From 6e9966ae130ba0da5044aed505c0496bd44d1878 Mon Sep 17 00:00:00 2001
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:09:45 +0530
Subject: [PATCH 1/8] Update authority.proto
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/core/v3/authority.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xds/core/v3/authority.proto b/xds/core/v3/authority.proto
index d666c38e..2cc04297 100644
--- a/xds/core/v3/authority.proto
+++ b/xds/core/v3/authority.proto
@@ -15,8 +15,8 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 // xDS authority information.
 message Authority {
- string name = 1 [(validate.rules).string = {min_len: 1}];
-
+string name = 1 [(validate.rules).string = {min_len: 1, pattern: "^[0-9a-zA-Z_\\-\\.~:]+$"}];
+
 // .. space reserved for additional authority addressing information, e.g. for
 // resource signing, items such as CA trust chain, cert pinning may be added.
 }
From c1becb9276b91a290cb6f3f1a21f1b7100da1c39 Mon Sep 17 00:00:00 2001
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:10:36 +0530
Subject: [PATCH 2/8] Update cidr.proto
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/core/v3/cidr.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xds/core/v3/cidr.proto b/xds/core/v3/cidr.proto
index 76c78740..94928907 100644
--- a/xds/core/v3/cidr.proto
+++ b/xds/core/v3/cidr.proto
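Review bot: The replacement `name` line has lost its leading indentation (the content starts immediately after the `+`, whereas the removed line and the surrounding comment lines are indented), so the field no longer lines up inside `message Authority`; restore the indent on `string name = 1 [...]`. Separately, the new allowlist `^[0-9a-zA-Z_\\-\\.~:]+$` rejects any authority containing `[`, `]`, `@`, `%` or non-ASCII characters, so if authorities may be URI authority components (bracketed IPv6 literals, percent-encoded names) those existing values start failing validation — a tightening of a published field that deserves a compatibility note in the commit description. The same character set is applied to `authority` in resource_locator.proto and resource_name.proto later in this series, so the decision should be taken once and documented in one place.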
@@ -16,8 +16,8 @@ option go_package = "github.com/cncf/xds/go/xds/core/v3";
 // the subnet mask for a `CIDR `_ range.
 message CidrRange {
 // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
- string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
-
+ string address_prefix = 1 [(validate.rules).string = {address: true}];
+
 // Length of prefix, e.g. 0, 32. Defaults to 0 when unset.
 google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];
 }
From f3999b9af991ee992f2ad5c84ea25620c8e97e90 Mon Sep 17 00:00:00 2001
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:14:38 +0530
Subject: [PATCH 3/8] Update resource_locator.proto
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/core/v3/resource_locator.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xds/core/v3/resource_locator.proto b/xds/core/v3/resource_locator.proto
index 9b40d52f..0dcd484a 100644
--- a/xds/core/v3/resource_locator.proto
+++ b/xds/core/v3/resource_locator.proto
@@ -44,13 +44,13 @@ message ResourceLocator {
 // Opaque identifier for the resource. Any '/' will not be escaped during URI
 // encoding and will form part of the URI path. This may end
 // with ‘*’ for glob collection references.
- string id = 2;
+ string id = 2 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\./~:]*$"}];
 // Logical authority for resource (not necessarily transport network address).
 // Authorities are opaque in the xDS API, data-plane load balancers will map
 // them to concrete network transports such as an xDS management server, e.g.
 // via envoy.config.core.v3.ConfigSource.
- string authority = 3;
+ string authority = 3 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\.~:]*$"}];
 // Fully qualified resource type (as in type URL without types.googleapis.com/
 // prefix).
From 6aea8d590950da846c8e57c394423d75e381d336 Mon Sep 17 00:00:00 2001
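Review bot: `address: true` is broader than the field's documented contents — in protoc-gen-validate the `address` rule accepts either a valid hostname or an IP address, so a value such as `example.com` would now pass validation for a field the comment describes as an IPv4 or IPv6 address. `string address_prefix = 1 [(validate.rules).string = {ip: true}];` matches the comment and still rejects the empty string the removed `min_len: 1` guarded against. The 128 bound on `prefix_len` is unchanged and is not tied to the address family, which is pre-existing and not introduced here.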
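Review bot: The new pattern on `id` excludes `*`, yet the comment three lines above says the identifier "may end with ‘*’ for glob collection references", so every glob collection locator now fails validation; either admit a trailing glob, e.g. `pattern: "^[0-9a-zA-Z_\\-\\./~:]*\\*?$"` if only a trailing `*` is meant, or drop the rule on `id`. The same comment says `/` is left unescaped "during URI encoding", which implies other characters are percent-encoded rather than forbidden and sits oddly with an allowlist that rejects `%`; if the restriction is intentional, the "Opaque identifier" and "opaque in the xDS API" wording on `id` and `authority` should be updated to state the accepted grammar. `message ResourceLocator` continues outside the hunk.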
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:15:53 +0530
Subject: [PATCH 4/8] Update resource_name.proto
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/core/v3/resource_name.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xds/core/v3/resource_name.proto b/xds/core/v3/resource_name.proto
index 0f3d9974..8b02c956 100644
--- a/xds/core/v3/resource_name.proto
+++ b/xds/core/v3/resource_name.proto
@@ -26,12 +26,12 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 message ResourceName {
 // Opaque identifier for the resource. Any '/' will not be escaped during URI
 // encoding and will form part of the URI path.
- string id = 1;
+ string id = 1 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\./~:]*$"}];
 // Logical authority for resource (not necessarily transport network address).
 // Authorities are opaque in the xDS API, data-plane load balancers will map
 // them to concrete network transports such as an xDS management server.
- string authority = 2;
+ string authority = 2 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\.~:]*$"}];
 // Fully qualified resource type (as in type URL without types.googleapis.com/
 // prefix).
From bc44986c8718e490c7ef19156d3ff74e960f5cf0 Mon Sep 17 00:00:00 2001
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:18:16 +0530
Subject: [PATCH 5/8] Update matcher.proto
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/type/matcher/v3/matcher.proto | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/xds/type/matcher/v3/matcher.proto b/xds/type/matcher/v3/matcher.proto
index cc03ff6e..d521171c 100644
--- a/xds/type/matcher/v3/matcher.proto
+++ b/xds/type/matcher/v3/matcher.proto
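Review bot: The comments kept in this hunk still call `id` an "Opaque identifier" and say authorities are "opaque in the xDS API", which stops being true once a character allowlist is enforced, and a reader of the generated docs cannot learn the restriction from the field type. Add a sentence to each comment stating the accepted set, e.g. `// Must match ^[0-9a-zA-Z_\-./~:]*$; any other character is rejected by validation.` on `id` and the corresponding set (without `/`) on `authority`. `message ResourceName` continues outside the hunk.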
@@ -2,6 +2,7 @@ syntax = "proto3";
 package xds.type.matcher.v3;
+import "xds/annotations/v3/security.proto";
 import "xds/core/v3/extension.proto";
 import "xds/type/matcher/v3/string.proto";
@@ -107,7 +108,10 @@ message Matcher {
 message MatcherTree {
 // A map of configured matchers. Used to allow using a map within a oneof.
 message MatchMap {
- map map = 1 [(validate.rules).map = {min_pairs: 1}];
+ map map = 1 [
+ (validate.rules).map = {min_pairs: 1},
+ (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+ ];
 }
 // Protocol-specific specification of input field to match on.
From 5717a2f45b658b20b559bab5bffa434f99e7bd92 Mon Sep 17 00:00:00 2001
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:19:45 +0530
Subject: [PATCH 6/8] Update regex.proto
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/type/matcher/v3/regex.proto | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/xds/type/matcher/v3/regex.proto b/xds/type/matcher/v3/regex.proto
index 3ff4ca95..26343abe 100644
--- a/xds/type/matcher/v3/regex.proto
+++ b/xds/type/matcher/v3/regex.proto
@@ -2,6 +2,7 @@ syntax = "proto3";
 package xds.type.matcher.v3;
+import "xds/annotations/v3/security.proto";
 import "validate/validate.proto";
 option java_package = "com.github.xds.type.matcher.v3";
@@ -42,5 +43,8 @@ message RegexMatcher {
 // The regex match string. The string must be supported by the configured
 // engine.
- string regex = 2 [ (validate.rules).string = {min_len : 1} ];
+ string regex = 2 [
+ (validate.rules).string = {min_len : 1},
+ (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+ ];
 }
From bc3eac7271e00e74beb44ef47136936e76ee0e1b Mon Sep 17 00:00:00 2001
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:25:24 +0530
Subject: [PATCH 7/8] Update string.proto
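Review bot: `configure_for_untrusted_downstream`, going by its name and by how Envoy-style security annotations are used, marks a field an operator should explicitly set when downstreams are untrusted — a hardening knob — whereas `MatchMap.map` is the match table itself and is already mandatory through `min_pairs: 1`, so the annotation does not express the concern that seems intended (match keys may come from less-trusted configuration) and any docs generated from it would tell operators to "configure" a field they cannot omit. If the aim is to record where less-trusted input is consumed, a field comment stating that is more precise than this annotation. The same observation applies to the annotations added to `regex` in regex.proto and to the `StringMatcher` fields in string.proto. The `map map = 1` shown here appears to have lost its key/value type parameters in rendering; the patch itself presumably still carries them.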
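Review bot: The annotation on `regex` adds no enforceable bound: a pattern from a less-trusted source matters mainly through its size and complexity, and after this hunk `min_len : 1` is still the only constraint. A length cap in the same rule, `(validate.rules).string = {min_len : 1, max_len: <LIMIT>}` with `<LIMIT>` chosen for the deployment, gives validators something concrete to act on, while program-size limits remain the engine's responsibility. `message RegexMatcher` begins outside the hunk.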
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/type/matcher/v3/string.proto | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/xds/type/matcher/v3/string.proto b/xds/type/matcher/v3/string.proto
index e58cb413..12ec3184 100644
--- a/xds/type/matcher/v3/string.proto
+++ b/xds/type/matcher/v3/string.proto
@@ -2,6 +2,7 @@ syntax = "proto3";
 package xds.type.matcher.v3;
+import "xds/annotations/v3/security.proto";
 import "xds/core/v3/extension.proto";
 import "xds/type/matcher/v3/regex.proto";
@@ -25,7 +26,7 @@ message StringMatcher {
 // Examples:
 //
 // * *abc* only matches the value *abc*.
- string exact = 1;
+ string exact = 1 [(xds.annotations.v3.security).configure_for_untrusted_downstream = true];
 // The input string must have the prefix specified here.
 // Note: empty prefix is not allowed, please use regex instead.
@@ -33,7 +34,10 @@ message StringMatcher {
 // Examples:
 //
 // * *abc* matches the value *abc.xyz*
- string prefix = 2 [(validate.rules).string = {min_len: 1}];
+ string prefix = 2 [
+ (validate.rules).string = {min_len: 1},
+ (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+ ];
 // The input string must have the suffix specified here.
 // Note: empty prefix is not allowed, please use regex instead.
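Review bot: The `exact` line is the only field in this series that keeps the new annotation on a single line, and at well over 80 characters it breaks the column convention the file otherwise follows; `prefix`, `suffix`, `safe_regex` and `contains` all use the bracketed multi-line form, so `exact` should match: `string exact = 1 [`, `  (xds.annotations.v3.security).configure_for_untrusted_downstream = true`, `];`. `message StringMatcher` starts and ends outside the hunk.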
@@ -41,10 +45,16 @@ message StringMatcher {
 // Examples:
 //
 // * *abc* matches the value *xyz.abc*
- string suffix = 3 [(validate.rules).string = {min_len: 1}];
+ string suffix = 3 [
+ (validate.rules).string = {min_len: 1},
+ (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+ ];
 // The input string must match the regular expression specified here.
- RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}];
+ RegexMatcher safe_regex = 5 [
+ (validate.rules).message = {required: true},
+ (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+ ];
 // The input string must have the substring specified here.
 // Note: empty contains match is not allowed, please use regex instead.
@@ -52,7 +62,10 @@ message StringMatcher {
 // Examples:
 //
 // * *abc* matches the value *xyz.abc.def*
- string contains = 7 [(validate.rules).string = {min_len: 1}];
+ string contains = 7 [
+ (validate.rules).string = {min_len: 1},
+ (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+ ];
 // Use an extension as the matcher type.
 // [#extension-category: envoy.string_matcher]
From af905de77d1fec3aa4c2fda1de3d084e043d85a7 Mon Sep 17 00:00:00 2001
From: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
Date: Sun, 8 Mar 2026 22:27:43 +0530
Subject: [PATCH 8/8] Update range.proto
Signed-off-by: Sanjay Jangid <136222049+sanjay20m@users.noreply.github.com>
---
 xds/type/v3/range.proto | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/xds/type/v3/range.proto b/xds/type/v3/range.proto
index 8fc97ab2..afcca34b 100644
--- a/xds/type/v3/range.proto
+++ b/xds/type/v3/range.proto
@@ -2,6 +2,8 @@ syntax = "proto3";
 package xds.type.v3;
+import "validate/validate.proto";
+
 option java_package = "com.github.xds.type.v3";
 option java_outer_classname = "RangeProto";
 option java_multiple_files = true;
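Review bot: `safe_regex` is a message-typed field whose only payload, `RegexMatcher.regex`, receives the same annotation in regex.proto earlier in this series, so the concern is recorded twice for one value and a doc generator would emit the note at both levels; annotate either the leaf field or the container, not both. If the intent is that every alternative of `StringMatcher` is tagged uniformly, a single comment above the enclosing group saying so is clearer than repeating the annotation on each member. The enclosing message and the grouping construct these fields belong to both lie outside the hunk.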
@@ -16,7 +18,7 @@ message Int64Range {
 int64 start = 1;
 // end of the range (exclusive)
- int64 end = 2;
+ int64 end = 2 [(validate.rules).int64 = {gt_field: "start"}];
 }
 // Specifies the int32 start and end of the range using half-open interval
@@ -26,7 +28,7 @@ message Int32Range {
 int32 start = 1;
 // end of the range (exclusive)
- int32 end = 2;
+ int32 end = 2 [(validate.rules).int32 = {gt_field: "start"}];
 }
 // Specifies the double start and end of the range using half-open interval
@@ -36,5 +38,5 @@ message DoubleRange {
 double start = 1;
 // end of the range (exclusive)
- double end = 2;
+ double end = 2 [(validate.rules).double = {gt_field: "start"}];
 }
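Review bot: `gt_field` is not a rule protoc-gen-validate defines — unless this repository vendors a modified validate.proto, `Int64Rules`, `Int32Rules` and `DoubleRules` only offer `const`, `lt`, `lte`, `gt`, `gte`, `in`, `not_in` and `ignore_empty`, none of which can reference another field — so protoc will reject `{gt_field: "start"}` as an unknown option field in all three hunks (Int64Range, Int32Range, DoubleRange). A cross-field constraint needs either a message-level CEL expression (protovalidate) or a check in the consumer; if the rules are dropped, the `import "validate/validate.proto"` added in the previous hunk becomes unused and should go too. Note also that these messages document half-open `[start, end)` semantics, under which `start == end` is the legitimate empty range, so even a working constraint should probably be `>=` rather than strictly greater.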