feat(main): update proto GIT_TAG to service/v0.8.0#137
Open
Conversation
Owner
b-long
commented
Apr 30, 2026
b-long
commented
- Bump default GIT_TAG from service/v0.7.2 to service/v0.8.0
- Remove unnecessary lambda from re.sub in run_buf_generate()
- Restore buf.gen.yaml to its original content after buf generate runs (was leaking absolute plugin path into tracked file)
- Add sys.path fix in init.py for connect-python v0.6+ absolute import style
- Regenerate all proto files from service/v0.8.0 (new: obligations, updated kasregistry/objects/unsafe/authorization)
- Update test assertion to match new default tag
- Bump default GIT_TAG from service/v0.7.2 to service/v0.8.0 - Remove unnecessary lambda from re.sub in run_buf_generate() - Restore buf.gen.yaml to its original content after buf generate runs (was leaking absolute plugin path into tracked file) - Add sys.path fix in __init__.py for connect-python v0.6+ absolute import style - Regenerate all proto files from service/v0.8.0 (new: obligations, updated kasregistry/objects/unsafe/authorization) - Update test assertion to match new default tag
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the OpenTDF platform protobuf definitions to version 0.8.0, introduces new message types for obligations and key mappings, and adds a new ListKeyMappings RPC. Additionally, it includes updates to the Python generation script and runtime import handling to support newer versions of the Connect-Python plugin. My feedback focuses on cleaning up commented-out code and unused imports in the newly added proto files to improve maintainability.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the generated Python protobuf/Connect/gRPC outputs to match OpenTDF platform service/v0.8.0, along with small generator/test adjustments to keep generation deterministic and imports working with the updated connect generator output.
Changes:
- Bump the default platform
GIT_TAGtoservice/v0.8.0and update the related unit test assertion. - Regenerate protobuf/pyi/connect/legacy-grpc outputs for the updated protos (notably adding Policy Obligations and updating Unsafe/KAS Registry/Authorization protos).
- Update the generation workflow to avoid leaking absolute plugin paths into the tracked
buf.gen.yaml, and add an import workaround for connect-generated absolute imports.
Reviewed changes
Copilot reviewed 25 out of 50 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| otdf-python-proto/tests/test_generate_connect_proto.py | Updates assertion for the new default service/v0.8.0 tag. |
| otdf-python-proto/src/otdf_python_proto/init.py | Adds a sys.path workaround to support connect-generated absolute imports. |
| otdf-python-proto/scripts/generate_connect_proto.py | Updates default tag; restores buf.gen.yaml after generation; adjusts plugin-path substitution. |
| otdf-python-proto/src/otdf_python_proto/wellknownconfiguration/wellknown_configuration_connect.py | Regenerated connect client imports to absolute-style. |
| otdf-python-proto/src/otdf_python_proto/kas/kas_connect.py | Regenerated connect client imports to absolute-style. |
| otdf-python-proto/src/otdf_python_proto/entityresolution/entity_resolution_connect.py | Regenerated connect client imports to absolute-style. |
| otdf-python-proto/src/otdf_python_proto/authorization/authorization_connect.py | Regenerated connect client imports to absolute-style. |
| otdf-python-proto/src/otdf_python_proto/policy/unsafe/unsafe_pb2.py | Regenerated protobuf for updated Unsafe KAS key delete request/response shapes. |
| otdf-python-proto/src/otdf_python_proto/policy/unsafe/unsafe_pb2.pyi | Regenerated stubs for updated Unsafe KAS key delete request/response shapes. |
| otdf-python-proto/src/otdf_python_proto/policy/objects_pb2.py | Regenerated protobuf for new obligation-related policy objects. |
| otdf-python-proto/src/otdf_python_proto/policy/objects_pb2.pyi | Regenerated stubs for new obligation-related policy objects. |
| otdf-python-proto/src/otdf_python_proto/policy/obligations/init.py | Adds/keeps package marker for new obligations module. |
| otdf-python-proto/src/otdf_python_proto/policy/obligations/obligations_pb2.py | New generated protobuf module for obligations service/messages. |
| otdf-python-proto/src/otdf_python_proto/policy/obligations/obligations_pb2.pyi | New generated stubs for obligations service/messages. |
| otdf-python-proto/src/otdf_python_proto/policy/obligations/obligations_connect.py | New generated Connect client/server scaffolding for obligations. |
| otdf-python-proto/src/otdf_python_proto/policy/kasregistry/key_access_server_registry_pb2.py | Regenerated protobuf for KAS Registry changes (incl. key mappings, algorithm validation updates). |
| otdf-python-proto/src/otdf_python_proto/policy/kasregistry/key_access_server_registry_pb2.pyi | Regenerated stubs for KAS Registry changes (incl. key mappings). |
| otdf-python-proto/src/otdf_python_proto/policy/kasregistry/key_access_server_registry_connect.py | Regenerated Connect client/server with new ListKeyMappings RPC. |
| otdf-python-proto/src/otdf_python_proto/authorization/v2/authorization_pb2.py | Regenerated protobuf with updated validation constraints/limits. |
| otdf-python-proto/proto-files/policy/unsafe/unsafe.proto | Updates Unsafe delete KAS key request/response schema. |
| otdf-python-proto/proto-files/policy/objects.proto | Adds obligation-related policy object messages. |
| otdf-python-proto/proto-files/policy/obligations/obligations.proto | Adds new obligations service proto definitions. |
| otdf-python-proto/proto-files/policy/kasregistry/key_access_server_registry.proto | Updates algorithm validation and adds key-mapping RPC/messages. |
| otdf-python-proto/proto-files/authorization/v2/authorization.proto | Updates validation constraints (entity chain size, resource/decision limits). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/obligations/init.py | Adds/keeps package marker for legacy gRPC obligations outputs. |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/obligations/obligations_pb2_grpc.py | New generated legacy gRPC stubs for obligations service. |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/kasregistry/key_access_server_registry_pb2_grpc.py | Regenerated legacy gRPC stubs with new ListKeyMappings RPC. |
| otdf-python-proto/src/otdf_python_proto/logger/audit/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/wellknownconfiguration/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/unsafe/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/subjectmapping/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/resourcemapping/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/registeredresources/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/namespaces/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/keymanagement/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/kasregistry/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/attributes/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/actions/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/policy/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/logger/audit/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/logger/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/kas/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/entityresolution/v2/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/entityresolution/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/entity/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/common/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/authorization/v2/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/legacy_grpc/authorization/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/entityresolution/v2/init.py | Package marker file (created/updated by generation). |
| otdf-python-proto/src/otdf_python_proto/authorization/v2/init.py | Package marker file (created/updated by generation). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+8
to
+16
| from pathlib import Path | ||
| from importlib import metadata | ||
|
|
||
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | ||
| # rather than relative ones. Add this package's directory to sys.path so those imports resolve. | ||
| _pkg_dir = str(Path(__file__).parent) | ||
| if _pkg_dir not in sys.path: | ||
| sys.path.insert(0, _pkg_dir) | ||
|
|
There was a problem hiding this comment.
Modifying sys.path from a library __init__.py (especially inserting at position 0) has global side effects: after importing otdf_python_proto, imports like import policy / import kas may unexpectedly resolve to this package's internal modules and shadow unrelated third-party modules with the same names. Consider an approach that avoids sys.path mutation (e.g., configuring the generator to emit package-prefixed imports, or using explicit module aliasing in sys.modules limited to the needed names).
Suggested change
| from pathlib import Path | |
| from importlib import metadata | |
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | |
| # rather than relative ones. Add this package's directory to sys.path so those imports resolve. | |
| _pkg_dir = str(Path(__file__).parent) | |
| if _pkg_dir not in sys.path: | |
| sys.path.insert(0, _pkg_dir) | |
| from importlib import metadata, import_module | |
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | |
| # rather than relative ones. Register only the generated top-level package names that | |
| # need to resolve into this package, instead of mutating sys.path for the whole process. | |
| def _register_generated_package_aliases(): | |
| for alias in ("common", "entity", "kas", "legacy_grpc", "logger", "policy"): | |
| sys.modules.setdefault(alias, import_module(f".{alias}", __name__)) | |
| _register_generated_package_aliases() |
Comment on lines
+11
to
+12
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | ||
| # rather than relative ones. Add this package's directory to sys.path so those imports resolve. |
There was a problem hiding this comment.
The comment says this is needed for connect-python v0.6+, but pyproject.toml currently pins connect-python[compiler]>=0.4.2,<0.5. Either update the dependency constraint (if the project now requires v0.6+) or adjust the comment to match the supported versions, to avoid confusing future maintainers.
Suggested change
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | |
| # rather than relative ones. Add this package's directory to sys.path so those imports resolve. | |
| # Some generated protobuf modules use absolute sub-package imports | |
| # (e.g. `import kas.kas_pb2`) rather than relative ones. Add this package's | |
| # directory to sys.path so those imports resolve. |
Comment on lines
+8
to
+16
| from pathlib import Path | ||
| from importlib import metadata | ||
|
|
||
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | ||
| # rather than relative ones. Add this package's directory to sys.path so those imports resolve. | ||
| _pkg_dir = str(Path(__file__).parent) | ||
| if _pkg_dir not in sys.path: | ||
| sys.path.insert(0, _pkg_dir) | ||
|
|
There was a problem hiding this comment.
This new import-resolution workaround is easy to regress (e.g., if package layout changes or new top-level proto packages are added). Consider adding a small unit test that imports otdf_python_proto and then successfully imports one of the connect-generated absolute imports (e.g., import kas.kas_pb2 or import policy.objects_pb2) to lock in the expected behavior.
Suggested change
| from pathlib import Path | |
| from importlib import metadata | |
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | |
| # rather than relative ones. Add this package's directory to sys.path so those imports resolve. | |
| _pkg_dir = str(Path(__file__).parent) | |
| if _pkg_dir not in sys.path: | |
| sys.path.insert(0, _pkg_dir) | |
| import types | |
| from pathlib import Path | |
| from importlib import metadata | |
| # connect-python v0.6+ generates absolute sub-package imports (e.g. `import kas.kas_pb2`) | |
| # rather than relative ones. Register this package's generated subpackages as top-level | |
| # package aliases so those absolute imports resolve without mutating global sys.path. | |
| _pkg_path = Path(__file__).parent | |
| def _register_generated_top_level_packages(): | |
| for child in _pkg_path.iterdir(): | |
| if not child.is_dir() or child.name.startswith("_"): | |
| continue | |
| module_name = child.name | |
| if module_name in sys.modules: | |
| continue | |
| package_module = types.ModuleType(module_name) | |
| package_module.__file__ = str(child / "__init__.py") | |
| package_module.__package__ = module_name | |
| package_module.__path__ = [str(child)] | |
| sys.modules[module_name] = package_module | |
| _register_generated_top_level_packages() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.