Merge branch 'main' into DSPX-1781-use-v2-rewrap

Author: elizabethhealy

.github/release-please/release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.4.0"
+  ".": "0.5.0"
 }

.github/workflows/update-protos.yaml

@@ -0,0 +1,185 @@
+name: "Update protos"
+
+on:
+  schedule:
+    - cron: "17 0 * * *" # Runs daily at 00:17 UTC
+
+  workflow_call:
+    inputs:
+      tag:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "The new tag for targeting the RPC protocol buffers."
+        required: true
+        default: "protocol/go/v0.13.0"
+
+jobs:
+  update-platform-protos:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: read
+
+    steps:
+      - name: Checkout web-sdk repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          path: web-sdk
+          persist-credentials: true
+
+      - name: Set up GitHub CLI as Actions bot
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh auth setup-git
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch latest semver tag for protocol/go
+        id: fetch-latest-tag
+        run: |
+          if [ -z "${{ github.event.inputs.tag }}" ]; then
+            LATEST_TAG=$(git ls-remote --tags https://github.com/opentdf/platform.git | \
+              grep "refs/tags/protocol/go" | \
+              sed 's|.*/||' | \
+              sort -V | \
+              tail -n1)
+            echo "LATEST_TAG=protocol/go/$LATEST_TAG" >> "$GITHUB_ENV"
+          else
+            echo "LATEST_TAG=${{ github.event.inputs.tag }}" >> "$GITHUB_ENV"
+          fi
+
+      - name: Check if update is needed
+        working-directory: ./web-sdk
+        id: check-update
+        run: |
+          CURRENT_TAG=$(jq -r '.["tag"]' lib/platform-proto-version.json)
+          if [ "$CURRENT_TAG" = "$LATEST_TAG" ]; then
+            echo "Platform branch is already up-to-date."
+            echo "no_updates=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "CURRENT_TAG=$CURRENT_TAG" >> "$GITHUB_ENV"
+
+      - name: Check for existing PR
+        if: steps.check-update.outputs.no_updates != 'true'
+        id: check-pr
+        working-directory: ./web-sdk
+        run: |
+          EXISTING_PR=$(gh pr list --head update-platform-protos --json number --jq '.[0].number')
+          if [ -n "$EXISTING_PR" ]; then
+            echo "EXISTING_PR=$EXISTING_PR" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check out existing PR
+        working-directory: ./web-sdk
+        if: steps.check-pr.outputs.EXISTING_PR != '' && steps.check-update.outputs.no_updates != 'true'
+        run: |
+          git fetch origin update-platform-protos:update-platform-protos
+          git checkout update-platform-protos
+
+      - name: Clone platform repo at protocol/go tag
+        if: steps.check-update.outputs.no_updates != 'true'
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          path: platform
+          repository: opentdf/platform
+          ref: ${{ env.LATEST_TAG }}
+          persist-credentials: true
+
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 #v5.0.0
+        if: steps.check-update.outputs.no_updates != 'true'
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: './web-sdk/lib/package-lock.json'
+
+      - name: Regen pb files
+        id: update-platform-protos
+        if: steps.check-update.outputs.no_updates != 'true'
+        working-directory: ./web-sdk/lib
+        run: |
+          npm ci
+          cd ..
+          ./scripts/platform.sh
+          TAG_COMMIT=$(gh api repos/opentdf/platform/git/ref/tags/$LATEST_TAG --jq '.object.sha')
+          jq --arg tag "$LATEST_TAG" '.["tag"] = $tag' lib/platform-proto-version.json > lib/platform-proto-version.tmp.json
+          jq --arg commit "$TAG_COMMIT" '.["commit"] = $commit' lib/platform-proto-version.tmp.json > lib/platform-proto-version.json
+          rm lib/platform-proto-version.tmp.json
+          # Check for changes after regeneration
+          if [ -z "$(git status --porcelain)" ]; then
+            echo "No changes detected after regeneration."
+          else
+            echo "Changes detected after regeneration"
+            echo "changes=true" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          PLATFORM_SRC: ../platform/service
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}          
+
+      - name: Create new branch
+        working-directory: ./web-sdk
+        if: steps.check-pr.outputs.EXISTING_PR == '' && steps.update-platform-protos.outputs.changes == 'true'
+        run: |
+          git checkout -b $BRANCH_NAME
+          git push origin $BRANCH_NAME
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH_NAME: update-platform-protos
+
+      - name: Update files
+        working-directory: ./web-sdk
+        if: steps.update-platform-protos.outputs.changes == 'true'
+        run: |
+          echo "Committing changes..."
+          FILES_CHANGED=$(git status --porcelain | awk '{print $2}')
+          for file in $FILES_CHANGED; do
+            echo "Committing file: $file"
+
+            CONTENT=$(base64 -i $file)
+            FILENAME=$(basename $file)
+            MESSAGE="Update $FILENAME to match platform tag $LATEST_TAG"
+
+            SHA=$( git rev-parse $BRANCH_NAME:$file 2>/dev/null | grep -E '^[0-9a-f]{40}$' || echo "" )
+            if [ -z "$SHA" ]; then
+              SHA=""
+            fi
+
+            gh api --method PUT /repos/opentdf/web-sdk/contents/$file \
+              --field message="$MESSAGE" \
+              --field content="$CONTENT" \
+              --field encoding="base64" \
+              --field branch="$BRANCH_NAME" \
+              --field sha="$SHA"
+          done
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH_NAME: update-platform-protos
+
+      - name: Create New PR
+        working-directory: ./web-sdk
+        if: steps.check-pr.outputs.EXISTING_PR == '' && steps.update-platform-protos.outputs.changes == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          RELEASE_NOTES=$(gh release view $LATEST_TAG --repo opentdf/platform --json body --jq '.body')
+          cat <<EOF > pr_body.txt
+          This PR regenerates the platform pb files based on tag: $LATEST_TAG. It also updates the lib/platform-proto-version.json file to reflect the new tag and commit.
+
+          See the release: https://github.com/opentdf/platform/releases/tag/$LATEST_TAG
+
+          Release Notes:
+          $RELEASE_NOTES
+          EOF
+          gh pr create \
+            --title "fix(sdk): Updates to proto version $LATEST_TAG" \
+            --body-file pr_body.txt \
+            --head update-platform-protos \
+            --base main
+

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## [0.5.0](https://github.com/opentdf/web-sdk/compare/sdk/v0.4.0...sdk-v0.5.0) (2025-10-17)
+
+
+### Features
+
+* add system metadata assertion ([#630](https://github.com/opentdf/web-sdk/issues/630)) ([922965c](https://github.com/opentdf/web-sdk/commit/922965c25c0a63b616dc833275152c4c55148ac3))
+* Certificates & Obligations ([#755](https://github.com/opentdf/web-sdk/issues/755)) ([688c304](https://github.com/opentdf/web-sdk/commit/688c30490e21d6c2080c187f8915c3eece41251d))
+* Get Namespace ([#756](https://github.com/opentdf/web-sdk/issues/756)) ([5b8ef25](https://github.com/opentdf/web-sdk/commit/5b8ef2518f16fbb69cb1d7b5e0297eb87f8e076c))
+* **sdk:** initial obligations support in rewrap flow ([#748](https://github.com/opentdf/web-sdk/issues/748)) ([0361361](https://github.com/opentdf/web-sdk/commit/03613617974982fe39cc7ac1362a17f843a40e63))
+
+
+### Bug Fixes
+
+* `signingKey` should not be part of the computed hash ([#696](https://github.com/opentdf/web-sdk/issues/696)) ([b763278](https://github.com/opentdf/web-sdk/commit/b7632783b17413393db3ff2ac49a2ad9201ed8ef))
+* **sdk:** Fix new API not setting nano attributes ([#679](https://github.com/opentdf/web-sdk/issues/679)) ([f0d9719](https://github.com/opentdf/web-sdk/commit/f0d97196ab258122fe9a07b7d7895017299a46c2))
+* SEC-4653 prevent ReDoS vulnerability in HTML payload unwrapping regex ([#686](https://github.com/opentdf/web-sdk/issues/686)) ([09d0360](https://github.com/opentdf/web-sdk/commit/09d036055a4eea621d182f04b706fae6dc78c195))
+
 ## [0.4.0](https://github.com/opentdf/web-sdk/compare/v0.3.2...v0.4.0) (2025-06-26)
 
 

Makefile

@@ -1,6 +1,6 @@
 
 # x-release-please-start-version
-version=0.4.0
+version=0.5.0
 # x-release-please-end
 extras=cli web-app
 pkgs=lib $(extras)

cli/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@opentdf/ctl",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "Node based CLI for opentdf",
   "repository": {
     "type": "git",
@@ -51,7 +51,7 @@
     "typescript-eslint": "^8.26.0"
   },
   "dependencies": {
-    "@opentdf/sdk": "file:../lib/opentdf-sdk-0.4.0.tgz",
+    "@opentdf/sdk": "file:../lib/opentdf-sdk-0.5.0.tgz",
     "yargs": "^17.7.2"
   }
 }

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opentdf/sdk",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "description": "OpenTDF for the Web",
   "homepage": "https://github.com/opentdf/web-sdk",
   "bugs": {

lib/package-lock.json

@@ -0,0 +1,4 @@
+{
+    "tag": "",
+    "commit": ""
+}