OPA Rego Policy Path

Huzefaaa2 edited this page Jul 4, 2026 · 1 revision

OPA/Rego Policy Path

CAVRA policies remain authored as versioned YAML policy packs. The OPA/Rego policy path exports those packs into Rego modules, JSON data, OPA input fixtures, parity reports, and policy manifests without replacing the existing Python runtime engine.

What This Adds

  • YAML policy remains the source of truth.
  • Generated Rego is Git-versioned and reviewable.
  • OPA input fixtures are public-safe and repeatable.
  • Python runtime decisions and Rego-compatible decisions are parity tested.
  • Enterprise deployments can attach private CI, review, rollback, and runtime evidence without exposing private policy packs.

Export

cavra policy rego-export \
  --policy-pack cavra-ai-agent-baseline \
  --output-dir dist/opa-rego

The export writes:

  • cavra_policy.rego
  • data.json
  • opa-input-fixtures.json
  • rego-parity-report.json
  • policy-version-manifest.json

Test Parity

cavra policy rego-test --policy-pack cavra-ai-agent-baseline

The parity suite covers sensitive file reads, policy writes, Terraform plan/apply, protected-branch pushes, and unknown MCP filesystem servers.
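As an added illustration of what a parity test does (constructed example, not CAVRA's engine, its YAML schema or its generated Rego): a minimal ordered-rule evaluator stands in for the Python runtime, and each fixture carries an `expected_rego` decision standing in for the value recorded from `opa eval`. The pack, fixture names and field names are assumptions; the categories mirror the ones listed above, and one fixture is deliberately drifted so the report shows how a mismatch surfaces.

```python
"""Parity check between a minimal Python policy evaluator and recorded Rego decisions.

Constructed illustration only: the policy pack, evaluator and fixtures are
hypothetical and are not CAVRA's engine, its YAML schema or its generated Rego.
The "expected_rego" values stand in for decisions recorded from `opa eval`.
"""
import fnmatch
import json

# Constructed policy pack. Rules are evaluated in order; the first match wins.
POLICY_PACK = {
    "name": "example-baseline",
    "version": "1.0.0",
    "default": "allow",
    "rules": [
        {"id": "deny-sensitive-file-read", "action": "fs.read",
         "match": {"path": ["*/.env", "*/.ssh/*"]}, "decision": "block"},
        {"id": "require-approval-terraform-apply", "action": "terraform.apply",
         "match": {}, "decision": "require_approval"},
        {"id": "deny-protected-branch-push", "action": "git.push",
         "match": {"branch": ["main", "release/*"]}, "decision": "block"},
        {"id": "allow-approved-mcp-filesystem", "action": "mcp.connect",
         "match": {"server": ["filesystem-approved"]}, "decision": "allow"},
        {"id": "deny-unknown-mcp-filesystem", "action": "mcp.connect",
         "match": {"server": ["filesystem-*"]}, "decision": "block"},
    ],
}

# Constructed OPA-style input fixtures; "expected_rego" is what the Rego side returned.
FIXTURES = [
    {"name": "block-env-read", "input": {"action": "fs.read", "path": "/srv/app/.env"},
     "expected_rego": {"decision": "block", "rule_id": "deny-sensitive-file-read"}},
    {"name": "allow-readme-read", "input": {"action": "fs.read", "path": "/srv/app/README.md"},
     "expected_rego": {"decision": "allow", "rule_id": None}},
    {"name": "terraform-apply", "input": {"action": "terraform.apply", "workspace": "prod"},
     "expected_rego": {"decision": "require_approval", "rule_id": "require-approval-terraform-apply"}},
    {"name": "push-main", "input": {"action": "git.push", "branch": "main"},
     "expected_rego": {"decision": "block", "rule_id": "deny-protected-branch-push"}},
    {"name": "push-feature", "input": {"action": "git.push", "branch": "feature/login"},
     "expected_rego": {"decision": "allow", "rule_id": None}},
    {"name": "approved-mcp-fs", "input": {"action": "mcp.connect", "server": "filesystem-approved"},
     "expected_rego": {"decision": "allow", "rule_id": "allow-approved-mcp-filesystem"}},
    {"name": "unknown-mcp-fs", "input": {"action": "mcp.connect", "server": "filesystem-scratch"},
     "expected_rego": {"decision": "block", "rule_id": "deny-unknown-mcp-filesystem"}},
    # Deliberate drift: the recorded Rego decision disagrees with the YAML pack.
    {"name": "drifted-ssh-read", "input": {"action": "fs.read", "path": "/home/dev/.ssh/id_rsa"},
     "expected_rego": {"decision": "allow", "rule_id": None}},
]


def rule_matches(rule, inp):
    """True when the action is equal and every match field satisfies one of its globs."""
    if rule["action"] != inp.get("action"):
        return False
    for field, patterns in rule.get("match", {}).items():
        value = str(inp.get(field, ""))
        if not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False
    return True


def evaluate(pack, inp):
    """Python-runtime decision for one input: first matching rule wins, else the default."""
    for rule in pack["rules"]:
        if rule_matches(rule, inp):
            return {"decision": rule["decision"], "rule_id": rule["id"]}
    return {"decision": pack["default"], "rule_id": None}


def parity_report(pack, fixtures):
    """Compare Python decisions with the recorded Rego decisions, fixture by fixture."""
    mismatches = []
    for fx in fixtures:
        python_decision = evaluate(pack, fx["input"])
        if python_decision != fx["expected_rego"]:
            mismatches.append({"fixture": fx["name"], "python": python_decision,
                               "rego": fx["expected_rego"]})
    return {
        "policy_pack": pack["name"],
        "policy_version": pack["version"],
        "total": len(fixtures),
        "matched": len(fixtures) - len(mismatches),
        "mismatches": mismatches,
        "parity": not mismatches,
    }


if __name__ == "__main__":
    print(json.dumps(parity_report(POLICY_PACK, FIXTURES), indent=2))
```

The report compares the full decision object (decision and rule id), not just the allow/block verdict, so a rule that is reordered or renamed in one implementation but not the other is reported as drift even when the verdict happens to agree.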

Optional OPA CLI

opa check examples/opa-rego/generated/cavra_policy.rego
opa eval \
  --data examples/opa-rego/generated/cavra_policy.rego \
  --data examples/opa-rego/generated/data.json \
  --input examples/opa-rego/input.block-env-read.json \
  'data.cavra.policy.decision'

OPA is optional for public Python CI, but operators can use it in policy review workflows.

Readiness

python3 scripts/validate_opa_rego_policy.py \
  --packet examples/opa-rego/enterprise-opa-rego-policy.live.sanitized.example.json \
  --require-live

The live gate passes when:

ready_for_live_opa_rego_policy_path: true
blocker_count: 0

Enterprise deployments still provide private policy repository links, approval workflow evidence, CI run references, OPA runtime deployment evidence, and rollback evidence inside the customer evidence room.
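As an added illustration of the readiness gate (constructed example, not CAVRA's `validate_opa_rego_policy.py` and not its packet schema): the validator below derives the two fields shown above, `ready_for_live_opa_rego_policy_path` and `blocker_count`, from a sanitized evidence packet. The packet layout, evidence key names and blocker rules are assumptions; the evidence items checked are the ones listed in the paragraph above, and the sample packets hold opaque references only, so nothing private is embedded.

```python
"""Readiness gate for an OPA/Rego policy-path evidence packet.

Constructed illustration: the packet layout, evidence keys and blocker rules are
assumptions and are not CAVRA's validate_opa_rego_policy.py. The two output keys
(ready_for_live_opa_rego_policy_path, blocker_count) are the ones the gate reports.
"""

# Evidence items an enterprise deployment must provide (key names are assumed).
REQUIRED_EVIDENCE = (
    "private_policy_repository_link",
    "approval_workflow_evidence",
    "ci_run_reference",
    "opa_runtime_deployment_evidence",
    "rollback_evidence",
)

# Constructed, sanitized packet: every value is an opaque reference into the
# customer evidence room, never the private policy pack or raw CI logs.
LIVE_PACKET = {
    "packet_mode": "live",
    "policy_version_manifest": {"policy_pack": "example-baseline", "policy_version": "1.0.0"},
    "rego_parity_report": {"policy_version": "1.0.0", "total": 7, "matched": 7, "parity": True},
    "evidence": {
        "private_policy_repository_link": "evidence-room://ref/policy-repo-0001",
        "approval_workflow_evidence": "evidence-room://ref/approval-0042",
        "ci_run_reference": "evidence-room://ref/ci-run-0917",
        "opa_runtime_deployment_evidence": "evidence-room://ref/opa-deploy-0003",
        "rollback_evidence": "evidence-room://ref/rollback-0003",
    },
}

# Constructed dry-run packet that is not yet live and lacks rollback evidence.
DRAFT_PACKET = {
    "packet_mode": "dry-run",
    "policy_version_manifest": {"policy_pack": "example-baseline", "policy_version": "1.0.0"},
    "rego_parity_report": {"policy_version": "1.0.0", "total": 7, "matched": 7, "parity": True},
    "evidence": {
        "private_policy_repository_link": "evidence-room://ref/policy-repo-0001",
        "approval_workflow_evidence": "evidence-room://ref/approval-0042",
        "ci_run_reference": "evidence-room://ref/ci-run-0917",
        "opa_runtime_deployment_evidence": "evidence-room://ref/opa-deploy-0003",
    },
}


def validate_packet(packet, require_live=True):
    """Return the gate verdict plus the list of blockers that explain it."""
    blockers = []
    if require_live and packet.get("packet_mode") != "live":
        blockers.append("packet_mode must be 'live' when --require-live is set")

    evidence = packet.get("evidence", {})
    for key in REQUIRED_EVIDENCE:
        if not evidence.get(key):
            blockers.append(f"missing evidence: {key}")

    # Parity must hold, and it must have been measured against the version being shipped.
    parity = packet.get("rego_parity_report", {})
    manifest = packet.get("policy_version_manifest", {})
    if not parity.get("parity", False):
        blockers.append("rego parity report does not show parity")
    if parity.get("policy_version") != manifest.get("policy_version"):
        blockers.append("parity report policy_version does not match the policy manifest")

    return {
        "ready_for_live_opa_rego_policy_path": not blockers,
        "blocker_count": len(blockers),
        "blockers": blockers,
    }


if __name__ == "__main__":
    for name, packet in (("live", LIVE_PACKET), ("draft", DRAFT_PACKET)):
        verdict = validate_packet(packet)
        print(name, verdict["ready_for_live_opa_rego_policy_path"], verdict["blockers"])
```

Listing every blocker rather than stopping at the first one matters in practice: an operator assembling the evidence room should see the complete set of gaps in one run instead of discovering them one rerun at a time.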