded by !**/*.pb.go
  • protocol/go/policy/obligations/obligations_grpc.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (13)
  • docs/grpc/index.html
  • docs/openapi/policy/kasregistry/key_access_server_registry.openapi.yaml
  • docs/openapi/policy/obligations/obligations.openapi.yaml
  • protocol/go/policy/obligations/obligationsconnect/obligations.connect.go
  • sdk/sdkconnect/obligations.go
  • service/integration/obligation_triggers_test.go
  • service/policy/db/obligations.go
  • service/policy/db/obligations.sql.go
  • service/policy/db/queries/obligations.sql
  • service/policy/db/schema_erd.md
  • service/policy/obligations/obligations.go
  • service/policy/obligations/obligations.proto
  • service/policy/obligations/obligations_test.go
💤 Files with no reviewable changes (1)
  • service/policy/db/schema_erd.md

Comment thread docs/grpc/index.html
Comment thread docs/openapi/policy/obligations/obligations.openapi.yaml

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces the GetObligationTrigger RPC, encompassing protobuf definitions, database integration, and SDK updates. The implementation includes a refactor of the database layer to use a centralized hydrateObligationTrigger function for consistent object hydration. A significant issue was found in the documentation where the database schema ERD was entirely removed; this should be updated to include the new trigger relationships instead of being deleted.

I am having trouble creating individual review comments. Click here to see my feedback.

service/policy/db/schema_erd.md (1-4)

medium

The Mermaid ERD diagram was completely removed. If this file is intended to document the database schema, it should be updated with the new obligation_triggers table relationship rather than being emptied.

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

| Metric | Value |
|---|---|
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 159.581735ms |

Benchmark authorization.v2.GetMultiResourceDecision Results:

| Metric | Value |
|---|---|
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 84.231083ms |

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 424.684924ms |
| Throughput | 235.47 requests/second |

TDF3 Benchmark Results:

| Metric | Value |
|---|---|
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 44.378582618s |
| Average Latency | 441.867496ms |
| Throughput | 112.67 requests/second |

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

| Metric | Value |
|---|---|
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 199.113989ms |

Benchmark authorization.v2.GetMultiResourceDecision Results:

| Metric | Value |
|---|---|
| Approved Decision Requests | 1000 |
| Denied Decision Requests | 0 |
| Total Time | 94.269016ms |

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 396.855905ms |
| Throughput | 251.98 requests/second |

TDF3 Benchmark Results:

| Metric | Value |
|---|---|
| Total Requests | 5000 |
| Successful Requests | 5000 |
| Failed Requests | 0 |
| Concurrent Requests | 50 |
| Total Time | 42.450800443s |
| Average Latency | 422.663885ms |
| Throughput | 117.78 requests/second |

@github-actions

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@jakedoublev jakedoublev enabled auto-merge April 17, 2026 16:27
@jakedoublev jakedoublev added this pull request to the merge queue Apr 17, 2026
Merged via the queue into main with commit d68e39d Apr 17, 2026
38 checks passed
@jakedoublev jakedoublev deleted the feat/DSPX-2931 branch April 17, 2026 16:54
github-merge-queue Bot pushed a commit that referenced this pull request Apr 17, 2026
🤖 I have created a release *beep* *boop*
---


## [0.24.0](protocol/go/v0.23.0...protocol/go/v0.24.0) (2026-04-17)

### Features

* **policy:** add GetObligationTrigger RPC ([#3318](#3318)) ([d68e39d](d68e39d))
* **policy:** add sort ListSubjectMappings API ([#3255](#3255)) ([9d5d757](9d5d757))
* **policy:** add sort support to ListKeyAccessServer ([#3287](#3287)) ([7fae2d7](7fae2d7))
* **policy:** add sort support to listobligations api ([#3300](#3300)) ([9221cac](9221cac))
* **policy:** add sort support to ListSubjectConditionSets API ([#3272](#3272)) ([9010f12](9010f12))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
marythought added a commit to opentdf/docs that referenced this pull request Apr 21, 2026
## Summary

Documents user-facing changes from the [SDK v0.16.0
release](https://github.com/opentdf/platform/releases/tag/sdk/v0.16.0):

- **KAS error classification (breaking change)**: New
`ErrKASRequestError` sentinel distinguishes misconfiguration from
tamper. Adds migration guide with error classification table and code
snippet for Go SDK consumers who check `ErrTampered`.
([opentdf/platform#3166](opentdf/platform#3166))
- **OIDC trailing-slash issuer fix**: Troubleshooting entry for
`unexpected end of JSON input` during OIDC discovery with IDPs like
Authentik that use trailing-slash issuer URLs.
([opentdf/platform#3261](opentdf/platform#3261))
- **GetObligationTrigger RPC**: New collapsible section with Go/JS
signatures, parameters, and examples — follows the existing
Add/List/Remove trigger pattern.
([opentdf/platform#3318](opentdf/platform#3318))
- **SDK version annotations**: New methods now include an *Available
since [SDK vX.Y.Z](link)* note after the signature block, linking to the
release

## Test plan

- [x] `npx docusaurus build` succeeds
- [x] `vale` passes with 0 errors/warnings/suggestions
- [ ] Verify Surge preview renders all three sections correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>