feat(kas): Add nano policy binding to rewrap audit.

[c-r33d]

Proposed Changes

1.) Add nano policy binding to audit rewrap logs
2.) Bump sdk to version 0.10.1

Examples

Nano - Encrypted Policy - Gmac

{
    "time": "2025-11-03T12:53:39.67596-06:00",
    "level": "AUDIT",
    "msg": "rewrap",
    "namespace": "kas",
    "audit": {
        "object": {
            "type": "key_object",
            "id": "ff1a2fe2-a942-11f0-9751-a6a754e79d24",
            "name": "",
            "attributes": {
                "assertions": [],
                "attrs": [
                    "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger"
                ],
                "permissions": []
            }
        },
        "action": {
            "type": "rewrap",
            "result": "error"
        },
        "actor": {
            "id": "260a3342-65d8-4056-8d17-b362c932b9dc",
            "attributes": []
        },
        "eventMetaData": {
            "algorithm": "ec:secp256r1",
            "keyID": "e1",
            "policyBinding": "69750779a948846a",
            "tdfFormat": "Nano"
        },
        "clientInfo": {
            "userAgent": "connect-go/1.18.1 (go1.24.6)",
            "platform": "kas",
            "requestIP": "None"
        },
        "original": null,
        "updated": null,
        "requestID": "1eb13e08-963e-4abd-acfc-5a30fb3cb876",
        "timestamp": "2025-11-03T12:53:39-06:00"
    }
}

Nano - Encrypted policy - ECDSA

{
    "time": "2025-11-03T13:06:52.920043-06:00",
    "level": "AUDIT",
    "msg": "rewrap",
    "namespace": "kas",
    "audit": {
        "object": {
            "type": "key_object",
            "id": "3c370940-b8e8-11f0-b395-a6a754e79d24",
            "name": "",
            "attributes": {
                "assertions": [],
                "attrs": [
                    "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger"
                ],
                "permissions": []
            }
        },
        "action": {
            "type": "rewrap",
            "result": "success"
        },
        "actor": {
            "id": "260a3342-65d8-4056-8d17-b362c932b9dc",
            "attributes": []
        },
        "eventMetaData": {
            "algorithm": "ec:secp256r1",
            "keyID": "e1",
            "policyBinding": "07eb1084ee0e3f982d9374c184e88840abe5caa272cde5dd14798224db13107a",
            "tdfFormat": "Nano"
        },
        "clientInfo": {
            "userAgent": "connect-go/1.18.1 (go1.24.6)",
            "platform": "kas",
            "requestIP": "None"
        },
        "original": null,
        "updated": null,
        "requestID": "c27a751d-44a9-4866-beef-451b2fbef5ae",
        "timestamp": "2025-11-03T13:06:52-06:00"
    }
}

Nano - Plaintext policy - GMAC

{
    "time": "2025-11-03T13:01:27.938945-06:00",
    "level": "AUDIT",
    "msg": "rewrap",
    "namespace": "kas",
    "audit": {
        "object": {
            "type": "key_object",
            "id": "7857a624-b8e7-11f0-aa9c-a6a754e79d24",
            "name": "",
            "attributes": {
                "assertions": [],
                "attrs": [
                    "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger"
                ],
                "permissions": []
            }
        },
        "action": {
            "type": "rewrap",
            "result": "success"
        },
        "actor": {
            "id": "260a3342-65d8-4056-8d17-b362c932b9dc",
            "attributes": []
        },
        "eventMetaData": {
            "algorithm": "ec:secp256r1",
            "keyID": "e1",
            "policyBinding": "342b5951d82676fa",
            "tdfFormat": "Nano"
        },
        "clientInfo": {
            "userAgent": "connect-go/1.18.1 (go1.24.6)",
            "platform": "kas",
            "requestIP": "None"
        },
        "original": null,
        "updated": null,
        "requestID": "652cc0d2-fec8-49a4-8e0d-e5f01794bdaa",
        "timestamp": "2025-11-03T13:01:27-06:00"
    }
}

Nano - Plaintext policy - ECDSA

{
    "time": "2025-11-03T13:03:17.645969-06:00",
    "level": "AUDIT",
    "msg": "rewrap",
    "namespace": "kas",
    "audit": {
        "object": {
            "type": "key_object",
            "id": "bb58d92a-b8e7-11f0-8556-a6a754e79d24",
            "name": "",
            "attributes": {
                "assertions": [],
                "attrs": [
                    "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger"
                ],
                "permissions": []
            }
        },
        "action": {
            "type": "rewrap",
            "result": "success"
        },
        "actor": {
            "id": "260a3342-65d8-4056-8d17-b362c932b9dc",
            "attributes": []
        },
        "eventMetaData": {
            "algorithm": "ec:secp256r1",
            "keyID": "e1",
            "policyBinding": "7f50b172ceae7cb4eff9cff1849fed1022bb0f1abeb924060f50fdd5876bb09b",
            "tdfFormat": "Nano"
        },
        "clientInfo": {
            "userAgent": "connect-go/1.18.1 (go1.24.6)",
            "platform": "kas",
            "requestIP": "None"
        },
        "original": null,
        "updated": null,
        "requestID": "5a038826-43e8-42b6-9239-bd0cf3066cfd",
        "timestamp": "2025-11-03T13:03:17-06:00"
    }
}

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

[gemini-code-assist]

Summary of Changes

Hello @c-r33d, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the auditing capabilities for Nano TDF rewrap operations by integrating the Nano policy binding directly into the audit logs. This change ensures that critical policy information is captured and available for review, improving the traceability and security posture of key access server activities. The modifications involve updating data structures and audit event generation to consistently include this new detail.

Highlights

• Audit Logging Enhancement: The pull request introduces the inclusion of the Nano policy binding in the rewrap audit logs, providing more comprehensive auditing for Nano TDF operations.
• Data Structure Update: The kaoResult struct has been extended with a new PolicyBinding field to store the policy binding information relevant to Nano auditing.
• Audit Event Parameterization: The nanoTDFRewrap function now passes the newly captured PolicyBinding to the audit.RewrapAuditEventParams, ensuring it's recorded during rewrap events.
• Policy Binding Verification Refinement: The verifyNanoRewrapRequests function has been updated to explicitly retrieve the policy binding using header.PolicyBinding() and handle potential errors during this retrieval, before proceeding with verification and storing the binding.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Policy now bound, Audit logs reveal the truth, Security grows.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds the nano TDF policy binding to the rewrap audit logs. The changes in service/kas/access/rewrap.go correctly propagate the policy binding from the nano TDF header to the audit event parameters. The implementation looks correct. My main feedback is the lack of unit tests for this new functionality. Adding tests is crucial to ensure the correctness of the auditing and prevent future regressions. I've added a specific comment with a suggestion on how to test this.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	182.621922ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	109.85515ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	379.203738ms
Throughput	263.71 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.926379781s
Average Latency	397.404713ms
Throughput	125.23 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.752613171s
Average Latency	276.705066ms
Throughput	180.16 requests/second

[github-actions]

X-Test Results

opentdfplatformCHILP2.dockerbuild
✅ java-v0.4.34
cukes-report
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2870
✅ java-pull-2870
✅ go-pull-2870

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	174.869734ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	105.580566ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	360.01741ms
Throughput	277.76 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.37935939s
Average Latency	382.369681ms
Throughput	130.28 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.033931966s
Average Latency	269.451872ms
Throughput	184.95 requests/second

[github-actions]

X-Test Results

opentdfplatformV06HED.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2870
✅ java-pull-2870
✅ go-pull-2870

[opentdf-automation]

Successfully created backport PR for release/service/v0.11:

• feat(kas): Add nano policy binding to rewrap audit. [backport to release/service/v0.11] #2878

[c-r33d]

/backport

[opentdf-automation]

Successfully created backport PR for release/service/v0.11:

• feat(kas): Add nano policy binding to rewrap audit. [backport to release/service/v0.11] #2880