Metadata blocks gets scrambled in retained Rego policy when target is Wasm

[johanfylling]

When a policy is built with wasm as target, Rego source that isn't a Wasm entrypoint is retained in .rego files in the output bundle. Any Wasm entrypoint that was "moved out" is referenced through an import statement in the retained Rego code. Comments and metadata blocks are not modified or removed in the build procedure, which means that any such statements will remain, and consequently get applied to whatever statement happened to be below the entrypoint, if any.

E.g. when the following policy is built with opa build -t wasm:

package test

a := 1

# METADATA
# title: B 
# entrypoint: true
b := 2

a_ref := a

# METADATA
# title: B_REF
# description: This meta will not be attached to anything for wasm target
b_ref := b

The resulting bundle will contain the corresponding .rego file:

package test

import data.test.b
import data.test.b_ref

a := 1

# METADATA
# title: B 
# entrypoint: true

a_ref := a

# METADATA
# title: B_REF
# description: This meta will not be attached to anything for wasm target

where the rules b and b_ref has been compiled as Wasm entrypoints, and are therefore now imported instead of defined as Rego. The metadata blocks are however left in place; making the meta for b be applied to a_ref, and the meta for b_ref not applied to anything.

Executing opa inspect -a on a bundle with metadata annotated Wasm entrypoints will have unintended output.
Any bundle with a dangling metadata block (as in the example above) will return an error:

error: bundle bundle.tar.gz: 1 error occurred: /annotated2.rego:14: rego_parse_error: invalid annotation scope ''

[johanfylling]

Suggested solution: for any package/rule that is compiled into a Wasm entrypoint, transcribe it's metadata, if any, as a JSON metadata attribute under the corresponding wasm entrypoint in the bundle's .manifest file. When executing opa inspect, also read annotations from this additional source.