runtime+config: drive annotation parsing from new configurable

...not from an extra config flag. Restores the default to `false` for
anyone not setting `opa_config.DefaultIncludeRuleMetadata` or not
configuring `include_rule_metadata: true`.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Author: srenatus

CHANGELOG.md

@@ -5,19 +5,6 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Unreleased
 
-### Runtime Defaults to Parsing Metadata Annotations
-
-The OPA runtime (server mode) now processes rule metadata annotations by default.
-Previously, annotations were only parsed when explicitly enabled or when a rule
-contained an `id` field. This ensures annotations are always available during
-evaluation, regardless of how policies are loaded (bundles, files, or watch mode).
-
-To restore the previous behavior, set `skip_annotation_processing` in the configuration:
-
-```yaml
-skip_annotation_processing: true
-```
-
 ### Evaluated Rules in Decision Logs and API Responses
 
 Rules can now be annotated with a metadata `id` field. When any loaded policy contains

docs/docs/configuration.md

@@ -1036,8 +1036,7 @@ The `server` configuration sets:
 | `persistence_directory`          | `string`  | No (default `$PWD/.opa`)            | Set directory to use for persistence with options like `bundles[_].persist`.                                                                                                                                                                                                            |
 | `plugins`                        | `object`  | No (default: `{}`)                  | Location for custom plugin configuration.                                                                                                                                                                                                                                               |
 | `nd_builtin_cache`               | `boolean` | No (default: `false`)               | Enable the non-deterministic builtins caching system during policy evaluation, and include the contents of the cache in decision logs. Note that decision logs that are larger than `upload_size_limit_bytes` will drop the `nd_builtin_cache` key from the log entry before uploading. |
-| `skip_annotation_processing`     | `boolean` | No (default: `false`)               | Disable metadata annotation processing during policy parsing. By default, the runtime processes annotations so they are available during evaluation.                                                                                                                                    |
-| `include_rule_metadata`          | `boolean` | No (default: `false`)               | Include custom metadata from evaluated rule annotations in decision logs. When enabled, the `custom` field of each decision log entry will contain a `rule_metadata` key with the custom annotation fields of all successfully evaluated rules.                                          |
+| `include_rule_metadata`          | `boolean` | No (default: `false`)               | Include custom metadata from evaluated rule annotations in decision logs. When enabled, the `custom` field of each decision log entry will contain a `rule_metadata` key with the custom annotation fields of all successfully evaluated rules. Implies annotation processing.          |
 
 ## Using Environment Variables in Configuration
 

v1/config/config.go

@@ -102,7 +102,6 @@ type Config struct {
 	DefaultAuthorizationDecision *string                    `json:"default_authorization_decision,omitempty"`
 	Caching                      json.RawMessage            `json:"caching,omitempty"`
 	NDBuiltinCache               bool                       `json:"nd_builtin_cache,omitempty"`
-	SkipAnnotationProcessing     bool                       `json:"skip_annotation_processing,omitempty"`
 	IncludeRuleMetadata          bool                       `json:"include_rule_metadata,omitempty"`
 	PersistenceDirectory         *string                    `json:"persistence_directory,omitempty"`
 	DistributedTracing           json.RawMessage            `json:"distributed_tracing,omitempty"`
@@ -185,11 +184,6 @@ func (c Config) NDBuiltinCacheEnabled() bool {
 	return c.NDBuiltinCache
 }
 
-// AnnotationProcessingSkipped returns true if annotation processing should be disabled.
-func (c Config) AnnotationProcessingSkipped() bool {
-	return c.SkipAnnotationProcessing
-}
-
 // GetPersistenceDirectory returns the configured persistence directory, or $PWD/.opa if none is configured
 func (c Config) GetPersistenceDirectory() (string, error) {
 	if c.PersistenceDirectory == nil {
@@ -240,12 +234,11 @@ func (c *Config) Clone() *Config {
 	}
 
 	clone := &Config{
-		NDBuiltinCache:           c.NDBuiltinCache,
-		SkipAnnotationProcessing: c.SkipAnnotationProcessing,
-		IncludeRuleMetadata:      c.IncludeRuleMetadata,
-		Server:                   c.Server.Clone(),
-		Storage:                  c.Storage.Clone(),
-		Labels:                   maps.Clone(c.Labels),
+		NDBuiltinCache:      c.NDBuiltinCache,
+		IncludeRuleMetadata: c.IncludeRuleMetadata,
+		Server:              c.Server.Clone(),
+		Storage:             c.Storage.Clone(),
+		Labels:              maps.Clone(c.Labels),
 	}
 
 	if c.Services != nil {

v1/config/default.go

@@ -5,6 +5,7 @@
 package config
 
 // DefaultIncludeRuleMetadata controls whether custom metadata from rule annotations
-// is included in decision logs by default. Embedding projects can set this to true
-// via an init() function or linker flag to change the default.
+// is included in decision logs by default. When true, this also enables annotation
+// processing during policy parsing. Embedding projects can set this to true via an
+// init() function to change the default.
 var DefaultIncludeRuleMetadata bool

v1/plugins/plugins.go

@@ -562,6 +562,10 @@ func New(raw []byte, id string, store storage.Store, opts ...func(*Manager)) (*M
 		m.parserOptions.RegoVersion = ast.DefaultRegoVersion
 	}
 
+	if parsedConfig.IncludeRuleMetadata {
+		m.parserOptions.ProcessAnnotation = true
+	}
+
 	if m.logger == nil {
 		m.logger = logging.Get()
 	}

v1/runtime/runtime.go

@@ -291,10 +291,6 @@ type Params struct {
 	// NDBCacheEnabled allows enabling the non-deterministic builtin cache globally.
 	NDBCacheEnabled bool
 
-	// SkipAnnotationProcessing disables metadata annotation processing during policy parsing.
-	// By default, the runtime processes annotations. Set this to true to restore the old behavior.
-	SkipAnnotationProcessing bool
-
 	// IncludeRuleMetadataInDecisionLogs enables carry-over of custom metadata fields
 	// from evaluated rule annotations into the decision log "custom" field.
 	IncludeRuleMetadataInDecisionLogs bool
@@ -313,9 +309,9 @@ func (p *Params) regoVersion() ast.RegoVersion {
 	return ast.DefaultRegoVersion
 }
 
-func (p *Params) parserOptions(skipAnnotations bool) ast.ParserOptions {
+func (p *Params) parserOptions() ast.ParserOptions {
 	return ast.ParserOptions{
-		ProcessAnnotation: !skipAnnotations,
+		ProcessAnnotation: opa_config.DefaultIncludeRuleMetadata || p.IncludeRuleMetadataInDecisionLogs,
 		RegoVersion:       p.regoVersion(),
 	}
 }
@@ -441,7 +437,7 @@ func NewRuntime(ctx context.Context, params Params) (*Runtime, error) {
 
 	regoVersion := params.regoVersion()
 
-	loaded, err := initload.LoadPathsForRegoVersion(regoVersion, params.Paths, params.Filter, params.BundleMode, params.BundleVerificationConfig, params.SkipBundleVerification, params.BundleLazyLoadingMode, !params.SkipAnnotationProcessing, false, nil, nil)
+	loaded, err := initload.LoadPathsForRegoVersion(regoVersion, params.Paths, params.Filter, params.BundleMode, params.BundleVerificationConfig, params.SkipBundleVerification, params.BundleLazyLoadingMode, opa_config.DefaultIncludeRuleMetadata || params.IncludeRuleMetadataInDecisionLogs, false, nil, nil)
 	if err != nil {
 		return nil, fmt.Errorf("load error: %w", err)
 	}
@@ -533,7 +529,7 @@ func NewRuntime(ctx context.Context, params Params) (*Runtime, error) {
 		plugins.WithPrometheusRegister(metrics),
 		plugins.WithTracerProvider(tracerProvider),
 		plugins.WithEnableVersionCheck(params.EnableVersionCheck),
-		plugins.WithParserOptions(params.parserOptions(params.SkipAnnotationProcessing)),
+		plugins.WithParserOptions(params.parserOptions()),
 		plugins.WithDistributedTracingOpts(params.DistributedTracingOpts),
 		plugins.WithBundleActivatorPlugin(params.BundleActivatorPlugin),
 		plugins.WithHooks(params.Hooks),

v1/server/server.go

@@ -450,14 +450,10 @@ func (s *Server) WithIncludeRuleMetadata(include bool) *Server {
 }
 
 func (s *Server) newEvaluatedRuleTracker(force bool) *topdown.EvaluatedRuleTracker {
-	if !force && !s.evaluatedRulesEnabled && !s.hasExternalSources() && !s.includeRuleMetadata {
-		return nil
-	}
-	t := &topdown.EvaluatedRuleTracker{}
-	if s.includeRuleMetadata {
-		t.CollectCustom = true
+	if force || s.evaluatedRulesEnabled || s.includeRuleMetadata {
+		return &topdown.EvaluatedRuleTracker{CollectCustom: s.includeRuleMetadata}
 	}
-	return t
+	return nil
 }
 
 func compilerHasRuleIDs(c *ast.Compiler) bool {
@@ -476,10 +472,6 @@ func compilerHasRuleIDs(c *ast.Compiler) bool {
 	return false
 }
 
-func (s *Server) hasExternalSources() bool {
-	return s.manager.GetExternalSources() != nil && s.manager.GetExternalSources().Len() > 0
-}
-
 func evaluatedRuleIDs(t *topdown.EvaluatedRuleTracker) []string {
 	if t == nil || len(t.IDs) == 0 {
 		return nil