feat: add system metadata assertions to TDFConfig #2446
Summary of Changes
Hello @strantalis, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request implements a new feature that automatically embeds system metadata as an assertion within TDF files. This provides valuable environmental context for each TDF, improving data provenance and enabling better auditing of where and how TDFs are generated.
Highlights
- New Feature: System Metadata Assertions: This pull request introduces the capability to automatically include system-level metadata (such as operating system, Go runtime version, SDK version, hostname, and architecture) as an assertion within a TDF (Trusted Data Format) file. This enhances the traceability and auditing of TDFs by providing contextual information about their creation environment.
- New Configuration Option: A new `TDFOption`, `WithSystemMetadataAssertion()`, has been added. This option allows users to easily enable the automatic inclusion of system metadata assertions when creating a TDF, integrating seamlessly with the existing configuration pattern.
- Dedicated Metadata Generation Function: A new helper function, `GetSystemMetadataAssertionConfig()`, has been implemented in `sdk/assertion.go`. This function is responsible for collecting the relevant system metadata and formatting it into a standard `AssertionConfig` object, ready to be added to the TDF manifest.
- Integration and Testing: The TDF creation process in `sdk/tdf.go` has been updated to conditionally append the generated system metadata assertion if the new configuration option is active. Comprehensive unit tests have also been added in `sdk/tdf_test.go` to validate the correct generation, inclusion, and content of these new assertions.
System details flow, Into TDF's heart they go, Context now we know.
Code Review
This pull request adds a feature to include system metadata as a default assertion in the TDF manifest. The changes involve adding a new option to `TDFConfig`, a function to generate the system metadata assertion, and integrating this into the TDF creation process. The code is generally well-structured, and a unit test is included for the new functionality. Please address the minor issues identified regarding error handling, a typo, and naming consistency.
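An added illustration of the feature the two bot comments describe, written for this page and not taken from the SDK: a Go sketch that collects the fields the summary lists and validates them on the reading side. The type, the function names, the JSON keys and the switch for leaving the hostname out are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"runtime"
)

// SystemMetadata holds the fields named in the PR summary. The JSON key
// names are assumptions for this example, not the SDK's schema.
type SystemMetadata struct {
	OS         string `json:"os"`
	Arch       string `json:"arch"`
	GoVersion  string `json:"go_version"`
	SDKVersion string `json:"sdk_version"`
	Hostname   string `json:"hostname,omitempty"`
}

// Collect gathers the metadata. includeHostname (hypothetical switch) keeps
// the machine name out of files that will leave the organisation.
func Collect(sdkVersion string, includeHostname bool) SystemMetadata {
	m := SystemMetadata{OS: runtime.GOOS, Arch: runtime.GOARCH,
		GoVersion: runtime.Version(), SDKVersion: sdkVersion}
	if includeHostname {
		if h, err := os.Hostname(); err == nil {
			m.Hostname = h
		}
	}
	return m
}

// Audit parses a metadata value and rejects one that is malformed or is
// missing a provenance field an auditor would rely on.
func Audit(raw []byte) (SystemMetadata, error) {
	var m SystemMetadata
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, fmt.Errorf("malformed metadata: %w", err)
	}
	if m.OS == "" || m.Arch == "" || m.GoVersion == "" || m.SDKVersion == "" {
		return m, errors.New("incomplete system metadata")
	}
	return m, nil
}

func main() {
	// "0.0.0-example" is a constructed placeholder version string.
	raw, _ := json.Marshal(Collect("0.0.0-example", false))
	m, err := Audit(raw)
	fmt.Println(string(raw), m.Hostname == "", err)
}
```

The metadata describes the creating machine, so anyone who can read the manifest can read it too; decide whether the hostname belongs there before enabling the option.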
🤖 I have created a release *beep* *boop*

---

## [0.5.0](sdk/v0.4.7...sdk/v0.5.0) (2025-06-23)

### Features

* add system metadata assertions to TDFConfig ([#2446](#2446)) ([4eb9fff](4eb9fff))
* **core:** DSPX-608 - Deprecate public_client_id ([#2185](#2185)) ([0f58efa](0f58efa))
* **sdk:** adds seeker interface to TDF Reader ([#2385](#2385)) ([63ccd9a](63ccd9a))
* **sdk:** Allow key splits with same algo ([#2454](#2454)) ([7422b15](7422b15))
* **sdk:** autoconfig kaos with kids ([#2438](#2438)) ([c272016](c272016))
* **sdk:** Enable base key support. ([#2425](#2425)) ([9ff3806](9ff3806))

### Bug Fixes

* **ci:** Fix intermittent failures from auth tests ([#2345](#2345)) ([395988a](395988a))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.3.6 to 0.4.0 in /sdk ([#2397](#2397)) ([99e3aa4](99e3aa4))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.4.0 to 0.5.0 in /sdk ([#2471](#2471)) ([e8f97e0](e8f97e0))
* **deps:** bump the external group across 1 directory with 5 updates ([#2400](#2400)) ([0b7ea79](0b7ea79))
* set consistent system metadata id and schema ([#2451](#2451)) ([5db3cf2](5db3cf2))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop*

---

## [0.7.0](sdk/v0.6.1...sdk/v0.7.0) (2025-08-25)

### ⚠ BREAKING CHANGES

* **core:** Require go 1.23+ ([#1979](#1979))

### Features

* add system metadata assertions to TDFConfig ([#2446](#2446)) ([4eb9fff](4eb9fff))
* **authz:** authz v2 versioning implementation ([#2173](#2173)) ([557fc21](557fc21))
* **core:** adds bulk rewrap to sdk and service ([#1835](#1835)) ([11698ae](11698ae))
* **core:** Adds EC withSalt options ([#2126](#2126)) ([67b6fb8](67b6fb8))
* **core:** Adds ErrInvalidPerSchema ([#1860](#1860)) ([456639e](456639e))
* **core:** DSPX-608 - Deprecate public_client_id ([#2185](#2185)) ([0f58efa](0f58efa))
* **core:** EXPERIMENTAL: EC-wrapped key support ([#1902](#1902)) ([652266f](652266f))
* **core:** Expose version info ([#1841](#1841)) ([92a9f5e](92a9f5e))
* **core:** Require go 1.23+ ([#1979](#1979)) ([164c922](164c922))
* **core:** v2 ERS with proto updates ([#2210](#2210)) ([a161ef8](a161ef8))
* **policy:** actions service RPCs should actually hit storage layer CRUD ([#2063](#2063)) ([da4faf5](da4faf5))
* **policy:** Add list key mappings rpc. ([#2533](#2533)) ([fbc2724](fbc2724))
* **policy:** adds new public keys table ([#1836](#1836)) ([cad5048](cad5048))
* **policy:** Allow the deletion of a key. ([#2575](#2575)) ([82b96f0](82b96f0))
* **policy:** Default Platform Keys ([#2254](#2254)) ([d7447fe](d7447fe))
* **policy:** DSPX-902 NDR service crud implementation (2/2) ([#2066](#2066)) ([030ad33](030ad33))
* **policy:** key management crud ([#2110](#2110)) ([4c3d53d](4c3d53d))
* **sdk:** Add a KAS allowlist ([#2085](#2085)) ([d7cfdf3](d7cfdf3))
* **sdk:** add nanotdf plaintext policy ([#2182](#2182)) ([e5c56db](e5c56db))
* **sdk:** adds seeker interface to TDF Reader ([#2385](#2385)) ([63ccd9a](63ccd9a))
* **sdk:** Allow key splits with same algo ([#2454](#2454)) ([7422b15](7422b15))
* **sdk:** Allow schema validation during TDF decrypt ([#1870](#1870)) ([b7e6fb2](b7e6fb2))
* **sdk:** autoconfig kaos with kids ([#2438](#2438)) ([c272016](c272016))
* **sdk:** bump protocol/go v0.6.0 ([#2536](#2536)) ([23e4c2b](23e4c2b))
* **sdk:** CreateTDF option to run with specific target schema version ([#2045](#2045)) ([0976b15](0976b15))
* **sdk:** Enable base key support. ([#2425](#2425)) ([9ff3806](9ff3806))
* **sdk:** Expose connectrpc wrapper codegen for re-use ([#2322](#2322)) ([8b29392](8b29392))
* **sdk:** MIC-1436: User can decrypt TDF files created with FileWatcher2.0.8 and older. ([#1833](#1833)) ([f77d110](f77d110))
* **sdk:** remove hex encoding for segment hash ([#1805](#1805)) ([d7179c2](d7179c2))
* **sdk:** sdk.New should validate platform connectivity and provide precise error ([#1937](#1937)) ([aa3696d](aa3696d))
* **sdk:** Use ConnectRPC in the go client ([#2200](#2200)) ([fc34ee6](fc34ee6))

### Bug Fixes

* Allow parsing IPs as hostnames ([#1999](#1999)) ([d54b550](d54b550))
* **ci:** Fix intermittent failures from auth tests ([#2345](#2345)) ([395988a](395988a))
* **ci:** Update expired ca and certs in oauth unit tests ([#2113](#2113)) ([5440fcc](5440fcc))
* **core:** Autobump sdk ([#1863](#1863)) ([855cb2b](855cb2b))
* **core:** Autobump sdk ([#1873](#1873)) ([085ac7a](085ac7a))
* **core:** Autobump sdk ([#1894](#1894)) ([201244e](201244e))
* **core:** Autobump sdk ([#1917](#1917)) ([edeeb74](edeeb74))
* **core:** Autobump sdk ([#1941](#1941)) ([0a5a948](0a5a948))
* **core:** Autobump sdk ([#1948](#1948)) ([4dfb457](4dfb457))
* **core:** Autobump sdk ([#1968](#1968)) ([7084061](7084061))
* **core:** Autobump sdk ([#1972](#1972)) ([7258f5d](7258f5d))
* **core:** Autobump sdk ([#2102](#2102)) ([0315635](0315635))
* **core:** Fixes protoJSON parse bug on ec rewrap ([#1943](#1943)) ([9bebfd0](9bebfd0))
* **core:** Improves errors when under heavy load ([#2132](#2132)) ([4490a14](4490a14))
* **core:** Update fixtures and flattening in sdk and service ([#1827](#1827)) ([d6d6a7a](d6d6a7a))
* **core:** Updates ec-wrapped to newer salt ([#1961](#1961)) ([0e17968](0e17968))
* **deps:** bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible in /sdk ([#2597](#2597)) ([a68d00d](a68d00d))
* **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.2.0 to 0.3.0 in /sdk ([#2502](#2502)) ([3ec8b35](3ec8b35))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.3.6 to 0.4.0 in /sdk ([#2397](#2397)) ([99e3aa4](99e3aa4))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.4.0 to 0.5.0 in /sdk ([#2471](#2471)) ([e8f97e0](e8f97e0))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.5.0 to 0.5.1 in /sdk ([#2505](#2505)) ([4edab72](4edab72))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.6.0 to 0.6.2 in /sdk ([#2586](#2586)) ([4ed9856](4ed9856))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.6.2 to 0.7.0 in /sdk ([#2627](#2627)) ([e775e14](e775e14))
* **deps:** bump golang.org/x/oauth2 from 0.26.0 to 0.30.0 in /sdk ([#2252](#2252)) ([9b775a2](9b775a2))
* **deps:** bump google.golang.org/grpc from 1.71.0 to 1.72.1 in /sdk ([#2244](#2244)) ([49484e0](49484e0))
* **deps:** bump the external group across 1 directory with 5 updates ([#2400](#2400)) ([0b7ea79](0b7ea79))
* **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE GO-2025-3563 ([#2061](#2061)) ([9c16843](9c16843))
* Improve http.Client usage for security and performance ([#1910](#1910)) ([e6a53a3](e6a53a3))
* **sdk:** adds connection options to getPlatformConfiguration ([#2286](#2286)) ([a3af31e](a3af31e))
* **sdk:** Allow reuse of session key ([#2016](#2016)) ([d48c11e](d48c11e))
* **sdk:** bump lib/ocrypto to 0.1.8 ([#1938](#1938)) ([53fa8ab](53fa8ab))
* **sdk:** bump protocol/go module dependencies ([#2078](#2078)) ([e027f43](e027f43))
* **sdk:** Display proper error on kas rewrap failure ([#2081](#2081)) ([508cbcd](508cbcd))
* **sdk:** everything is `mixedSplits` now ([#1861](#1861)) ([ba78f14](ba78f14))
* **sdk:** Fix compatibility between bulk and non-bulk rewrap ([#1914](#1914)) ([74abbb6](74abbb6))
* **sdk:** Fixed token expiration time ([#1854](#1854)) ([c3cda1b](c3cda1b))
* **sdk:** perfsprint lint issues ([#2208](#2208)) ([d36a078](d36a078))
* **sdk:** Prefer KID and Algorithm selection from key maps ([#2475](#2475)) ([98fd392](98fd392))
* **sdk:** Removes unnecessary down-cast of `int` ([#1869](#1869)) ([66f0c14](66f0c14))
* **sdk:** Version config fix ([#1847](#1847)) ([be5d817](be5d817))
* Service utilize `httputil.SafeHttpClient` ([#1926](#1926)) ([af32700](af32700))
* set consistent system metadata id and schema ([#2451](#2451)) ([5db3cf2](5db3cf2))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Proposed Changes
Checklist
Testing Instructions