docs: add authentication decision guide and SDK auth reference

[marythought]

Summary

• Adds Authentication Decision Guide (docs/guides/authentication-guide.md) — a decision flowchart, scenario matrix, dev vs production checklist, and common pitfalls for developers new to OpenTDF or figuring out how to authenticate with their setup.
• Adds SDK Authentication Reference (docs/sdks/authentication.mdx) — documents all auth methods (client credentials, token exchange, refresh token, certificate exchange, custom token source, DPoP, session encryption) with Go/Java/JS code examples.

Addresses the gap identified in the Go SDK docs audit (DSPX-2476) where auth methods like WithTokenExchange, WithTLSCredentials, WithOAuthAccessTokenSource, and WithCustomAccessTokenSource had godoc but were not surfaced in the docs site.

Test plan

• Verify both pages render correctly in the sidebar (SDK > Authentication, Guides > Authentication Decision Guide)
• Verify mermaid flowchart and sequence diagram render in the decision guide
• Verify code examples in tabs display correctly on the SDK auth page
• Cross-check SDK code examples against current API signatures
• Verify all internal links resolve (e.g., decision guide → SDK auth sections)

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Added comprehensive Authentication Decision Guide covering token validation flows, authentication method selection, setup instructions, development vs. production guidance, and common troubleshooting scenarios.
  • Added detailed SDK Authentication documentation explaining supported authentication mechanisms and usage guidance across SDKs.
  • Reorganized SDK documentation navigation structure for improved clarity and discoverability.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the OpenTDF documentation by providing two new, crucial resources for developers. It introduces a decision guide to help users navigate the various authentication options available within the platform, alongside a detailed reference for implementing these methods across different SDKs. These additions aim to streamline the developer experience by clarifying authentication choices and providing practical code examples, thereby improving usability and reducing common integration challenges.

Highlights

• Authentication Decision Guide Added: A new guide (docs/guides/authentication-guide.md) has been introduced, featuring a decision flowchart, scenario matrix, dev vs production checklist, and common pitfalls to help developers choose the appropriate OpenTDF authentication method.
• SDK Authentication Reference Provided: A comprehensive reference (docs/sdks/authentication.mdx) has been added, detailing all supported authentication methods (client credentials, token exchange, refresh token, certificate exchange, custom token source, DPoP, session encryption) with code examples for Go, Java, and JavaScript SDKs.
• Documentation Gap Addressed: This pull request closes a previously identified documentation gap (DSPX-2476) by surfacing SDK authentication methods that previously only had godoc entries, making them accessible on the main documentation site.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces two new markdown files to enhance the documentation: an Authentication Decision Guide and an SDK Authentication Reference. The changes aim to provide developers with clear guidance on authentication methods within the OpenTDF platform, including decision-making flowcharts and code examples across multiple SDKs (Go, Java, JavaScript). I have added a review comment to improve the clarity of the documentation.

[github-actions]

📄 Preview deployed to https://opentdf-docs-pr-250.surge.sh

[marythought]

@CodeRabbit review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds comprehensive authentication documentation and reorganizes SDK documentation structure. A new authentication guide covers OIDC-based token validation flows and decision trees for different authentication methods. Existing SDK documentation pages are updated with refreshed titles and reordered sidebar positions. A CI script is enhanced to include GitHub API authentication headers and improved error handling.

Changes

Cohort / File(s)	Summary
Authentication Documentation docs/guides/authentication-guide.md, docs/sdks/authentication.mdx	Two new authentication documentation pages covering OIDC token validation flows, decision flowcharts for method selection, scenario matrices, setup instructions per method, development vs. production configurations, and common authentication pitfalls.
SDK Documentation Structure docs/sdks/authorization.mdx, docs/sdks/discovery.mdx, docs/sdks/platform-client.mdx, docs/sdks/policy.mdx, docs/sdks/tdf.mdx, docs/sdks/troubleshooting.mdx	Frontmatter updates to SDK documentation files including sidebar position adjustments and title standardization across the documentation hierarchy.
GitHub API Integration src/openapi/check-vendored-yaml.ts	Enhanced GitHub API interaction with conditional authentication header support via environment variable, improved HTTP error handling with response body buffering, and stricter validation of API response shape.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A guide to tokens, flows, and schemes,
Authentication realizes dreams!
With sidebars sorted, docs pristine,
And GitHub headers in between,
The rabbit's work is now complete,
Our auth docs can't be beat! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: adding an authentication decision guide and SDK authentication reference documentation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DSPX-2388/auth-decision-guide

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can disable sequence diagrams in the walkthrough.

Disable the reviews.sequence_diagrams setting to disable sequence diagrams in the walkthrough.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/openapi/check-vendored-yaml.ts (1)

74-82: ⚠️ Potential issue | 🟠 Major

Handle non-200 responses in fetchText to prevent silent false negatives.

At Line 81, the function resolves body content regardless of HTTP status. If raw fetch returns 404/429/5xx, hasApiPaths can misclassify the file and skip a real error path.

🔧 Proposed fix

 function fetchText(url: string): Promise<string> {
   return new Promise((resolve, reject) => {
     import('https').then(https => {
       const headers: Record<string, string> = { 'User-Agent': 'opentdf-docs-check-vendored-yaml' };
       if (GITHUB_TOKEN) {
         headers['Authorization'] = `token ${GITHUB_TOKEN}`;
       }
       https.get(url, { headers } as any, (response: any) => {
         let data = '';
-        response.on('data', (chunk: string) => { data += chunk; });
-        response.on('end', () => resolve(data));
+        response.on('data', (chunk: string) => { data += chunk; });
+        response.on('end', () => {
+          if (response.statusCode !== 200) {
+            reject(new Error(
+              `GitHub raw request failed: ${url}\n` +
+              `  Status: ${response.statusCode}\n` +
+              `  Response: ${data.slice(0, 200)}`
+            ));
+            return;
+          }
+          resolve(data);
+        });
       }).on('error', reject);
     }).catch(reject);
   });
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/openapi/check-vendored-yaml.ts` around lines 74 - 82, The fetchText
function currently resolves the response body regardless of HTTP status; update
the https.get response handler in fetchText to inspect response.statusCode
(and/or response.status) and reject the Promise for non-2xx statuses (e.g.,
404/429/5xx) including status code and body/response message in the error so
callers like hasApiPaths don't get silent false negatives; keep the existing
headers logic (GITHUB_TOKEN) and still accumulate data on 'data' events, but on
'end' check status and call reject(...) for non-success codes, while resolving
only for successful 200-level responses.

🧹 Nitpick comments (4)

src/openapi/check-vendored-yaml.ts (1)

43-46: Consider centralizing GitHub header construction.

Both fetch paths duplicate the same header logic; a small helper would prevent drift.

♻️ Suggested refactor

 const GITHUB_TOKEN = process.env.GITHUB_TOKEN || '';
+
+function githubHeaders(): Record<string, string> {
+  const headers: Record<string, string> = { 'User-Agent': 'opentdf-docs-check-vendored-yaml' };
+  if (GITHUB_TOKEN) headers['Authorization'] = `token ${GITHUB_TOKEN}`;
+  return headers;
+}
...
-      const headers: Record<string, string> = { 'User-Agent': 'opentdf-docs-check-vendored-yaml' };
-      if (GITHUB_TOKEN) {
-        headers['Authorization'] = `token ${GITHUB_TOKEN}`;
-      }
-      https.get(url, { headers } as any, (response: any) => {
+      https.get(url, { headers: githubHeaders() } as any, (response: any) => {
...
-      const headers: Record<string, string> = { 'User-Agent': 'opentdf-docs-check-vendored-yaml' };
-      if (GITHUB_TOKEN) {
-        headers['Authorization'] = `token ${GITHUB_TOKEN}`;
-      }
-      https.get(url, { headers } as any, (response: any) => {
+      https.get(url, { headers: githubHeaders() } as any, (response: any) => {

Also applies to: 74-77

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/openapi/check-vendored-yaml.ts` around lines 43 - 46, The duplicated
GitHub header construction (creating headers with 'User-Agent' and optionally
'Authorization' using GITHUB_TOKEN) should be extracted into a small helper
(e.g., getGitHubHeaders or buildGitHubHeaders) that returns
Record<string,string> and is reused in both places where headers is currently
built (the places using the headers variable and GITHUB_TOKEN). Replace the
inline header creation with a call to that helper, keeping the same header keys
('User-Agent' and 'Authorization') and behavior when GITHUB_TOKEN is present.

docs/sdks/discovery.mdx (1)

3-3: Optional: keep title and H1 wording aligned.

Line 3 sets title to Discovery, while the page heading remains “Attribute Discovery”. Aligning both can reduce naming drift in docs UX.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/sdks/discovery.mdx` at line 3, The page title metadata currently reads
`title: Discovery` while the document H1 is “Attribute Discovery”; update one to
match the other for consistency—either change the frontmatter title to
`Attribute Discovery` or rename the H1 to `Discovery` (look for the `title:
Discovery` frontmatter and the H1 string "Attribute Discovery" and make them
identical).

docs/sdks/platform-client.mdx (1)

3-3: Consider aligning frontmatter title with the page H1.

Line 3 uses Architecture, while the visible H1 is “SDK Architecture: Core vs. Service Client”. Keeping both identical improves navigation/search consistency.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/sdks/platform-client.mdx` at line 3, The frontmatter title currently
reads "Architecture" but the page H1 is "SDK Architecture: Core vs. Service
Client"; update the frontmatter title to match the visible H1 (set title: "SDK
Architecture: Core vs. Service Client") or alternatively change the H1 to match
the frontmatter so both the frontmatter title and the H1 are identical for
consistent navigation/search.

docs/sdks/authentication.mdx (1)

39-45: Standardize endpoint format across SDK examples for consistency.

Java examples consistently use host-only endpoints (e.g., platformEndpoint("localhost:8080")) while Go and JavaScript examples use full URLs with schemes (e.g., http://localhost:8080). Although the Java SDK likely infers the scheme from context (e.g., the useInsecurePlaintextConnection() flag), updating Java examples to match the explicit format of other SDKs improves clarity and follows a uniform pattern across the documentation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/sdks/authentication.mdx` around lines 39 - 45, Update the Java SDK
example to use a full URL for the endpoint to match other SDK docs: change the
SDKBuilder call that sets platformEndpoint(...) so it receives an explicit
scheme (e.g., "http://localhost:8080") instead of just "localhost:8080"; keep
the useInsecurePlaintextConnection(true) flag as-is to indicate a dev-only
insecure connection. Ensure the example still uses SDKBuilder, platformEndpoint,
clientSecret, and useInsecurePlaintextConnection so readers can locate the
snippet easily.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/guides/authentication-guide.md`:
- Line 171: Update the phrasing in the bullet that starts with "Self-signed
certs in dev:" by replacing both occurrences of "dev" with "development" (the
line referencing useInsecurePlaintextConnection(true) should read "Self-signed
certs in development:" and mention trusting the development CA) to satisfy style
linting and maintain consistency.

In `@docs/sdks/authentication.mdx`:
- Line 68: The copy duplicates the adverb "only" in the sentences that reference
clientSecretAuthProvider; edit the text around the symbol
clientSecretAuthProvider to remove the redundant "only" (e.g., change either
"should only be used in Node.js or server-side environments" to "should be used
in Node.js or server-side environments" or change "currently available only" to
"currently available"), and make the same single-word edit at the other
occurrence that references clientSecretAuthProvider so both places are
consistent.

---

Outside diff comments:
In `@src/openapi/check-vendored-yaml.ts`:
- Around line 74-82: The fetchText function currently resolves the response body
regardless of HTTP status; update the https.get response handler in fetchText to
inspect response.statusCode (and/or response.status) and reject the Promise for
non-2xx statuses (e.g., 404/429/5xx) including status code and body/response
message in the error so callers like hasApiPaths don't get silent false
negatives; keep the existing headers logic (GITHUB_TOKEN) and still accumulate
data on 'data' events, but on 'end' check status and call reject(...) for
non-success codes, while resolving only for successful 200-level responses.

---

Nitpick comments:
In `@docs/sdks/authentication.mdx`:
- Around line 39-45: Update the Java SDK example to use a full URL for the
endpoint to match other SDK docs: change the SDKBuilder call that sets
platformEndpoint(...) so it receives an explicit scheme (e.g.,
"http://localhost:8080") instead of just "localhost:8080"; keep the
useInsecurePlaintextConnection(true) flag as-is to indicate a dev-only insecure
connection. Ensure the example still uses SDKBuilder, platformEndpoint,
clientSecret, and useInsecurePlaintextConnection so readers can locate the
snippet easily.

In `@docs/sdks/discovery.mdx`:
- Line 3: The page title metadata currently reads `title: Discovery` while the
document H1 is “Attribute Discovery”; update one to match the other for
consistency—either change the frontmatter title to `Attribute Discovery` or
rename the H1 to `Discovery` (look for the `title: Discovery` frontmatter and
the H1 string "Attribute Discovery" and make them identical).

In `@docs/sdks/platform-client.mdx`:
- Line 3: The frontmatter title currently reads "Architecture" but the page H1
is "SDK Architecture: Core vs. Service Client"; update the frontmatter title to
match the visible H1 (set title: "SDK Architecture: Core vs. Service Client") or
alternatively change the H1 to match the frontmatter so both the frontmatter
title and the H1 are identical for consistent navigation/search.

In `@src/openapi/check-vendored-yaml.ts`:
- Around line 43-46: The duplicated GitHub header construction (creating headers
with 'User-Agent' and optionally 'Authorization' using GITHUB_TOKEN) should be
extracted into a small helper (e.g., getGitHubHeaders or buildGitHubHeaders)
that returns Record<string,string> and is reused in both places where headers is
currently built (the places using the headers variable and GITHUB_TOKEN).
Replace the inline header creation with a call to that helper, keeping the same
header keys ('User-Agent' and 'Authorization') and behavior when GITHUB_TOKEN is
present.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 836ad35d-db3d-49b1-b784-83e69ca6a7e6

📥 Commits

Reviewing files that changed from the base of the PR and between 21b88e5 and 54a9a9a.

📒 Files selected for processing (9)

• docs/guides/authentication-guide.md
• docs/sdks/authentication.mdx
• docs/sdks/authorization.mdx
• docs/sdks/discovery.mdx
• docs/sdks/platform-client.mdx
• docs/sdks/policy.mdx
• docs/sdks/tdf.mdx
• docs/sdks/troubleshooting.mdx
• src/openapi/check-vendored-yaml.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Use “development” instead of “dev” to satisfy style linting.

Line 171 currently uses “dev” twice in one bullet; replacing with “development” avoids spelling/style failures and improves consistency.

📝 Suggested edit

-- **Self-signed certs in dev:** Use `useInsecurePlaintextConnection(true)` (Java) or configure your TLS settings to trust the dev CA.
+- **Self-signed certs in development:** Use `useInsecurePlaintextConnection(true)` (Java) or configure your TLS settings to trust the development CA.

🧰 Tools

🪛 GitHub Check: Vale

[failure] 171-171:
[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'dev'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'dev'?", "location": {"path": "docs/guides/authentication-guide.md", "range": {"start": {"line": 171, "column": 127}}}, "severity": "ERROR"}

---

[failure] 171-171:
[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'dev'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'dev'?", "location": {"path": "docs/guides/authentication-guide.md", "range": {"start": {"line": 171, "column": 26}}}, "severity": "ERROR"}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/guides/authentication-guide.md` at line 171, Update the phrasing in the
bullet that starts with "Self-signed certs in dev:" by replacing both
occurrences of "dev" with "development" (the line referencing
useInsecurePlaintextConnection(true) should read "Self-signed certs in
development:" and mention trusting the development CA) to satisfy style linting
and maintain consistency.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove duplicated “only” for readability.

There’s repeated adverb usage in both sentences (“should only be used…”, “currently available only…”).

✏️ Proposed wording cleanup

-`clientSecretAuthProvider` should only be used in Node.js or server-side environments.
+`clientSecretAuthProvider` should be used only in Node.js or server-side environments.
...
-Refresh token authentication is currently available only in the JavaScript SDK.
+Refresh token authentication is currently available in the JavaScript SDK only.

Also applies to: 137-137

🧰 Tools

🪛 LanguageTool

[style] ~68-~68: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ... only clientSecretAuthProvider should only be used in Node.js or server-side envir...

(ADVERB_REPETITION_PREMIUM)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/sdks/authentication.mdx` at line 68, The copy duplicates the adverb
"only" in the sentences that reference clientSecretAuthProvider; edit the text
around the symbol clientSecretAuthProvider to remove the redundant "only" (e.g.,
change either "should only be used in Node.js or server-side environments" to
"should be used in Node.js or server-side environments" or change "currently
available only" to "currently available"), and make the same single-word edit at
the other occurrence that references clientSecretAuthProvider so both places are
consistent.