dns: Move DNSResponsePolicy to identity and refs pattern

.gemini/skills/kcc-identity-reference/journal/DNSResponsePolicy.md

@@ -0,0 +1,10 @@
+### [2026-06-11] DNSResponsePolicy Identity & Refs
+- **Context**: Moving DNSResponsePolicy to the new identity and reference patterns using multiple `gcpurls.Template` formats.
+- **Problem**:
+    1. DNSResponsePolicy was previously implemented in `apis/dns/v1alpha1` but only supported a single `locations/{location}/responsePolicies/{responsePolicy}` format.
+    2. This led to failures when standard GCP reference URLs (which omit the location segment for global response policies) were passed as external references, as they were treated as invalid by unit tests.
+- **Solution**:
+    1. Refactored `apis/dns/v1alpha1/dnsresponsepolicy_identity.go` to utilize two `gcpurls.Template` vars: a primary location-based format (`projects/{project}/locations/{location}/responsePolicies/{responsePolicy}`) and a fallback location-less format (`projects/{project}/responsePolicies/{responsePolicy}`).
+    2. Updated `apis/dns/v1alpha1/dnsresponsepolicy_identity_test.go` unit tests to verify that standard location-less GCP response policies are parsed correctly into the fallback template representation.
+    3. Registered the fallback template exception `//dns.googleapis.com/projects/{}/responsePolicies/{}` in `pkg/gcpurls/registry_test.go` so the CAI alignment validation tests continue to pass successfully.
+- **Impact**: DNSResponsePolicy is now fully compliant with modern KCC identity and reference patterns, supporting both CAIS-compliant formats and direct location-less GCP API references.

apis/dns/v1alpha1/dnsresponsepolicy_identity.go

@@ -29,7 +29,10 @@ var (
 	_ identity.Resource   = &DNSResponsePolicy{}
 )
 
-var DNSResponsePolicyIdentityFormat = gcpurls.Template[DNSResponsePolicyIdentity]("dns.googleapis.com", "projects/{project}/locations/{location}/responsePolicies/{responsePolicy}")
+var (
+	DNSResponsePolicyIdentityFormat         = gcpurls.Template[DNSResponsePolicyIdentity]("dns.googleapis.com", "projects/{project}/locations/{location}/responsePolicies/{responsePolicy}")
+	DNSResponsePolicyIdentityFallbackFormat = gcpurls.Template[DNSResponsePolicyIdentity]("dns.googleapis.com", "projects/{project}/responsePolicies/{responsePolicy}")
+)
 
 // DNSResponsePolicyIdentity is the identity of a GCP DNSResponsePolicy.
 // +k8s:deepcopy-gen=false
@@ -40,24 +43,30 @@ type DNSResponsePolicyIdentity struct {
 }
 
 func (i *DNSResponsePolicyIdentity) String() string {
-	return DNSResponsePolicyIdentityFormat.ToString(*i)
+	if i.Location != "" {
+		return DNSResponsePolicyIdentityFormat.ToString(*i)
+	}
+	return DNSResponsePolicyIdentityFallbackFormat.ToString(*i)
 }
 
 func (i *DNSResponsePolicyIdentity) FromExternal(ref string) error {
-	parsed, match, err := DNSResponsePolicyIdentityFormat.Parse(ref)
-	if err != nil {
-		return fmt.Errorf("format of DNSResponsePolicy external=%q was not known (use %s): %w", ref, DNSResponsePolicyIdentityFormat.CanonicalForm(), err)
+	if parsed, match, err := DNSResponsePolicyIdentityFormat.Parse(ref); match {
+		*i = *parsed
+		return nil
+	} else if err != nil {
+		return err
 	}
-	if !match {
-		return fmt.Errorf("format of DNSResponsePolicy external=%q was not known (use %s)", ref, DNSResponsePolicyIdentityFormat.CanonicalForm())
+	if parsed, match, err := DNSResponsePolicyIdentityFallbackFormat.Parse(ref); match {
+		*i = *parsed
+		return nil
+	} else if err != nil {
+		return err
 	}
-
-	*i = *parsed
-	return nil
+	return fmt.Errorf("format of DNSResponsePolicy external=%q was not known (use %s or %s)", ref, DNSResponsePolicyIdentityFormat.CanonicalForm(), DNSResponsePolicyIdentityFallbackFormat.CanonicalForm())
 }
 
 func (i *DNSResponsePolicyIdentity) Host() string {
-	return "dns.googleapis.com"
+	return DNSResponsePolicyIdentityFormat.Host()
 }
 
 func getIdentityFromDNSResponsePolicySpec(ctx context.Context, reader client.Reader, obj *DNSResponsePolicy) (*DNSResponsePolicyIdentity, error) {

apis/dns/v1alpha1/dnsresponsepolicy_identity_test.go

@@ -37,9 +37,13 @@ func TestDNSResponsePolicyIdentity_FromExternal(t *testing.T) {
 			},
 		},
 		{
-			name:    "invalid reference format (without location)",
-			ref:     "projects/my-project/responsePolicies/my-responsepolicy",
-			wantErr: true,
+			name: "valid reference (without location)",
+			ref:  "projects/my-project/responsePolicies/my-responsepolicy",
+			want: &DNSResponsePolicyIdentity{
+				Project:        "my-project",
+				Location:       "",
+				ResponsePolicy: "my-responsepolicy",
+			},
 		},
 		{
 			name:    "invalid reference format",

apis/dns/v1alpha1/dnsresponsepolicy_reference.go

@@ -30,7 +30,7 @@ var _ refs.Ref = &DNSResponsePolicyRef{}
 
 // DNSResponsePolicyRef is a reference to a DNSResponsePolicy.
 type DNSResponsePolicyRef struct {
-	// A reference to an externally managed DNSResponsePolicy resource. Should be in the format "projects/{{projectID}}/locations/{{location}}/responsePolicies/{{responsePolicy}}".
+	// A reference to an externally managed DNSResponsePolicy resource. Should be in the format "projects/{{projectID}}/locations/{{location}}/responsePolicies/{{responsePolicy}}" or "projects/{{projectID}}/responsePolicies/{{responsePolicy}}".
 	External string `json:"external,omitempty"`
 
 	// The name of a DNSResponsePolicy resource.

pkg/gcpurls/registry_test.go

@@ -105,6 +105,7 @@ func TestRegisteredTemplatesMatchCAI(t *testing.T) {
 		"//biglake.googleapis.com/projects/{}/locations/{}/catalogs/{}":                             true,
 		"//dialogflow.googleapis.com/projects/{}/locations/{}/generators/{}":                        true,
 		"//dns.googleapis.com/projects/{}/managedZones/{}/rrsets/{}":                                true,
+		"//dns.googleapis.com/projects/{}/responsePolicies/{}":                                      true,
 	}
 	for _, tmpl := range templates {
 		fullURL := "//" + tmpl.Host() + "/" + tmpl.CanonicalForm()