fix(core): Don't require known manager names (#2792)

### Proposed Changes

* The policy service's list of known managers is not exhaustive; that is
up to each KAS
* Adds more logging to help identify misspelled or forgotten mgrs


### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: dmihalcik-virtru

service/kas/kas.go

@@ -61,6 +61,8 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					}
 				}
 
+				var kmgrNames []string
+
 				if kasCfg.Preview.KeyManagement {
 					srp.Logger.Info("preview feature: key management is enabled")
 
@@ -75,17 +77,18 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					p.KeyDelegator = trust.NewDelegatingKeyService(NewPlatformKeyIndexer(srp.SDK, kasURL.String(), srp.Logger), srp.Logger, cacheClient)
 					for _, manager := range srp.KeyManagerFactories {
 						p.KeyDelegator.RegisterKeyManager(manager.Name, manager.Factory)
+						kmgrNames = append(kmgrNames, manager.Name)
 					}
 
 					// Register Basic Key Manager
-
 					p.KeyDelegator.RegisterKeyManager(security.BasicManagerName, func(opts *trust.KeyManagerFactoryOptions) (trust.KeyManager, error) {
 						bm, err := security.NewBasicManager(opts.Logger, opts.Cache, kasCfg.RootKey)
 						if err != nil {
 							return nil, err
 						}
 						return bm, nil
 					})
+					kmgrNames = append(kmgrNames, security.BasicManagerName)
 					// Explicitly set the default manager for session key generation.
 					// This should be configurable, e.g., defaulting to BasicManager or an HSM if available.
 					p.KeyDelegator.SetDefaultMode(security.BasicManagerName) // Example: default to BasicManager
@@ -102,7 +105,9 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					})
 					// Set default for non-key-management mode
 					p.KeyDelegator.SetDefaultMode(inProcessService.Name())
+					kmgrNames = append(kmgrNames, inProcessService.Name())
 				}
+				srp.Logger.Info("kas registered trust.KeyManagers", slog.Any("key_managers", kmgrNames))
 
 				p.SDK = srp.SDK
 				p.Logger = srp.Logger

service/policy/keymanagement/key_management.go

@@ -112,7 +112,9 @@ func (ksvc Service) CreateProviderConfig(ctx context.Context, req *connect.Reque
 		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("manager field is required"))
 	}
 	if !ksvc.isManagerRegistered(manager) {
-		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("manager type '%s' is not registered", manager))
+		ksvc.logger.WarnContext(ctx, "create provider: manager type is not registered",
+			slog.String("manager", manager),
+			slog.Any("registered_managers", ksvc.listManagerNames()))
 	}
 
 	auditParams := audit.PolicyEventParams{
@@ -186,10 +188,8 @@ func (ksvc Service) UpdateProviderConfig(ctx context.Context, req *connect.Reque
 
 	// Validate manager type if provided
 	manager := req.Msg.GetManager()
-	if manager != "" {
-		if !ksvc.isManagerRegistered(manager) {
-			return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("manager type '%s' is not registered", manager))
-		}
+	if manager != "" && !ksvc.isManagerRegistered(manager) {
+		ksvc.logger.WarnContext(ctx, "update provider: manager type is not registered", slog.String("manager", manager))
 	}
 
 	auditParams := audit.PolicyEventParams{
@@ -278,3 +278,11 @@ func (ksvc *Service) isManagerRegistered(managerName string) bool {
 	}
 	return false
 }
+
+func (ksvc Service) listManagerNames() []string {
+	names := make([]string, 0, len(ksvc.keyManagerFactories))
+	for _, factory := range ksvc.keyManagerFactories {
+		names = append(names, factory.Name)
+	}
+	return names
+}

service/trust/delegating_key_service.go

@@ -6,6 +6,8 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"maps"
+	"slices"
 	"sync"
 
 	"github.com/opentdf/platform/lib/ocrypto"
@@ -198,6 +200,7 @@ func (d *DelegatingKeyService) getKeyManager(ctx context.Context, name string) (
 	factory, factoryExists := d.managerFactories[name]
 	// Read defaultMode under lock for comparison.
 	currentDefaultMode := d.defaultMode
+	allNames := slices.Collect(maps.Keys(d.managerFactories))
 	d.mutex.Unlock()
 
 	if factoryExists {
@@ -221,6 +224,7 @@ func (d *DelegatingKeyService) getKeyManager(ctx context.Context, name string) (
 	// If 'name' was the defaultMode, _defKM will error if its factory is also missing.
 	// If 'name' was not the defaultMode, we fall back to the default manager.
 	d.l.Debug("key manager factory not found for name, attempting to use/load default",
+		slog.Any("key_managers", allNames),
 		slog.String("requested_name", name),
 		slog.String("configured_default_mode", currentDefaultMode),
 	)