feat: Add multi-selector support to flagd

[Nilushiya]

This PR
Adds multi-selector support for flag evaluation and sync by allowing clients to pass an ordered list of selectors and merging results so later selectors override earlier ones.
Adds HTTP header support for multi-selectors via the new flag-selector header (comma-separated), with fallback to the existing Flagd-Selector header.
Implements ordered multi-merge for ResolveAll by evaluating per selector in sequence and merging by flag key.
Related Issues
Fixes #1234523

Notes
New header: flag-selector (preferred). Example: flag-selector: flagSetId=base,flagSetId=tenantA,flagSetId=tenantB
Backward compatible: existing Flagd-Selector still works (single selector), and also works with comma-separated selector lists after this change.
Merge semantics: selectors are applied left-to-right; later selector results override earlier ones for the same FlagKey.
Key code changes:
flagd/pkg/service/constants.go: adds FLAG_SELECTOR_HEADER = "flag-selector"
flagd/pkg/service/selector.go: helper functions to read selector expression from HTTP headers and gRPC metadata (prefers flag-selector)
flagd/pkg/service/flag-evaluation/selector_merge.go: adds ResolveAllWithSelectorMerge to evaluate selectors in order and merge results
flagd/pkg/service/flag-evaluation/flag_evaluator_v1.go and flagd/pkg/service/flag-evaluation/flag_evaluator.go: ResolveAll now uses ResolveAllWithSelectorMerge
flagd/pkg/service/flag-sync/handler.go: adds ordered selector parsing + merge for sync fetch/stream
Tests added/updated:
flagd/pkg/service/selector_test.go
flagd/pkg/service/flag-sync/handler_test.go
flagd/pkg/service/flag-evaluation/ofrep/handler_test.go
Follow-up Tasks
Extend multi-selector behavior consistently to other evaluation endpoints (non-bulk Resolve* calls) if required.
Align streaming/watch behavior for multi-selectors across all services (if stricter per-selector watch semantics are needed).
How to test
Build and run:
docker build -f flagd/build.Dockerfile -t flagd:multi-selector .
docker compose up -d
Postman (ResolveAll):
POST http://localhost:8013/flagd.evaluation.v1.Service/ResolveAll
Headers:
Content-Type: application/json
flag-selector: flagSetId=base,flagSetId=tenantA (order matters)
Body: {} or {"context":{"Hospital":"A1"}}
Expect: flags from tenantA override flags from base for overlapping keys.
refer this repo : https://github.com/Nilushiya/Multi-tenat-with-multi-selector.git

[netlify]

✅ Deploy Preview for polite-licorice-3db33c canceled.

Name	Link
🔨 Latest commit	f59c005
🔍 Latest deploy log	https://app.netlify.com/projects/polite-licorice-3db33c/deploys/69bcaf7d6382c30008a049a7

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances flagd's capability to manage feature flags in multi-tenant or hierarchical environments. By introducing multi-selector support, clients can now specify multiple flag sets to be evaluated in a defined order, enabling more granular control and dynamic configuration overrides. This change provides greater flexibility for developers to implement sophisticated flag management strategies, improving the adaptability of applications.

Highlights

• Multi-selector Support: Introduced the ability to pass an ordered list of selectors for flag evaluation and synchronization, allowing for complex, layered flag configurations.
• HTTP Header Integration: Added support for multi-selectors via a new "flag-selector" HTTP header (comma-separated), with backward compatibility for the existing "Flagd-Selector" header.
• Ordered Merge Logic: Implemented ResolveAllWithSelectorMerge to evaluate flags based on multiple selectors in sequence, ensuring that results from later selectors override earlier ones for the same flag key.

Changelog

• flagd/pkg/service/constants.go
  • Added a new constant FLAG_SELECTOR_HEADER for the preferred multi-selector HTTP header.
• flagd/pkg/service/flag-evaluation/flag_evaluator.go
  • Updated ResolveAll to utilize the new ResolveAllWithSelectorMerge function, enabling multi-selector evaluation.
• flagd/pkg/service/flag-evaluation/flag_evaluator_v1.go
  • Modified ResolveAll to integrate ResolveAllWithSelectorMerge for multi-selector support in the v1 evaluation service.
• flagd/pkg/service/flag-evaluation/ofrep/handler.go
  • Changed HandleFlagEvaluation and HandleBulkEvaluation to use the new SelectorExpressionFromHTTPHeaders and ResolveAllWithSelectorMerge for processing multiple selectors.
• flagd/pkg/service/flag-evaluation/ofrep/handler_test.go
  • Added necessary imports and a new test case to verify that HandleBulkEvaluation correctly processes the flag-selector header for ordered evaluation.
• flagd/pkg/service/flag-evaluation/selector_merge.go
  • Introduced a new file containing ResolveAllWithSelectorMerge and splitSelectorExpression functions, which handle the logic for evaluating multiple selectors and merging their results in a defined order.
• flagd/pkg/service/flag-sync/handler.go
  • Refactored SyncFlags and FetchAllFlags to support multi-selectors, including new helper functions parseSelectorList and fetchMergedFlags for processing and merging flags from multiple sources.
• flagd/pkg/service/flag-sync/handler_test.go
  • Added a mockMergeStore and new test cases to validate the multi-selector override logic in FetchAllFlags and fetchMergedFlags.
• flagd/pkg/service/selector.go
  • Created a new file with utility functions SelectorExpressionFromHTTPHeaders and SelectorExpressionFromGRPCMetadata to extract selector expressions from HTTP headers and gRPC metadata, prioritizing the new flag-selector header.
• flagd/pkg/service/selector_test.go
  • Added new test cases to verify the correct parsing of selector expressions from HTTP headers and gRPC metadata.

Activity

• No human activity has occurred on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces multi-selector support for flag evaluation and synchronization. However, the current implementation has critical security concerns, notably a vulnerability to Denial of Service (DoS) attacks due to the lack of limits on the number of selectors processed in a single request, affecting both evaluation and synchronization services. There's also a logic error in the OFREP single evaluation endpoint that could lead to broken access control by incorrectly parsing multi-selector headers. Additionally, inconsistencies in the flag merging logic for the sync service and redundant code in the gRPC header parsing require attention to ensure overall correctness and consistency.

[gemini-code-assist]

The fetchMergedFlags function, used by both SyncFlags and FetchAllFlags, is vulnerable to a Denial of Service (DoS) attack. It iterates over an unbounded list of selectors and performs a store query for each, which is an expensive operation triggered on every flag update when multiple selectors are used. This loop lacks a limit on the number of selectors and does not check for context cancellation. Additionally, the merging logic uses a composite key of (flagSetID, key), which is inconsistent with the requirement to override flags based on the FlagKey alone. This will not perform an override if two flags have the same key but different FlagSetIds. To ensure correct override behavior and mitigate the DoS vulnerability, implement a limit on the number of selectors in parseSelectorList, ensure the merge loop respects context cancellation, and use only the flag key for merging.

type flagIdentifier struct {
	key string
}

merged := map[string]model.Flag{}
for _, selector := range selectors {
	flags, _, err := s.store.GetAll(ctx, &selector)
	if err != nil {
		return nil, err
	}
	for _, flag := range flags {
		merged[flag.Key] = flag
	}

[gemini-code-assist]

The ResolveAllWithSelectorMerge function is vulnerable to a Denial of Service (DoS) attack. It splits the selectorExpression by commas and iterates over the resulting slice without any limit on the number of selectors. An attacker can provide a large number of selectors in the request headers, causing the server to perform a full flag evaluation for each one. This process consumes significant CPU and memory, and the loop does not check for context cancellation (ctx.Done()), meaning it will run to completion even if the client disconnects.

Remediation: Implement a limit on the maximum number of selectors allowed (e.g., 10) and check the context status at the beginning of each iteration.

[gemini-code-assist]

In HandleFlagEvaluation, the selectorExpression (which can now be a comma-separated list of multiple selectors) is passed directly to store.NewSelector. This is a critical logic error as store.NewSelector is designed for a single selector, leading to incorrect parsing or an empty selector. This can cause the evaluator to fall back to the highest priority flag across all sources, potentially bypassing intended isolation between flag sets (e.g., tenant isolation), which is a broken access control vulnerability. This behavior is inconsistent with HandleBulkEvaluation. Update this endpoint to correctly handle multi-selectors, for example by splitting the expression and using the first valid selector if multi-merge is not yet supported for single evaluations.

[gemini-code-assist]

The logic for reading gRPC metadata is a bit complex and contains redundancy. Specifically, FLAG_SELECTOR_HEADER is checked twice. Also, gRPC metadata keys are typically normalized to lowercase, so checking for the original case of headers is often unnecessary and can be confusing.

Simplifying this function would improve readability and maintainability while retaining the correct behavior of prioritizing the new flag-selector header.

func SelectorExpressionFromGRPCMetadata(md metadata.MD) string {
	// gRPC metadata keys are conventionally lowercase.
	if selectors := strings.TrimSpace(strings.Join(md.Get(strings.ToLower(FLAG_SELECTOR_HEADER)), ",")); selectors != "" {
		return selectors
	}

	// Fallback to the old header.
	return strings.TrimSpace(strings.Join(md.Get(strings.ToLower(FLAGD_SELECTOR_HEADER)), ","))
}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[toddbaert]

Hey @Nilushiya - we intentionally did not implement this so far. Hypothetically it's possible (as well as other interesting options, such as selecting flags with particular metadata or other characteristics) but I don't think we understand our use-cases well-enough now to accept this work.

I would start with opening an issue, or an enhancement to this architecture document to discuss justifications and options.

[Nilushiya]

Hi Todd, I hope you’re doing well. Thank you for your feedback on the other PR (#1898). I understand your point regarding the need for clearer use cases and further discussion before proceeding with that approach. I wanted to kindly follow up on my PR: #1905 This update focuses on aligning the CRD definition with the latest flagD specifications and is important for my current work. At the moment, I’m unable to proceed further without this change being reviewed. Could I please ask you to take a look at this PR when you have a moment? I would really appreciate your feedback, and I’m happy to make any required changes. Thank you again for your time and support. Best regards, Nilushiya ᐧ

…

On Mon, 23 Mar 2026 at 15:42, Todd Baert ***@***.***> wrote: *toddbaert* left a comment (open-feature/flagd#1898) <#1898 (comment)> Hey @Nilushiya <https://github.com/Nilushiya> - we intentionally did not implement this so far. Hypothetically it's possible (as well as other interesting options, such as selecting flags with particular metadata or other characteristics) but I don't think we understand our use-cases well-enough now to accept this work. I would start with opening an issue, or an enhancement to this architecture document <https://github.com/open-feature/flagd/blob/main/docs/architecture-decisions/decouple-flag-source-and-set.md> to discuss justifications and options. — Reply to this email directly, view it on GitHub <#1898?email_source=notifications&email_token=AZWWC23POMVXPPGIK4UP6GL4SEEZDA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJQHE2DKMJRHAY2M4TFMFZW63VHNVSW45DJN5XKKZLWMVXHJLDGN5XXIZLSL5RWY2LDNM#issuecomment-4109451181>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZWWC26W4SMUSOSXLC2MPMD4SEEZDAVCNFSM6AAAAACWM5Z5D6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCMBZGQ2TCMJYGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>