OPA Rego Policy Path
Huzefaaa2 edited this page Jul 4, 2026 · 1 revision
CAVRA policies remain authored as versioned YAML policy packs. The OPA/Rego policy path exports those packs into Rego modules, JSON data, OPA input fixtures, parity reports, and policy manifests without replacing the existing Python runtime engine.
- YAML policy remains the source of truth.
- Generated Rego is Git-versioned and reviewable.
- OPA input fixtures are public-safe and repeatable.
- Python runtime decisions and Rego-compatible decisions are parity tested.
- Enterprise deployments can attach private CI, review, rollback, and runtime evidence without exposing private policy packs.
```bash
cavra policy rego-export \
  --policy-pack cavra-ai-agent-baseline \
  --output-dir dist/opa-rego
```

The export writes:

- `cavra_policy.rego`
- `data.json`
- `opa-input-fixtures.json`
- `rego-parity-report.json`
- `policy-version-manifest.json`
```bash
cavra policy rego-test --policy-pack cavra-ai-agent-baseline
```

The parity suite covers sensitive file reads, policy writes, Terraform plan/apply, protected-branch pushes, and unknown MCP filesystem servers.
```bash
opa check examples/opa-rego/generated/cavra_policy.rego
opa eval \
  --data examples/opa-rego/generated/cavra_policy.rego \
  --data examples/opa-rego/generated/data.json \
  --input examples/opa-rego/input.block-env-read.json \
  'data.cavra.policy.decision'
```

OPA is optional for public Python CI, but operators can use it in policy review workflows.
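Added example (not part of the CAVRA project): one way a review workflow could consume the JSON output of the `opa eval` command above and report an undefined `data.cavra.policy.decision` as a parity failure instead of reading it as a pass. The `"block"`/`"allow"` decision values, the `constructed-*` fixture names, and the helper names are assumptions; the real shape of the decision document is not shown on this page.

```python
import json

QUERY = "data.cavra.policy.decision"  # query used on this page


class UndefinedDecision(Exception):
    """OPA evaluated the query but no rule produced a value."""


def extract_decision(opa_stdout: str):
    """Return the value of the single query expression from `opa eval` JSON.

    `opa eval` prints `{}` and exits 0 when the query is undefined, so an
    absent result has to be handled explicitly rather than read as "no block".
    """
    doc = json.loads(opa_stdout)
    results = doc.get("result") or []
    if not results:
        raise UndefinedDecision(QUERY)
    expressions = results[0].get("expressions") or []
    if len(expressions) != 1:
        raise ValueError(f"expected one expression, got {len(expressions)}")
    return expressions[0]["value"]


def compare(cases):
    """Return (fixture, reason) for each (fixture, expected, stdout) not in parity."""
    failures = []
    for name, expected, stdout in cases:
        try:
            actual = extract_decision(stdout)
        except UndefinedDecision:
            failures.append((name, "undefined decision"))
            continue
        if actual != expected:
            failures.append((name, f"expected {expected!r}, got {actual!r}"))
    return failures


# Constructed sample outputs; the decision strings are assumed values.
BLOCK = json.dumps({"result": [{"expressions": [{"value": "block", "text": QUERY}]}]})
SAMPLE_CASES = [
    ("input.block-env-read.json", "block", BLOCK),  # in parity
    ("constructed-drift.json", "allow", BLOCK),     # expected and Rego disagree
    ("constructed-undefined.json", "block", "{}"),  # no rule matched
]
```

Passing `--fail` to `opa eval` makes the CLI itself exit non-zero on an undefined result, which gives a CI job the same guarantee without parsing.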
```bash
python3 scripts/validate_opa_rego_policy.py \
  --packet examples/opa-rego/enterprise-opa-rego-policy.live.sanitized.example.json \
  --require-live
```

The live gate passes when:

```text
ready_for_live_opa_rego_policy_path: true
blocker_count: 0
```
Enterprise deployments still provide private policy repository links, approval workflow evidence, CI run references, OPA runtime deployment evidence, and rollback evidence inside the customer evidence room.
CAVRA Field Compass
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
Source repository: github.com/Huzefaaa2/cavra