docs(policy): deprecate non-namespaced registered resources

[alkalescent]

This PR documents the deprecation of non-namespaced registered resources and how to migrate existing resources using otdfctl.

Summary by CodeRabbit

• Documentation
  • Updated namespace and registered resources documentation to clarify their relationships and organizational scope
  • Introduced new namespaced registered resource identifier formats with deprecation of legacy non-namespaced formats
  • Added namespace-aware resource lookup behavior and uniqueness documentation
  • Provided migration guidance for converting non-namespaced registered resources to the new format
  • Updated Authorization Service documentation with concrete examples and clarified deprecations

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on updating the documentation to reflect the deprecation of non-namespaced registered resources within the policy system. It introduces the concept of namespaced registered resources, provides clear examples of their Fully Qualified Names (FQNs), and outlines the necessary migration steps for existing resources. These changes ensure that the documentation aligns with the evolving policy architecture, guiding users towards the recommended, namespaced approach for managing registered resources.

Highlights

• Deprecation of Non-Namespaced Registered Resources: Non-namespaced Registered Resources are now officially deprecated, with a future version requiring all Registered Resources to be associated with a namespace.
• Migration Path Documented: Documentation now includes instructions on how to migrate existing non-namespaced Registered Resources using the otdfctl migrate registered-resources command.
• FQN Examples Updated: Fully Qualified Name (FQN) examples for Registered Resources have been updated across the documentation to reflect the new namespaced structure and explicitly mark the deprecated non-namespaced format.
• Namespace Scope Expansion: Namespaces are now explicitly documented as organizational containers for both attributes and optionally for registered resources, clarifying their expanded role.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively documents the deprecation of non-namespaced registered resources. The changes are consistent across all modified files, updating definitions, examples, and diagrams to reflect that registered resources are now namespaced. The documentation is clearer and more accurate as a result. I have one suggestion to further improve the migration instructions to make them more actionable for users.

[github-actions]

📄 Preview deployed to https://opentdf-docs-pr-253.surge.sh

[coderabbitai]

Warning

Rate limit exceeded

@alkalescent has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 26 minutes and 0 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 26 minutes and 0 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f2801735-0436-4938-9a4f-0e453b40d760

📥 Commits

Reviewing files that changed from the base of the PR and between 4af541a and d402c73.

📒 Files selected for processing (4)

• docs/components/policy/registered_resources.md
• docs/sdks/policy.mdx
• specs/authorization/authorization.openapi.yaml
• specs/policy/attributes/attributes.openapi.yaml

📝 Walkthrough

Walkthrough

This PR updates documentation and configuration to introduce namespace scoping for Registered Resources, marks non-namespaced Registered Resources as deprecated, and adds a migration guide for transitioning to the new namespace-aware behavior.

Changes

Cohort / File(s)	Summary
Configuration & Vocabulary .github/vale-styles/config/vocabularies/Opentdf/accept.txt	Updated Vale vocabulary patterns to accept plural and variant forms: namespace/namespaces/namespacing, FQN/FQNs, and AAV/AAVs.
Registered Resources Documentation docs/components/policy/registered_resources.md	Introduced optional namespace composition for Registered Resources; marked non-namespaced FQN format as deprecated; updated FQN format to include namespace prefix; added namespacing section defining creation, uniqueness, and deletion semantics; added new "Migrating Non-Namespaced Registered Resources" section with otdfctl migrate registered-resources command documentation and mode descriptions.
Policy & Authorization Documentation docs/components/policy/attributes.md, docs/components/policy/index.md, docs/components/authorization.md, docs/sdks/policy.mdx	Updated policy documentation to clarify that namespaces can optionally contain registered resources; revised authorization service documentation to replace generic FQN descriptions with concrete examples and updated deprecation labels; clarified Registered Resources policy component as "scoped to Namespaces"; expanded namespace definition to include optional registered resources.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Namespaces bloom, tidy and neat,
Deprecated paths hop in retreat,
Resources organized, organized true,
Migration guide helps the old shift anew! 🌿✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly and specifically describes the main change: documenting the deprecation of non-namespaced registered resources, which aligns with the primary objective across all modified documentation files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DSPX-2496-rr-ns

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)

docs/components/policy/registered_resources.md (1)

1-1: ⚠️ Potential issue | 🟡 Minor

Switch this modified policy page to .mdx format.

This file is updated as .md, which conflicts with the documentation format rule.

As per coding guidelines, **/*.{md,mdx}: Documentation files should use .mdx format; name new pages kebab-case.mdx, and use index.mdx for section landing pages.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/components/policy/registered_resources.md` at line 1, This documentation
page is currently saved as a .md file but must follow the project's docs rule to
use .mdx; rename the file from registered_resources.md to kebab-case .mdx (e.g.,
registered-resources.mdx) or, if this is a section landing page, to index.mdx
inside a folder, and update any internal frontmatter or import usage to the .mdx
filename; ensure the top-level heading "Registered Resources" remains and that
the file extension and name follow the repository's .mdx naming conventions.

docs/components/policy/attributes.md (1)

1-1: ⚠️ Potential issue | 🟡 Minor

Convert this updated doc page to .mdx.

The file is modified as .md, but the documentation convention requires .mdx.

As per coding guidelines, **/*.{md,mdx}: Documentation files should use .mdx format; name new pages kebab-case.mdx, and use index.mdx for section landing pages.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/components/policy/attributes.md` at line 1, The doc page titled
"Attributes" is currently written as a .md file; rename and convert it to a .mdx
file using the docs convention (use kebab-case for new page names, e.g.,
attributes.mdx) or if this is a section landing page turn it into index.mdx, and
ensure the file content is valid MDX (retain the "Attributes" heading and any
frontmatter) so it follows the **/*.{md,mdx} documentation guideline.

docs/components/authorization.md (1)

1-3: ⚠️ Potential issue | 🟡 Minor

Use .mdx for this documentation page.

This file is being modified as Markdown (.md), but docs standards require .mdx for documentation files.

As per coding guidelines, **/*.{md,mdx}: Documentation files should use .mdx format; name new pages kebab-case.mdx, and use index.mdx for section landing pages.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/components/authorization.md` around lines 1 - 3, The documentation page
"authorization.md" is in the wrong format; rename and convert it to MDX by
changing the filename to a kebab-case .mdx (e.g., authorization.mdx) or to
index.mdx if this is a section landing page, update frontmatter and any
MD-specific constructs to MDX-compatible syntax, and ensure the docs
build/config references the new .mdx file instead of the .md file.

docs/components/policy/index.md (1)

1-4: ⚠️ Potential issue | 🟡 Minor

Please migrate this updated policy doc to .mdx.

The changed page remains .md, which conflicts with the docs file-format rule.

As per coding guidelines, **/*.{md,mdx}: Documentation files should use .mdx format; name new pages kebab-case.mdx, and use index.mdx for section landing pages.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/components/policy/index.md` around lines 1 - 4, The file
docs/components/policy/index.md is still in .md and needs to be migrated to
.mdx: rename the page to use .mdx (use index.mdx for this section landing page)
and move/convert any frontmatter or markdown content into the new .mdx file
while preserving the existing YAML frontmatter fields (sidebar_position and
slug) or converting them to MDX-compatible export metadata; ensure the filename
follows the docs rule (section landing pages use index.mdx) and update any
internal imports/links that referenced docs/components/policy/index.md to point
to docs/components/policy/index.mdx.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@docs/components/authorization.md`:
- Around line 1-3: The documentation page "authorization.md" is in the wrong
format; rename and convert it to MDX by changing the filename to a kebab-case
.mdx (e.g., authorization.mdx) or to index.mdx if this is a section landing
page, update frontmatter and any MD-specific constructs to MDX-compatible
syntax, and ensure the docs build/config references the new .mdx file instead of
the .md file.

In `@docs/components/policy/attributes.md`:
- Line 1: The doc page titled "Attributes" is currently written as a .md file;
rename and convert it to a .mdx file using the docs convention (use kebab-case
for new page names, e.g., attributes.mdx) or if this is a section landing page
turn it into index.mdx, and ensure the file content is valid MDX (retain the
"Attributes" heading and any frontmatter) so it follows the **/*.{md,mdx}
documentation guideline.

In `@docs/components/policy/index.md`:
- Around line 1-4: The file docs/components/policy/index.md is still in .md and
needs to be migrated to .mdx: rename the page to use .mdx (use index.mdx for
this section landing page) and move/convert any frontmatter or markdown content
into the new .mdx file while preserving the existing YAML frontmatter fields
(sidebar_position and slug) or converting them to MDX-compatible export
metadata; ensure the filename follows the docs rule (section landing pages use
index.mdx) and update any internal imports/links that referenced
docs/components/policy/index.md to point to docs/components/policy/index.mdx.

In `@docs/components/policy/registered_resources.md`:
- Line 1: This documentation page is currently saved as a .md file but must
follow the project's docs rule to use .mdx; rename the file from
registered_resources.md to kebab-case .mdx (e.g., registered-resources.mdx) or,
if this is a section landing page, to index.mdx inside a folder, and update any
internal frontmatter or import usage to the .mdx filename; ensure the top-level
heading "Registered Resources" remains and that the file extension and name
follow the repository's .mdx naming conventions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d4d78d79-1ebf-47b7-8c5e-68d0566c3fda

📥 Commits

Reviewing files that changed from the base of the PR and between 70d68f6 and 28abb3a.

📒 Files selected for processing (6)

• .github/vale-styles/config/vocabularies/Opentdf/accept.txt
• docs/components/authorization.md
• docs/components/policy/attributes.md
• docs/components/policy/index.md
• docs/components/policy/registered_resources.md
• docs/sdks/policy.mdx

[c-r33d]

I think we are changing this to not delete the old, but add a metadata tag that we can then use with a prune or cleanup command.

[alkalescent]

Okay, what would you recommend? I'm thinking I can keep this block as current behavior but mention future expected behavior. Alternatively, I can just remove mention of migration until we get to an expected state.

[c-r33d]

I would keep everything as you have it and add, "to delete items you will need to run a separate prune\cleanup command which can be found in the otdfctl docs".

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/components/policy/registered_resources.md`:
- Around line 67-70: Update the "Namespace Deletion Cascade" section to
disambiguate API vs SDK behavior: explicitly state whether cascading
hard-deletes of Registered Resources (and their values) occur only for
API/admin-level namespace deletion or whether SDK calls only perform
soft-deletes (deactivation). Reference the SDK docs pages (docs/sdks/policy.mdx)
and attributes doc (docs/components/policy/attributes.md) in the text and add a
short sentence clarifying that SDK namespace operations are soft-delete only
while administrative/API endpoints can perform permanent hard-delete cascades,
or, if the API does not hard-delete, change the cascade wording to indicate
soft-delete of resources instead.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 897ee3b7-a9b9-47bd-9625-0d93a29117aa

📥 Commits

Reviewing files that changed from the base of the PR and between 1f0418c and 4af541a.

📒 Files selected for processing (1)

• docs/components/policy/registered_resources.md