build(deps): bump the build group across 8 directories with 6 updates

[dependabot]

Bumps the build group with 1 update in the /examples/go-grpc directory: google.golang.org/grpc.
Bumps the build group with 1 update in the /examples/go-rego directory: github.com/open-policy-agent/opa.
Bumps the build group with 1 update in the /examples/go-rego-with-store directory: github.com/open-policy-agent/opa.
Bumps the build group with 1 update in the /examples/go-sdk directory: github.com/open-policy-agent/opa.
Bumps the build group with 1 update in the /examples/go-sdk-with-store directory: github.com/open-policy-agent/opa.
Bumps the build group with 1 update in the /examples/regal directory: github.com/open-policy-agent/regal.
Bumps the build group with 1 update in the /examples/rego directory: github.com/open-policy-agent/opa.
Bumps the build group with 4 updates in the /examples/sdk directory: github.com/open-policy-agent/opa, github.com/hashicorp/vault/api, github.com/testcontainers/testcontainers-go and github.com/testcontainers/testcontainers-go/modules/vault.

Updates google.golang.org/grpc from 1.78.0 to 1.81.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.1

Security

• xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per gRFC A41. (#9111)
  • Special Thanks: @​al4an444

Bug Fixes

• otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. (#9081)

Release 1.81.0

Behavior Changes

• balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

• Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

• xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
• transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
• xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

• grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
• xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
• xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
• xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
• stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
• mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)
  • Special Thanks: @​ash2k

Performance Improvements

• alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
• transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)

Release 1.80.0

Behavior Changes

• balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see #5288 for details. (#8837)
• xds: update resource error handling and re-resolution logic (#8907)
  • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
  • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

... (truncated)

Commits

• caf0772 Change version from 1.81.1-dev to 1.81.1 (#9122)
• 6ccbeeb Cherry-pick #9111 into v1.81.x (#9121)
• b33c29e Cherry-pick #9081 into v1.81.x (#9102)
• c45fae6 Change version to 1.81.1-dev (#9063)
• cb18228 Change version to 1.81.0 (#9062)
• 96748f9 Cherry-pick #9105 to 1.81.x (#9106)
• 9183222 Cherry pick #9055, #9032 to v1.81.x (#9095)
• 5cba6da Revert "deps: update dependencies for all modules (#9065)" (#9067)
• af8a936 deps: update dependencies for all modules (#9065)
• cdc60df transport: optimize heap allocations in ready reader and update syscall conne...
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels array. Each element is the merged label map for one successfully evaluated rule, with

... (truncated)

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.17.0

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like not f(g(input.x)) into a series of sub-expressions evaluated before the not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g produces an undefined result — the entire rule fails rather than the not succeeding. This is unintuitive: the user's intent is "the condition does not hold," but an undefined intermediate value causes a silent failure instead of the expected not result.

With import future.keywords.not, composite-expression negation wraps the full compiler expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @​johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated rules are collected and included in each decision log entry as a top-level rule_labels

... (truncated)

Commits

• 64a3625 Release v1.17.0 (#8710)
• 68c9de5 benchmarks: tweak per-PR benchmark regression check based on pr-check
• 7fe3066 server: remove dead code (s.partials) (#8708)
• 37830be ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case t...
• 1661f22 ast: add some schema $ref tests
• 3e22f56 benchmarks: only run for go changes
• 13aaeab benchmarks: move env vars, remove zizmor-ignore comment
• 93e1708 benchmarks: fix PR message, skip tests
• 4ce3991 benchmarks: use go tool machinery, add benchstat
• 41df8df benchmarks: use benchlab for per-PR feedback
• Additional commits viewable in compare view

Updates github.com/open-policy-agent/opa from 1.13.1 to 1.17.0

Release notes

Sourced from github.com/open-policy-agent/opa's releases.

v1.17.0

This release contains a mix of new features, performance improvem...

Description has been truncated