OPA v1.17.0

[johanfylling]

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• A new future.keywords.not import that adds improved semantics to the not keyword.
• Rule Labels in Decision Logs
• Published json schema for IR and bundle manifest
• Dropped automaxprocs and x/net dependencies

Improved Negation Semantics (#8387)

This OPA release introduces a new future.keywords.not import
that fixes a long-standing semantic issue with negation in Rego.

Without the import, the compiler expands a negated composite expression like
not f(g(input.x)) into a series of sub-expressions evaluated before the
not:

__local0__ = input.x
g(__local0__, __local1__)
not f(__local1__)

If any sub-expression fails — for example, input.x is undefined or g
produces an undefined result — the entire rule fails rather than the not succeeding.
This is unintuitive: the user's intent is "the condition does not hold," but
an undefined intermediate value causes a silent failure instead of the expected
not result.

With import future.keywords.not, composite-expression negation wraps the full compiler
expansion in an implicit body:

not { __local0__ = input.x; g(__local0__, __local1__); f(__local1__) }

Now, if any sub-expression is undefined or fails, the body is unsatisfiable
and the not expression succeeds; matching the intuition that "the condition does not hold."

NOTE:

Users are recommended to import future.keywords.not whenever the not keyword is used in a policy.

Authored by @johanfylling

Rule Labels in Decision Logs (#2089)

Rule annotations now support a labels field. Labels from all successfully evaluated
rules are collected and included in each decision log entry as a top-level rule_labels
array. Each element is the merged label map for one successfully evaluated rule, with
inner-scope-wins precedence across the rule's annotation chain
(subpackages < package < document < rule). Merged maps are deduplicated
across rules so that identical label sets collapse to a single entry.

# METADATA
# scope: package
# labels:
#   service: authz
#   severity: info
package myapp

# METADATA
# labels:
#   severity: low
#   team: platform
allow if input.role == "admin"

The resulting decision log entry will contain:

{"rule_labels": [{"service": "authz", "severity": "low", "team": "platform"}]}

Note how severity: info from the package scope is overridden by severity: low from
the rule scope. Queries against rule_labels can now rely on each entry carrying the
full label context for a single rule, rather than one entry per contributing scope.

Both the runtime and the Go SDK now process metadata annotations by default.

Authored by @srenatus, reported by @tsandall

Runtime, SDK, Tooling

• ast: Allow $ref in allOf in JSON schemas (#6523) authored by @deeglaze reported by @mosiac1
• bundle: Update bundle roots conflict detection algorithm. (#8664) authored by @philipaconrad
• download: Use oras, not containerd (#8639) authored by @srenatus
• server: Remove dead code (s.partials) (#8708) authored by @srenatus
• server: Wire in response/request metadata for compile handler (#8650) authored by @srenatus
• server/types: generalize request/response metadata (#8650) authored by @srenatus

Compiler, Topdown and Rego

• builtins: Enable pattern validation in json.verify_schema and json.match_schema built-in functions (#6089) authored by @sspaink reported by @ewout8
• ir: Don't capitalize index field in MakeNumberRefStmt IR statement (#6266) authored by @sspaink reported by @johanfylling
• perf: Avoid allocating in binary and/or operators when possible (#8689) authored by @anderseknert
• rego: Allow per-eval GenerateJSON function (#8690) authored by @anderseknert

Docs, Website, Ecosystem

• ecosystem: add OPA MCP (#8618) authored by @OrygnsCode
• docs: Add explicit address binding to examples (#8688) authored by @charlieegan3
• docs: Add titles to code blocks in policy-testing (#8649) authored by @charlieegan3
• docs: Correct OCP SSH key docs (#8675) authored by @taurelius
• docs: Update diagram to match index examples (#8667) authored by @charlieegan3

Miscellaneous

• ast,storage/inmem: Add inmem.NewFromASTObject and add missing string case to ast.InternedValue (#8707) authored by @anderseknert
• build: go install -> go install tool to control checksums (#8646) authored by @srenatus
• build: Push edge binaries to bucket (#8668) authored by @charlieegan3
• workflows: Fix benchmarks workflow (replace action, avoid stackoverflow) (#8655) authored by @srenatus
• workflows: Note improvements in benchmark comments (#8673) authored by @srenatus
• Generate a JSON Schema for the IR plan (#8662) authored by @sspaink reported by @kroekle
• Generate a JSON Schema for the bundle manifest (#8661) authored by @sspaink reported by @kroekle
• Dependency updates; notably:
  • build(deps): Remove automaxprocs dependency (#8696) authored by @anderseknert
  • build(deps): Remove direct x/net dependency (#8697) authored by @anderseknert
  • build(deps): Bump github.com/bytecodealliance/wasmtime-go from 43.0.2 to 44.0.0 (8652) authored by @srenatus
  • build(deps): Bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1
  • build(deps): Bump github.com/huandu/go-sqlbuilder from 1.40.2 to 1.41.0
  • build(deps): Bump github.com/lestrrat-go/jwx/v3 from 3.1.0 to 3.1.1
  • build(deps): Bump github.com/vektah/gqlparser/v2 from 2.5.32 to 2.5.33
  • build(deps): Bump google.golang.org/grpc from 1.80.0 to 1.81.0
  • build(deps): Bump gopkg.in/ini.v1 from 1.67.1 to 1.67.2

Release notes and downloads can be found here.