fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results (#2860)

### Proposed Changes

* Make sure an entity identifier that breaks out into multiple entity
representations when back from the ERS response results in AND logic
across the representations on each individual resource
* Audit should log for each entity representation for clarity (possible
to provide an entity chain with dozens of email addresses in a single
identifier, so there should be a log to audit for each representation of
an entity from the chained email address entities)

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: jakedoublev

.github/workflows/checks.yaml

@@ -214,7 +214,7 @@ jobs:
           mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost
           cp opentdf-dev.yaml opentdf.yaml
           yq eval '.server.tls.enabled = true' -i opentdf.yaml
-          yq eval '.trace = {"enabled":true}' -i opentdf.yaml
+          yq eval '.server.trace.enabled = true' -i opentdf.yaml
       - name: Added Trusted Certs
         run: |
           sudo chmod -R 777 ./keys

service/authorization/v2/authorization.go

@@ -188,7 +188,7 @@ func (as *Service) GetDecision(ctx context.Context, req *connect.Request[authzV2
 		return nil, statusifyError(ctx, as.logger, err)
 	}
 
-	decisions, permitted, err := pdp.GetDecision(
+	decision, err := pdp.GetDecision(
 		ctx,
 		entityIdentifier,
 		action,
@@ -199,10 +199,15 @@ func (as *Service) GetDecision(ctx context.Context, req *connect.Request[authzV2
 	if err != nil {
 		return nil, statusifyError(ctx, as.logger, err)
 	}
-	resp, err := rollupSingleResourceDecision(permitted, decisions)
+
+	resourceDecisions, err := rollupResourceDecisions(decision)
 	if err != nil {
 		return nil, statusifyError(ctx, as.logger, err)
 	}
+
+	resp := &authzV2.GetDecisionResponse{
+		Decision: resourceDecisions[0],
+	}
 	return connect.NewResponse(resp), nil
 }
 
@@ -232,7 +237,7 @@ func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Re
 		return nil, statusifyError(ctx, as.logger, err)
 	}
 
-	decisions, allPermitted, err := pdp.GetDecision(
+	decision, err := pdp.GetDecision(
 		ctx,
 		entityIdentifier,
 		action,
@@ -244,14 +249,14 @@ func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Re
 		return nil, statusifyError(ctx, as.logger, errors.Join(ErrFailedToGetDecision, err))
 	}
 
-	resourceDecisions, err := rollupMultiResourceDecisions(decisions)
+	resourceDecisions, err := rollupResourceDecisions(decision)
 	if err != nil {
 		return nil, statusifyError(ctx, as.logger, err)
 	}
 
 	resp := &authzV2.GetDecisionMultiResourceResponse{
 		AllPermitted: &wrapperspb.BoolValue{
-			Value: allPermitted,
+			Value: decision.AllPermitted,
 		},
 		ResourceDecisions: resourceDecisions,
 	}
@@ -291,19 +296,19 @@ func (as *Service) GetDecisionBulk(ctx context.Context, req *connect.Request[aut
 		resources := request.GetResources()
 		fulfillableObligations := request.GetFulfillableObligationFqns()
 
-		decisions, allPermitted, err := pdp.GetDecision(ctx, entityIdentifier, action, resources, reqContext, fulfillableObligations)
+		decision, err := pdp.GetDecision(ctx, entityIdentifier, action, resources, reqContext, fulfillableObligations)
 		if err != nil {
 			return nil, statusifyError(ctx, as.logger, errors.Join(ErrFailedToGetDecision, err))
 		}
 
-		resourceDecisions, err := rollupMultiResourceDecisions(decisions)
+		resourceDecisions, err := rollupResourceDecisions(decision)
 		if err != nil {
 			return nil, statusifyError(ctx, as.logger, err, slog.Int("index", idx))
 		}
 
 		decisionResponse := &authzV2.GetDecisionMultiResourceResponse{
 			AllPermitted: &wrapperspb.BoolValue{
-				Value: allPermitted,
+				Value: decision.AllPermitted,
 			},
 			ResourceDecisions: resourceDecisions,
 		}