Fix: enforce restrictMetadata for non-system attributes even when allowSystemMetadata is true

[Copilot]

When allowSystemMetadata=true, DOC validation was completely bypassed for all attributes, allowing any undeclared attribute to pass through unchecked—far broader than the intended "permit system-generated metadata updates" scope.

Change

Tighten the exemption to only skip DOC validation for attributes explicitly present in systemGeneratedMetadataAttributes, while still enforcing restrictMetadata for everything else.

// Before — skips DOC validation for ALL attributes when allowSystemMetadata=true
if (restrictMetadata && !allowSystemMetadata) { ... }

// After — only exempts known system-generated attributes
if (restrictMetadata && !(allowSystemMetadata && systemGeneratedMetadataAttributes.contains(metadataEntry.getAttribute()))) { ... }

• allowSystemMetadata=false → behavior unchanged
• allowSystemMetadata=true, system attribute → exempted from DOC validation (intended)
• allowSystemMetadata=true, non-system attribute → still validated against DOC rules (fixed)

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• raw.github.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/HPC_DME_APIs/HPC_DME_APIs/src/hpc-server/hpc-app-service-impl org.codehaus.plexus.classworlds.launcher.Launcher compile -q (dns block)
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.12/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.12/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.12 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.12/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/HPC_DME_APIs/HPC_DME_APIs/src org.codehaus.plexus.classworlds.launcher.Launcher -f pom.xml -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

This PR narrows the allowSystemMetadata=true exemption so that DOC (Data Object Configuration) metadata validation is only skipped for explicitly recognized system-generated attributes, while keeping restrictMetadata enforcement for all other attributes.

Changes:

• Updated restrictMetadata gating so DOC declaration checks are bypassed only when the attribute is in systemGeneratedMetadataAttributes and allowSystemMetadata=true.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The exemption for DOC validation when allowSystemMetadata is true is currently keyed off the global systemGeneratedMetadataAttributes set. That set includes data-object-only system attributes (see constructor) in addition to the smaller collectionSystemGeneratedMetadataAttributeNames list. For collection metadata updates, this means object-only system attributes would also be treated as exempt from DOC validation. Consider using the collection/data-object specific system-attribute lists (or passing the relevant set into validateMetadata) so only resource-appropriate system attributes are exempted.

Suggested change

	&& systemGeneratedMetadataAttributes.contains(metadataEntry.getAttribute()))) {
	&& collectionSystemGeneratedMetadataAttributeNames.contains(metadataEntry.getAttribute()))) {