b-long · b-long · Apr 30, 2026
diff --git a/otdf-python-proto/proto-files/authorization/v2/authorization.proto b/otdf-python-proto/proto-files/authorization/v2/authorization.proto
@@ -21,11 +21,11 @@ message EntityIdentifier {
   oneof identifier {
     option (buf.validate.oneof).required = true;
 
-    // chain of one or more entities
+    // chain of one or more entities and at most 10
     entity.EntityChain entity_chain = 1 [(buf.validate.field).cel = {
       id: "entity_chain_required"
-      message: "entities must be provided"
-      expression: "has(this.entities) && this.entities.size() > 0"
+      message: "entities must be provided and between 1 and 10 in count"
+      expression: "has(this.entities) && this.entities.size() > 0 && this.entities.size() <= 10"
     }];
 
     // fully qualified name of the registered resource value stored in platform policy, where in
@@ -65,11 +65,13 @@ message Resource {
   }
 
   oneof resource {
+    // a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count
     AttributeValues attribute_values = 2 [(buf.validate.field).cel = {
       id: "attribute_values_required"
-      message: "if provided, resource.attribute_values must not be empty"
-      expression: "this.fqns.size() > 0 && this.fqns.all(item, item.isUri())"
+      message: "if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs"
+      expression: "this.fqns.size() > 0 && this.fqns.size() <= 20 && this.fqns.all(item, item.isUri())"
     }];
+    // fully qualified name of the registered resource value stored in platform policy
     string registered_resource_value_fqn = 3 [(buf.validate.field).string = {
       min_len: 1
       uri: true
@@ -112,15 +114,17 @@ message GetDecisionResponse {
 // 1. one entity reference (actor)
 // 2. one action
 // 3. multiple resources
-// Note: this is a more performant bulk request for multiple resource decisions
+// Note: this is a more performant bulk request for multiple resource decisions, up to 1000 per request
 message GetDecisionMultiResourceRequest {
   // an entity must be identified for authorization decisioning
   EntityIdentifier entity_identifier = 1 [(buf.validate.field).required = true];
   // name on action is required
   policy.Action action = 2 [(buf.validate.field).required = true];
   repeated Resource resources = 3 [
-    (buf.validate.field).required = true,
-    (buf.validate.field).repeated = {min_items: 1}
+    (buf.validate.field).repeated = {
+      min_items: 1
+      max_items: 1000
+    }
   ];
 
   option (buf.validate.message).cel = {
@@ -141,7 +145,12 @@ message GetDecisionMultiResourceResponse {
 // This is a more performant bulk request for complex decisioning (i.e. multiple entity chains or actions on
 // multiple resources)
 message GetDecisionBulkRequest {
-  repeated GetDecisionMultiResourceRequest decision_requests = 1;
+  repeated GetDecisionMultiResourceRequest decision_requests = 1 [
+    (buf.validate.field).repeated = {
+      min_items: 1
+      max_items: 200
+    }
+  ];
 }
 message GetDecisionBulkResponse {
   repeated GetDecisionMultiResourceResponse decision_responses = 1;

diff --git a/otdf-python-proto/proto-files/policy/kasregistry/key_access_server_registry.proto b/otdf-python-proto/proto-files/policy/kasregistry/key_access_server_registry.proto
@@ -403,7 +403,7 @@ message CreateKeyRequest {
   Algorithm key_algorithm = 3 [(buf.validate.field).cel = {
     id: "key_algorithm_defined"
     message: "The key_algorithm must be one of the defined values."
-    expression: "this in [1, 2, 3, 4]" // Allow ALGORITHM_EC_P256, ALGORITHM_RSA_2048, ALGORITHM_X25519, ALGORITHM_AES_256_GCM
+    expression: "this in [1, 2, 3, 4, 5]" // Allow ALGORITHM_RSA_2048, ALGORITHM_RSA_4096, ALGORITHM_EC_P256, ALGORITHM_EC_P384, ALGORITHM_EC_P521
   }]; // The algorithm to be used for the key
   // Required
   KeyMode key_mode = 4 [(buf.validate.field).cel = {
@@ -445,7 +445,7 @@ message ListKeysRequest {
   Algorithm key_algorithm = 1 [(buf.validate.field).cel = {
     id: "key_algorithm_defined"
     message: "The key_algorithm must be one of the defined values."
-    expression: "this in [0, 1, 2, 3, 4]" // Allow ALGORITHM_EC_P256, ALGORITHM_RSA_2048, ALGORITHM_X25519, ALGORITHM_AES_256_GCM
+    expression: "this in [0, 1, 2, 3, 4, 5]" // Allow unspecified and object.Algorithm values for currently supported RSA bit sizes and EC curve types
   }]; // Filter keys by algorithm
 
   oneof kas_filter {
@@ -545,15 +545,15 @@ message RotateKeyRequest {
     Algorithm algorithm = 2 [(buf.validate.field).cel = {
       id: "key_algorithm_defined"
       message: "The key_algorithm must be one of the defined values."
-      expression: "this in [1, 2, 3, 4]" // Allow ALGORITHM_EC_P256, ALGORITHM_RSA_2048, ALGORITHM_X25519, ALGORITHM_AES_256_GCM
+      expression: "this in [1, 2, 3, 4, 5]" // Allow ALGORITHM_RSA_2048, ALGORITHM_RSA_4096, ALGORITHM_EC_P256, ALGORITHM_EC_P384, ALGORITHM_EC_P521
     }];
     // Required
     KeyMode key_mode = 3 [
       (buf.validate.field).enum.defined_only = true,
       (buf.validate.field).cel = {
         id: "new_key_mode_defined"
         message: "The new key_mode must be one of the defined values (1-4)."
-        expression: "this in [1, 2, 3, 4]" // Allow all defined modes
+        expression: "this in [1, 2, 3, 4]" // Allow modes CONFIG_ROOT_KEY, PROVIDER_ROOT_KEY, REMOTE, PUBLIC_KEY_ONLY
       }
     ];
     // Required
@@ -617,6 +617,35 @@ message SetBaseKeyResponse {
   SimpleKasKey previous_base_key = 2; // The previous base key, if any
 }
 
+message MappedPolicyObject {
+  string id = 1; // The unique identifier of the policy object
+  string fqn = 2; // The fully qualified name of the policy object
+}
+
+message KeyMapping {
+  string kid = 1;
+  string kas_uri = 2;
+  repeated MappedPolicyObject namespace_mappings = 3; // List of namespaces mapped to the key
+  repeated MappedPolicyObject attribute_mappings = 4; // List of attribute definitions mapped to the key
+  repeated MappedPolicyObject value_mappings = 5; // List of attribute values mapped to the key
+}
+
+message ListKeyMappingsRequest {
+  oneof identifier {
+    option (buf.validate.oneof).required = false;
+    string id = 2 [(buf.validate.field).string.uuid = true]; // The unique identifier of the key to retrieve
+    KasKeyIdentifier key = 3;
+  }
+
+  policy.PageRequest pagination = 10; // Pagination request for the list of keys
+}
+
+message ListKeyMappingsResponse {
+  repeated KeyMapping key_mappings = 1; // The list of key mappings
+
+  policy.PageResponse pagination = 10; // Pagination response for the list of keys
+}
+
 service KeyAccessServerRegistryService {
   rpc ListKeyAccessServers(ListKeyAccessServersRequest) returns (ListKeyAccessServersResponse) {
     option (google.api.http) = {get: "/key-access-servers"};
@@ -660,4 +689,7 @@ service KeyAccessServerRegistryService {
 
   // Get Default kas keys
   rpc GetBaseKey(GetBaseKeyRequest) returns (GetBaseKeyResponse) {}
+
+  // Request to list key mappings in the Key Access Service.
+  rpc ListKeyMappings(ListKeyMappingsRequest) returns (ListKeyMappingsResponse) {}
 }
diff --git a/otdf-python-proto/proto-files/policy/objects.proto b/otdf-python-proto/proto-files/policy/objects.proto
@@ -5,6 +5,7 @@ package policy;
 import "buf/validate/validate.proto";
 import "common/common.proto";
 import "google/protobuf/wrappers.proto";
+// import "google/protobuf/struct.proto";
 
 message SimpleKasPublicKey {
   Algorithm algorithm = 1;
@@ -447,7 +448,6 @@ message RegisteredResourceValue {
     // Common metadata
     common.Metadata metadata = 100;
   }
-
   string id = 1;
 
   string value = 2;
@@ -460,6 +460,50 @@ message RegisteredResourceValue {
   common.Metadata metadata = 100;
 }
 
+message Obligation {
+  string id = 1;
+
+  Namespace namespace = 2;
+
+  string name = 3;
+
+  repeated ObligationValue values = 4;
+
+  common.Metadata metadata = 100;
+}
+
+message ObligationValue {
+  string id = 1;
+
+  Obligation obligation = 2;
+
+  string value = 3;
+
+  common.Metadata metadata = 100;
+}
+
+message ObligationTrigger {
+  string id = 1;
+
+  ObligationValue obligation_value = 2;
+
+  Action action = 3;
+
+  Value attribute_value = 4;
+
+  common.Metadata metadata = 100;
+}
+
+// message ObligationFulfiller {
+//   string id = 1;
+
+//   ObligationValue obligation_value = 2;
+
+//   google.protobuf.Struct conditionals = 3;
+
+//   common.Metadata metadata = 100;
+// }
+
 // Supported key algorithms.
 enum Algorithm {
   ALGORITHM_UNSPECIFIED = 0;