pivot: remove id, rely on labels only. enable annotations by default

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Author: srenatus

CHANGELOG.md

@@ -5,24 +5,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Unreleased
 
-### Evaluated Rules in Decision Logs and API Responses
-
-Rules can now be annotated with a metadata `id` field. When any loaded policy contains
-rules with `id` annotations, the IDs of successfully evaluated rules are automatically
-included in decision log events (as `ids`). Additionally, the Data API supports a `?ids`
-query parameter to include the same information directly in the response payload.
-Duplicate IDs from functions called multiple times are suppressed.
-
-```rego
-# METADATA
-# id: allow-admin
-allow if input.role == "admin"
-```
-
-When external rule sources are registered, rule tracking is always enabled so that
-externally-provided rules with `id` annotations are recorded.
-
-### Rule Labels in Metadata and Decision Logs
+### Rule Labels in Decision Logs
 
 Rule annotations now support a `labels` field. When `include_rule_metadata` is enabled,
 labels from all successfully evaluated rules are collected and included in each decision
@@ -35,7 +18,6 @@ include_rule_metadata: true
 
 ```rego
 # METADATA
-# id: allow-admin
 # labels:
 #   severity: low
 #   team: platform
@@ -48,12 +30,8 @@ The resulting decision log entry will contain:
 {"rule_labels": [{"severity": "low", "team": "platform"}]}
 ```
 
-Embedding projects can change the default by setting `config.DefaultIncludeRuleMetadata = true`.
-
-Note: when using `include_rule_metadata` via the configuration file, policies must be loaded
-via the bundle plugin (i.e. configured through `services` and `bundles` in the config) for
-annotations to be processed correctly. Policies loaded from command-line paths are parsed
-before the configuration is available.
+The runtime now processes metadata annotations by default, so labels are always
+available regardless of how policies are loaded.
 
 ## 1.16.1
 

e2e/cli/evaluated_rules.txtar

@@ -1,4 +1,4 @@
-# Verify that evaluated rule IDs appear in decision logs written via the
+# Verify that rule labels appear in decision logs written via the
 # file_logger plugin (slog-based path).
 
 exec $OPA build -o bundles/bundle.tar.gz --bundle policy/
@@ -8,7 +8,7 @@ http_server bundles
 exec $OPA run --server --addr unix://opa.sock --log-format json --log-level info --config-file config.yaml &opa&
 retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 
-# POST to v1/data — rule with id "allow-admin" should be evaluated.
+# POST to v1/data — rule with labels should be evaluated.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
 jq stdout '.result == true'
 
@@ -19,11 +19,11 @@ jq stdout '.result == false'
 kill -INT opa
 wait opa
 
-# Decision log file should contain ids for the admin request.
-jq -s decisions.log '[.[] | select(.ids == ["allow-admin"])] | length == 1'
+# Decision log file should contain rule_labels for the admin request.
+jq -s decisions.log '[.[] | select(.rule_labels == [{"severity": "low"}])] | length == 1'
 
-# Decision log file should have an entry without ids for the guest request.
-jq -s decisions.log '[.[] | select(.path == "authz/allow" and (.ids == null))] | length == 1'
+# Decision log file should have an entry without rule_labels for the guest request.
+jq -s decisions.log '[.[] | select(.path == "authz/allow" and (.rule_labels == null))] | length == 1'
 
 -- config.yaml --
 include_rule_metadata: true
@@ -49,11 +49,13 @@ package authz
 default allow := false
 
 # METADATA
-# id: allow-admin
+# labels:
+#   severity: low
 allow if input.role == "admin"
 
 # METADATA
-# id: allow-editor
+# labels:
+#   severity: low
 allow if input.role == "editor"
 
 -- bundles/.gitkeep --

e2e/cli/evaluated_rules_file_logger.txtar e2e/cli/rule_labels_file_logger.txtare2e/cli/evaluated_rules_file_logger.txtar renamed to e2e/cli/rule_labels_file_logger.txtar

@@ -12,7 +12,7 @@ retry curl -sf --unix-socket opa.sock 'http://localhost/health?bundles'
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin"}}' http://localhost/v1/data/authz/allow
 jq stdout '.result == true'
 
-# Evaluate violations — triggers both violation rules
+# Evaluate violations — triggers both violation rules; labels collected per-rule.
 exec curl -sf --unix-socket opa.sock -H 'Content-Type: application/json' -d '{"input": {"role": "admin", "dept": "eng"}}' http://localhost/v1/data/authz/violations
 jq stdout '.result | length == 2'
 
@@ -46,26 +46,22 @@ package authz
 default allow := false
 
 # METADATA
-# id: allow-admin
 # labels:
 #   severity: low
 allow if input.role == "admin"
 
 # METADATA
-# id: allow-editor
 # labels:
 #   severity: low
 allow if input.role == "editor"
 
 # METADATA
-# id: no-admin-role
 # labels:
 #   severity: high
 #   category: compliance
 violations contains "admin role is restricted" if input.role == "admin"
 
 # METADATA
-# id: no-admin-in-eng
 # labels:
 #   severity: critical
 #   category: org-policy

e2e/cli/rule_metadata_dl.txtar

@@ -27,7 +27,6 @@ type (
 	// Annotations represents metadata attached to other AST nodes such as rules.
 	Annotations struct {
 		Scope            string                       `json:"scope"`
-		ID               string                       `json:"id,omitempty"`
 		Title            string                       `json:"title,omitempty"`
 		Entrypoint       bool                         `json:"entrypoint,omitempty"`
 		Description      string                       `json:"description,omitempty"`
@@ -135,10 +134,6 @@ func (a *Annotations) Compare(other *Annotations) int {
 		return cmp
 	}
 
-	if cmp := strings.Compare(a.ID, other.ID); cmp != 0 {
-		return cmp
-	}
-
 	if cmp := strings.Compare(a.Title, other.Title); cmp != 0 {
 		return cmp
 	}
@@ -206,10 +201,6 @@ func (a *Annotations) MarshalJSON() ([]byte, error) {
 		"scope": a.Scope,
 	}
 
-	if a.ID != "" {
-		data["id"] = a.ID
-	}
-
 	if a.Title != "" {
 		data["title"] = a.Title
 	}
@@ -458,10 +449,6 @@ func (a *Annotations) toObject() (*Object, *Error) {
 		obj.Insert(InternedTerm("scope"), InternedTerm(a.Scope))
 	}
 
-	if len(a.ID) > 0 {
-		obj.Insert(InternedTerm("id"), StringTerm(a.ID))
-	}
-
 	if len(a.Title) > 0 {
 		obj.Insert(InternedTerm("title"), StringTerm(a.Title))
 	}
@@ -620,10 +607,6 @@ func attachAnnotationsNodes(mod *Module) Errors {
 		if err := validateAnnotationEntrypointAttachment(a); err != nil {
 			errs = append(errs, err)
 		}
-
-		if err := validateAnnotationIDAttachment(a); err != nil {
-			errs = append(errs, err)
-		}
 	}
 
 	return errs
@@ -656,14 +639,6 @@ func validateAnnotationEntrypointAttachment(a *Annotations) *Error {
 	return nil
 }
 
-func validateAnnotationIDAttachment(a *Annotations) *Error {
-	if a.ID != "" && a.Scope != annotationScopeRule {
-		return NewError(
-			ParseErr, a.Loc(), "annotation id applied to non-rule scope '%v'", a.Scope)
-	}
-	return nil
-}
-
 // Copy returns a deep copy of a.
 func (a *AuthorAnnotation) Copy() *AuthorAnnotation {
 	cpy := *a

v1/ast/annotations.go

@@ -2815,7 +2815,6 @@ func (p *Parser) validateDefaultRuleArgs(rule *Rule) bool {
 // which isn't handled properly by json for some reason.
 type rawAnnotation struct {
 	Scope            string           `yaml:"scope"`
-	ID               string           `yaml:"id"`
 	Title            string           `yaml:"title"`
 	Entrypoint       bool             `yaml:"entrypoint"`
 	Description      string           `yaml:"description"`
@@ -2881,7 +2880,6 @@ func (b *metadataParser) Parse() (result *Annotations, err error) {
 	result = &Annotations{
 		comments:      b.comments,
 		Scope:         raw.Scope,
-		ID:            raw.ID,
 		Entrypoint:    raw.Entrypoint,
 		Title:         raw.Title,
 		Description:   raw.Description,

v1/ast/parser.go

@@ -10,11 +10,3 @@ const (
 	// DefaultMinTLSVersion is the minimum TLS version used by OPA server and REST clients
 	DefaultMinTLSVersion = tls.VersionTLS12
 )
-
-var (
-	// DefaultIncludeRuleMetadata controls whether custom metadata from rule annotations
-	// is included in decision logs by default. When true, this also enables annotation
-	// processing during policy parsing. Embedding projects can set this to true via an
-	// init() function to change the default.
-	DefaultIncludeRuleMetadata bool
-)

v1/config/default.go

@@ -68,7 +68,6 @@ type EventV1 struct {
 	Timestamp           time.Time               `json:"timestamp"`
 	Metrics             map[string]any          `json:"metrics,omitempty"`
 	RequestID           uint64                  `json:"req_id,omitempty"`
-	IDs                 []string                `json:"ids,omitempty"`
 	RuleLabels          []map[string]any        `json:"rule_labels,omitempty"`
 	RequestContext      *RequestContext         `json:"request_context,omitempty"`
 	Custom              map[string]any          `json:"custom,omitempty"`
@@ -211,14 +210,6 @@ func (e *EventV1) AST() (ast.Value, error) {
 		event.Insert(ast.InternedTerm("requested_by"), ast.StringTerm(e.RequestedBy))
 	}
 
-	if len(e.IDs) > 0 {
-		evaluatedRules := make([]*ast.Term, len(e.IDs))
-		for i, v := range e.IDs {
-			evaluatedRules[i] = ast.StringTerm(v)
-		}
-		event.Insert(ast.InternedTerm("ids"), ast.ArrayTerm(evaluatedRules...))
-	}
-
 	if len(e.RuleLabels) > 0 {
 		v, err := ast.InterfaceToValue(e.RuleLabels)
 		if err == nil {
@@ -746,7 +737,6 @@ func (p *Plugin) Log(ctx context.Context, decision *server.Info) error {
 		RequestedBy:         decision.RemoteAddr,
 		Timestamp:           decision.Timestamp,
 		RequestID:           decision.RequestID,
-		IDs:                 decision.EvaluatedRuleIDs,
 		RuleLabels:          decision.EvaluatedRuleLabels,
 		inputAST:            decision.InputAST,
 		Custom:              decision.Custom,
@@ -1242,7 +1232,6 @@ func eventToAttrs(event EventV1) []slog.Attr {
 		attrs = append(attrs, slog.Any("request_context", event.RequestContext))
 	}
 
-	addAttrIfSliceNotEmpty(&attrs, "ids", event.IDs)
 	addAttrIfSliceNotEmpty(&attrs, "rule_labels", event.RuleLabels)
 	addAttrIfHasLen(&attrs, "custom", event.Custom)
 
@@ -1364,7 +1353,6 @@ func eventToFields(event EventV1) map[string]any {
 		fields["request_context"] = event.RequestContext
 	}
 
-	addIfSliceNotEmpty(fields, "ids", stringsToAny(event.IDs))
 
 	if len(event.RuleLabels) > 0 {
 		var v any = event.RuleLabels