Update protos

src/main/proto/kessel/inventory/v1beta1/relationships/k8spolicy_ispropagatedto_k8scluster.proto

@@ -15,7 +15,7 @@ option java_outer_classname = "K8SPolicyIsPropagatedToK8SClusterProto";
 message K8SPolicyIsPropagatedToK8SCluster {
 
   // Metadata about this resource
-  Metadata metadata = 1 [ (buf.validate.field) = {required: false, ignore: IGNORE_ALWAYS} ];
+  Metadata metadata = 1 [ (buf.validate.field) = {ignore: IGNORE_ALWAYS} ];
 
   // Write only reporter specific data
   ReporterData reporter_data = 245278793 [ json_name = "reporter_data", (buf.validate.field).required = true ];

src/main/proto/kessel/inventory/v1beta2/check_bulk_request.proto

@@ -0,0 +1,29 @@
+syntax = "proto3";
+
+package kessel.inventory.v1beta2;
+
+import "buf/validate/validate.proto";
+import "kessel/inventory/v1beta2/resource_reference.proto";
+import "kessel/inventory/v1beta2/subject_reference.proto";
+import "kessel/inventory/v1beta2/consistency.proto";
+
+
+option go_package = "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta2";
+option java_multiple_files = true;
+option java_package = "org.project_kessel.api.inventory.v1beta2";
+
+// CheckBulkRequestItem represents a single permission check in a bulk request.
+message CheckBulkRequestItem {
+  ResourceReference object = 1 [(buf.validate.field).required = true];
+  string relation = 2 [(buf.validate.field).string.min_len = 1];
+  SubjectReference subject = 3 [(buf.validate.field).required = true];
+}
+
+// CheckBulkRequest allows checking multiple permissions in a single request.
+// This is more efficient than making individual Check calls when verifying permissions
+// for multiple resource-subject-relation combinations.
+message CheckBulkRequest {
+	repeated CheckBulkRequestItem items = 1 [(buf.validate.field).repeated.min_items = 1,
+  (buf.validate.field).repeated.max_items = 1000];
+	Consistency consistency = 2;
+}

src/main/proto/kessel/inventory/v1beta2/check_bulk_response.proto

@@ -0,0 +1,33 @@
+syntax = "proto3";
+
+package kessel.inventory.v1beta2;
+
+import "kessel/inventory/v1beta2/check_bulk_request.proto";
+import "kessel/inventory/v1beta2/consistency_token.proto";
+import "kessel/inventory/v1beta2/allowed.proto";
+import "buf/validate/validate.proto";
+import "google/rpc/status.proto";
+
+option go_package = "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta2";
+option java_multiple_files = true;
+option java_package = "org.project_kessel.api.inventory.v1beta2";
+
+// CheckBulkResponseItem represents the result of a single permission check.
+message CheckBulkResponseItem {
+	Allowed allowed = 1;
+}
+
+// CheckBulkResponsePair associates a request item with its corresponding result.
+message CheckBulkResponsePair {
+	CheckBulkRequestItem request = 1;
+	oneof response {
+		CheckBulkResponseItem item = 2;
+		google.rpc.Status error = 3;
+	};
+}
+
+// CheckBulkResponse contains the results of all permission checks in the request.
+message CheckBulkResponse {
+	repeated CheckBulkResponsePair pairs = 1 [(buf.validate.field).repeated.min_items = 1];
+	ConsistencyToken consistency_token = 2;
+}

src/main/proto/kessel/inventory/v1beta2/inventory_service.proto

@@ -13,6 +13,8 @@ import "kessel/inventory/v1beta2/delete_resource_request.proto";
 import "kessel/inventory/v1beta2/delete_resource_response.proto";
 import "kessel/inventory/v1beta2/streamed_list_objects_request.proto";
 import "kessel/inventory/v1beta2/streamed_list_objects_response.proto";
+import "kessel/inventory/v1beta2/check_bulk_request.proto";
+import "kessel/inventory/v1beta2/check_bulk_response.proto";
 
 option go_package = "github.com/project-kessel/inventory-api/api/kessel/inventory/v1beta2";
 option java_multiple_files = true;
@@ -54,6 +56,27 @@ service KesselInventoryService {
     };
   }
 
+
+  // Performs bulk permission checks for multiple resource-subject-relation combinations.
+  //
+  // This API is more efficient than making individual Check calls when verifying permissions
+  // for multiple items. It answers questions like:
+  // "Which of these resources can subject *X* perform action *Y* on?"
+  //
+  // Common use cases include:
+  // - Filtering lists based on user permissions
+  // - Batch authorization checks before performing bulk operations
+  // - Dashboard rendering with multiple permission checks
+  // - Pre-authorization for UI components
+  //
+  // The response includes a result for each item in the request, maintaining the same order.
+  rpc CheckBulk (CheckBulkRequest) returns (CheckBulkResponse) {
+      option (google.api.http) = {
+        post: "/api/inventory/v1beta2/checkbulk"
+        body: "*"
+      };
+  }
+
   // Reports to Kessel Inventory that a Resource has been created or has been updated.
   //
   // Reporters can use this API to report facts about their resources in order to

src/main/proto/kessel/inventory/v1beta2/report_resource_request.proto

@@ -23,15 +23,15 @@ message ReportResourceRequest {
   // Used to:
   // - Select the appropriate schema to validate the *Reporter Representation*
   // - Identify a *Reporter's Representation* uniquely in Kessel Inventory
-  string type = 2 [(buf.validate.field).string = {min_len: 1}];
+  string type = 2 [(buf.validate.field).string = {min_len: 1}, (buf.validate.field).string.pattern = "^[A-Za-z0-9_-]+$"];
   // The type of the *Reporter* (e.g., "hbi", "acm", "acs", "notifications").
   //
   // Must be a previously agreed-upon value between the *Reporter* and Kessel Inventory.
   // Must be consistent across all *Reporter Representations* reported by a given *Reporter*.
   // Used to:
   // - Select the appropriate schema to validate the *Reporter Representation*
   // - Identify a *Reporter's Representation* uniquely in Kessel Inventory
-  string reporter_type = 3 [(buf.validate.field).string = {min_len: 1}];
+  string reporter_type = 3 [(buf.validate.field).string = {min_len: 1}, (buf.validate.field).string.pattern = "^[A-Za-z0-9_-]+$"];
   // Identifier for the specific instance of the *Reporter*.
   // This may not be applicable to all Reporters
   //

src/main/proto/kessel/inventory/v1beta2/reporter_reference.proto

@@ -9,6 +9,9 @@ option java_multiple_files = true;
 option java_package = "org.project_kessel.api.inventory.v1beta2";
 
 message ReporterReference {
-  string type = 1 [(buf.validate.field).string.min_len = 1];
-  optional string instance_id = 2;
+  string type = 1 [(buf.validate.field).string.min_len = 1, (buf.validate.field).string.pattern = "^[A-Za-z0-9_]+$"];
+  optional string instance_id = 2 [
+    (buf.validate.field).string.pattern =
+      "(?i)^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$|^[A-Za-z][A-Za-z0-9._-]{0,255}$"
+  ];
 }

src/main/proto/kessel/inventory/v1beta2/representation_metadata.proto

@@ -12,5 +12,8 @@ message RepresentationMetadata {
   string api_href = 2 [(buf.validate.field).string = {min_len: 1}];
   optional string console_href = 3 ;
   optional string reporter_version = 4;
+  oneof idempotency_key {
+    string transaction_id = 5;
+  }
 }
 

src/main/proto/kessel/inventory/v1beta2/representation_type.proto

@@ -9,6 +9,6 @@ option java_multiple_files = true;
 option java_package = "org.project_kessel.api.inventory.v1beta2";
 
 message RepresentationType {
-  string resource_type = 1 [(buf.validate.field).string.min_len = 1];
-  optional string reporter_type = 2;
+  string resource_type = 1 [(buf.validate.field).string.min_len = 1, (buf.validate.field).string.pattern = "^[A-Za-z0-9_]+$"];
+  optional string reporter_type = 2 [(buf.validate.field).string.pattern = "^[A-Za-z0-9_]+$"];
 }

src/main/proto/kessel/inventory/v1beta2/resource_reference.proto

@@ -11,7 +11,7 @@ option java_multiple_files = true;
 option java_package = "org.project_kessel.api.inventory.v1beta2";// A reference to a Subject or, if a `relation` is provided, a Subject Set.
 
 message ResourceReference {
-  string resource_type = 1 [(buf.validate.field).required = true];
+  string resource_type = 1 [(buf.validate.field).string.min_len = 1, (buf.validate.field).string.pattern = "^[A-Za-z0-9_]+$"];
   string resource_id = 2 [(buf.validate.field).string.min_len = 1];
   optional ReporterReference reporter = 3;
 }