chore: protocol update (#163)

* chore: proto update

* chore: update docs

* fix: ci

* fix: test

* chore: drop risk

* chore: update

* fix: lint

* chore: protocol update

* chore: update

* chore: update

Author: ecmadao

docs/data-sources/setting.md

@@ -17,12 +17,11 @@ The setting data source.
 
 ### Required
 
-- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES", "ENVIRONMENT", "PASSWORD_RESTRICTION", "SQL_RESULT_SIZE_LIMIT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
+- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES", "ENVIRONMENT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
 
 ### Optional
 
 - `classification` (Block List, Max: 1) Classification for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--classification))
-- `password_restriction` (Block List, Max: 1) Restrict for login password (see [below for nested schema](#nestedblock--password_restriction))
 - `semantic_types` (Block Set) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
 - `workspace_profile` (Block List, Max: 1) (see [below for nested schema](#nestedblock--workspace_profile))
 
@@ -42,10 +41,6 @@ Required:
 - `levels` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--classification--levels))
 - `title` (String) The classification title. Optional.
 
-Optional:
-
-- `classification_from_config` (Boolean) If true, we will only store the classification in the config. Otherwise we will get the classification from table/column comment, and write back to the schema metadata.
-
 <a id="nestedblock--classification--classifications"></a>
 ### Nested Schema for `classification.classifications`
 
@@ -74,20 +69,6 @@ Optional:
 
 
 
-<a id="nestedblock--password_restriction"></a>
-### Nested Schema for `password_restriction`
-
-Optional:
-
-- `min_length` (Number) min_length is the minimum length for password, should no less than 8.
-- `password_rotation_in_seconds` (Number) password_rotation requires users to reset their password after the duration. The duration should be at least 86400 (one day).
-- `require_letter` (Boolean) require_letter requires the password must contains at least one letter, regardless of upper case or lower case.
-- `require_number` (Boolean) require_number requires the password must contains at least one number.
-- `require_reset_password_for_first_login` (Boolean) require_reset_password_for_first_login requires users to reset their password after the 1st login.
-- `require_special_character` (Boolean) require_special_character requires the password must contains at least one special character.
-- `require_uppercase_letter` (Boolean) require_uppercase_letter requires the password must contains at least one upper case letter.
-
-
 <a id="nestedblock--semantic_types"></a>
 ### Nested Schema for `semantic_types`
 
@@ -164,6 +145,7 @@ Required:
 Optional:
 
 - `announcement` (Block List, Max: 1) Custom announcement. Will show as a banner in the Bytebase UI. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--workspace_profile--announcement))
+- `branding_logo` (String) The branding logo as a data URI (e.g. data:image/png;base64,...).
 - `database_change_mode` (String) The workspace database change mode, support EDITOR or PIPELINE. Default PIPELINE
 - `disallow_password_signin` (Boolean) Whether to disallow password signin (except workspace admins). Require ENTERPRISE subscription
 - `disallow_signup` (Boolean) Disallow self-service signup, users can only be invited by the owner. Require PRO subscription.
@@ -172,7 +154,9 @@ Optional:
 - `enforce_identity_domain` (Boolean) Only user and group from the domains can be created and login.
 - `external_url` (String) The URL user visits Bytebase. The external URL is used for: 1. Constructing the correct callback URL when configuring the VCS provider. The callback URL points to the frontend; 2. Creating the correct webhook endpoint when configuring the project GitOps workflow. The webhook endpoint points to the backend.
 - `maximum_role_expiration_in_seconds` (Number) The max duration in seconds for role expired. If the value is less than or equal to 0, we will remove the setting. AKA no limit.
+- `password_restriction` (Block List, Max: 1) Password restriction settings. (see [below for nested schema](#nestedblock--workspace_profile--password_restriction))
 - `token_duration_in_seconds` (Number) The duration for login token in seconds. The duration should be at least 3600 (one hour).
+- `watermark` (Boolean) Whether to display watermark on pages. Requires ENTERPRISE license.
 
 <a id="nestedblock--workspace_profile--announcement"></a>
 ### Nested Schema for `workspace_profile.announcement`
@@ -184,6 +168,20 @@ Optional:
 - `text` (String) The text of announcement. Leave it as empty string can clear the announcement
 
 
+<a id="nestedblock--workspace_profile--password_restriction"></a>
+### Nested Schema for `workspace_profile.password_restriction`
+
+Optional:
+
+- `min_length` (Number) min_length is the minimum length for password, should be no less than 8.
+- `password_rotation_in_seconds` (Number) password_rotation requires users to reset their password after the duration. The duration should be at least 86400 (one day).
+- `require_letter` (Boolean) require_letter requires the password must contain at least one letter, regardless of upper case or lower case.
+- `require_number` (Boolean) require_number requires the password must contain at least one number.
+- `require_reset_password_for_first_login` (Boolean) require_reset_password_for_first_login requires users to reset their password after the 1st login.
+- `require_special_character` (Boolean) require_special_character requires the password must contain at least one special character.
+- `require_uppercase_letter` (Boolean) require_uppercase_letter requires the password must contain at least one upper case letter.
+
+
 
 <a id="nestedblock--approval_flow"></a>
 ### Nested Schema for `approval_flow`

docs/data-sources/user.md

@@ -17,7 +17,7 @@ The user data source.
 
 ### Required
 
-- `name` (String) The user name in users/{user id or email} format.
+- `name` (String) The user name in users/{email} format.
 
 ### Read-Only
 

docs/resources/review_config.md

@@ -41,7 +41,28 @@ Required:
 
 Optional:
 
-- `comment` (String) The comment for the rule.
-- `payload` (String) The payload is a JSON string that varies by rule type. Check https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/SQL_REVIEW_RULES_DOCUMENTATION.md#payload-structure-types for all details
+- `comment_convention_payload` (Block List, Max: 1) Comment convention payload for rules: COLUMN_COMMENT, TABLE_COMMENT. (see [below for nested schema](#nestedblock--rules--comment_convention_payload))
+- `naming_case_payload` (Boolean) Naming case payload for rule: NAMING_IDENTIFIER_CASE. Set to true for UPPER case, false for LOWER case.
+- `naming_payload` (Block List, Max: 1) Naming payload for rules: NAMING_TABLE, NAMING_COLUMN, NAMING_COLUMN_AUTO_INCREMENT, NAMING_INDEX_FK, NAMING_INDEX_IDX, NAMING_INDEX_UK, NAMING_INDEX_PK, TABLE_DROP_NAMING_CONVENTION. (see [below for nested schema](#nestedblock--rules--naming_payload))
+- `number_payload` (Number) Number payload for rules: STATEMENT_INSERT_ROW_LIMIT, STATEMENT_AFFECTED_ROW_LIMIT, STATEMENT_WHERE_MAXIMUM_LOGICAL_OPERATOR_COUNT, STATEMENT_MAXIMUM_LIMIT_VALUE, STATEMENT_MAXIMUM_JOIN_TABLE_COUNT, STATEMENT_MAXIMUM_STATEMENTS_IN_TRANSACTION, COLUMN_MAXIMUM_CHARACTER_LENGTH, COLUMN_MAXIMUM_VARCHAR_LENGTH, COLUMN_AUTO_INCREMENT_INITIAL_VALUE, INDEX_KEY_NUMBER_LIMIT, INDEX_TOTAL_NUMBER_LIMIT, TABLE_TEXT_FIELDS_TOTAL_LENGTH, TABLE_LIMIT_SIZE, SYSTEM_COMMENT_LENGTH, ADVICE_ONLINE_MIGRATION.
+- `string_array_payload` (List of String) String array payload for rules: COLUMN_REQUIRED, COLUMN_TYPE_DISALLOW_LIST, INDEX_PRIMARY_KEY_TYPE_ALLOWLIST, INDEX_TYPE_ALLOW_LIST, SYSTEM_CHARSET_ALLOWLIST, SYSTEM_COLLATION_ALLOWLIST, SYSTEM_FUNCTION_DISALLOWED_LIST, TABLE_DISALLOW_DDL, TABLE_DISALLOW_DML.
+- `string_payload` (String) String payload for rule: STATEMENT_QUERY_MINIMUM_PLAN_LEVEL.
+
+<a id="nestedblock--rules--comment_convention_payload"></a>
+### Nested Schema for `rules.comment_convention_payload`
+
+Optional:
+
+- `max_length` (Number) The maximum length for the comment.
+- `required` (Boolean) Whether the comment is required.
+
+
+<a id="nestedblock--rules--naming_payload"></a>
+### Nested Schema for `rules.naming_payload`
+
+Optional:
+
+- `format` (String) The naming format regex pattern.
+- `max_length` (Number) The maximum length for the name.
 
 

docs/resources/setting.md

@@ -17,14 +17,13 @@ The setting resource.
 
 ### Required
 
-- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES", "ENVIRONMENT", "PASSWORD_RESTRICTION", "SQL_RESULT_SIZE_LIMIT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
+- `name` (String) The setting name in settings/{name} format. The name support "WORKSPACE_APPROVAL", "WORKSPACE_PROFILE", "DATA_CLASSIFICATION", "SEMANTIC_TYPES", "ENVIRONMENT". Check the proto https://github.com/bytebase/bytebase/blob/main/proto/v1/v1/setting_service.proto#L109 for details
 
 ### Optional
 
 - `approval_flow` (Block List) Configure risk level and approval flow for different tasks. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--approval_flow))
 - `classification` (Block List, Max: 1) Classification for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--classification))
 - `environment_setting` (Block List) The environment (see [below for nested schema](#nestedblock--environment_setting))
-- `password_restriction` (Block List, Max: 1) Restrict for login password (see [below for nested schema](#nestedblock--password_restriction))
 - `semantic_types` (Block Set) Semantic types for data masking. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--semantic_types))
 - `workspace_profile` (Block List, Max: 1) (see [below for nested schema](#nestedblock--workspace_profile))
 
@@ -73,10 +72,6 @@ Required:
 - `levels` (Block Set, Min: 1) (see [below for nested schema](#nestedblock--classification--levels))
 - `title` (String) The classification title. Optional.
 
-Optional:
-
-- `classification_from_config` (Boolean) If true, we will only store the classification in the config. Otherwise we will get the classification from table/column comment, and write back to the schema metadata.
-
 <a id="nestedblock--classification--classifications"></a>
 ### Nested Schema for `classification.classifications`
 
@@ -131,20 +126,6 @@ Read-Only:
 
 
 
-<a id="nestedblock--password_restriction"></a>
-### Nested Schema for `password_restriction`
-
-Optional:
-
-- `min_length` (Number) min_length is the minimum length for password, should no less than 8.
-- `password_rotation_in_seconds` (Number) password_rotation requires users to reset their password after the duration. The duration should be at least 86400 (one day).
-- `require_letter` (Boolean) require_letter requires the password must contains at least one letter, regardless of upper case or lower case.
-- `require_number` (Boolean) require_number requires the password must contains at least one number.
-- `require_reset_password_for_first_login` (Boolean) require_reset_password_for_first_login requires users to reset their password after the 1st login.
-- `require_special_character` (Boolean) require_special_character requires the password must contains at least one special character.
-- `require_uppercase_letter` (Boolean) require_uppercase_letter requires the password must contains at least one upper case letter.
-
-
 <a id="nestedblock--semantic_types"></a>
 ### Nested Schema for `semantic_types`
 
@@ -221,6 +202,7 @@ Required:
 Optional:
 
 - `announcement` (Block List, Max: 1) Custom announcement. Will show as a banner in the Bytebase UI. Require ENTERPRISE subscription. (see [below for nested schema](#nestedblock--workspace_profile--announcement))
+- `branding_logo` (String) The branding logo as a data URI (e.g. data:image/png;base64,...).
 - `database_change_mode` (String) The workspace database change mode, support EDITOR or PIPELINE. Default PIPELINE
 - `disallow_password_signin` (Boolean) Whether to disallow password signin (except workspace admins). Require ENTERPRISE subscription
 - `disallow_signup` (Boolean) Disallow self-service signup, users can only be invited by the owner. Require PRO subscription.
@@ -229,7 +211,9 @@ Optional:
 - `enforce_identity_domain` (Boolean) Only user and group from the domains can be created and login.
 - `external_url` (String) The URL user visits Bytebase. The external URL is used for: 1. Constructing the correct callback URL when configuring the VCS provider. The callback URL points to the frontend; 2. Creating the correct webhook endpoint when configuring the project GitOps workflow. The webhook endpoint points to the backend.
 - `maximum_role_expiration_in_seconds` (Number) The max duration in seconds for role expired. If the value is less than or equal to 0, we will remove the setting. AKA no limit.
+- `password_restriction` (Block List, Max: 1) Password restriction settings. (see [below for nested schema](#nestedblock--workspace_profile--password_restriction))
 - `token_duration_in_seconds` (Number) The duration for login token in seconds. The duration should be at least 3600 (one hour).
+- `watermark` (Boolean) Whether to display watermark on pages. Requires ENTERPRISE license.
 
 <a id="nestedblock--workspace_profile--announcement"></a>
 ### Nested Schema for `workspace_profile.announcement`
@@ -241,3 +225,17 @@ Optional:
 - `text` (String) The text of announcement. Leave it as empty string can clear the announcement
 
 
+<a id="nestedblock--workspace_profile--password_restriction"></a>
+### Nested Schema for `workspace_profile.password_restriction`
+
+Optional:
+
+- `min_length` (Number) min_length is the minimum length for password, should be no less than 8.
+- `password_rotation_in_seconds` (Number) password_rotation requires users to reset their password after the duration. The duration should be at least 86400 (one day).
+- `require_letter` (Boolean) require_letter requires the password must contain at least one letter, regardless of upper case or lower case.
+- `require_number` (Boolean) require_number requires the password must contain at least one number.
+- `require_reset_password_for_first_login` (Boolean) require_reset_password_for_first_login requires users to reset their password after the 1st login.
+- `require_special_character` (Boolean) require_special_character requires the password must contain at least one special character.
+- `require_uppercase_letter` (Boolean) require_uppercase_letter requires the password must contain at least one upper case letter.
+
+

docs/resources/user.md

@@ -32,7 +32,7 @@ The user resource.
 - `last_change_password_time` (String) The user last change password time.
 - `last_login_time` (String) The user last login time.
 - `mfa_enabled` (Boolean) The mfa_enabled flag means if the user has enabled MFA.
-- `name` (String) The user name in users/{user id or email} format.
+- `name` (String) The user name in users/{email} format.
 - `service_key` (String) The service key for service account.
 - `source` (String) Source means where the user comes from. For now we support Entra ID SCIM sync, so the source could be Entra ID.
 - `state` (String) The user is deleted or not.

examples/setup/approval_flow.tf

@@ -14,7 +14,7 @@ resource "bytebase_setting" "approval_flow" {
         ]
       }
 
-      source    = "DML"
+      source    = "CHANGE_DATABASE"
       condition = "resource.environment_id == \"prod\" && statement.affected_rows >= 100"
     }
 

examples/setup/main.tf

@@ -33,6 +33,12 @@ resource "bytebase_setting" "workspace_profile" {
   workspace_profile {
     external_url = "https://bytebase.example.com"
     domains      = ["bytebase.com"]
+
+    password_restriction {
+      min_length                             = 8
+      require_number                         = true
+      require_reset_password_for_first_login = true
+    }
   }
 }
 

examples/setup/project.tf

@@ -15,7 +15,7 @@ resource "bytebase_project" "sample_project" {
   webhooks {
     title = "Sample webhook 1"
     type  = "SLACK"
-    url   = "https://webhook.site/91fcd52a-39f1-4e7b-a43a-ddf72796d6b1"
+    url   = "https://hooks.slack.com"
     notification_types = [
       "NOTIFY_ISSUE_APPROVED",
       "NOTIFY_PIPELINE_ROLLOUT",
@@ -26,7 +26,7 @@ resource "bytebase_project" "sample_project" {
   webhooks {
     title = "Sample webhook 2"
     type  = "LARK"
-    url   = "https://webhook.site/91fcd52a-39f1-4e7b-a43a-ddf72796d6b1"
+    url   = "https://open.larksuite.com"
     notification_types = [
       "ISSUE_APPROVAL_NOTIFY",
       "ISSUE_PIPELINE_STAGE_STATUS_UPDATE"

examples/setup/sql_review.tf

@@ -13,31 +13,33 @@ resource "bytebase_review_config" "sample" {
     bytebase_project.sample_project.name
   ])
   rules {
-    type   = "column.no-null"
+    type   = "COLUMN_NO_NULL"
     engine = "MYSQL"
     level  = "WARNING"
   }
   rules {
-    type    = "column.required"
-    engine  = "MYSQL"
-    level   = "ERROR"
-    payload = "{\"list\":[\"id\",\"created_ts\",\"updated_ts\",\"creator_id\",\"updater_id\"]}"
+    type                 = "COLUMN_REQUIRED"
+    engine               = "MYSQL"
+    level                = "ERROR"
+    string_array_payload = ["id", "created_ts", "updated_ts", "creator_id", "updater_id"]
   }
   rules {
-    type   = "table.require-pk"
+    type   = "TABLE_REQUIRE_PK"
     engine = "MYSQL"
     level  = "ERROR"
   }
   rules {
-    type    = "naming.column"
-    engine  = "MYSQL"
-    level   = "ERROR"
-    payload = "{\"format\":\"^[a-z]+(_[a-z]+)*$\",\"maxLength\":64}"
+    type   = "NAMING_COLUMN"
+    engine = "MYSQL"
+    level  = "ERROR"
+    naming_payload {
+      format = "^[a-z]+(_[a-z]+)*$"
+    }
   }
   rules {
-    type    = "statement.maximum-limit-value"
-    engine  = "MYSQL"
-    level   = "ERROR"
-    payload = "{\"number\":1000}"
+    type           = "STATEMENT_MAXIMUM_LIMIT_VALUE"
+    engine         = "MYSQL"
+    level          = "ERROR"
+    number_payload = 1000
   }
 }

go.mod

@@ -5,8 +5,8 @@ go 1.24.4
 toolchain go1.24.5
 
 require (
-	buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251128062846-919a7a8657b9.2
-	buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.10-20251128062846-919a7a8657b9.1
+	buf.build/gen/go/bytebase/bytebase/connectrpc/go v1.19.1-20251213023536-6609958f901e.2
+	buf.build/gen/go/bytebase/bytebase/protocolbuffers/go v1.36.11-20251213023536-6609958f901e.1
 	connectrpc.com/connect v1.19.1
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/terraform-plugin-docs v0.13.0
@@ -15,11 +15,11 @@ require (
 	github.com/pkg/errors v0.9.1
 	google.golang.org/genproto v0.0.0-20250528174236-200df99c418a
 	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7
-	google.golang.org/protobuf v1.36.10
+	google.golang.org/protobuf v1.36.11
 )
 
 require (
-	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.10-20250912141014-52f32327d4b0.1 // indirect
+	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.11-20250912141014-52f32327d4b0.1 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.3 // indirect