
chore(deps): bump github.com/open-policy-agent/opa from 1.16.0 to 1.16.1 in the go-dependencies group #844

Merged: mbevc1 merged 1 commit into main from dependabot/go_modules/go-dependencies-6001b396ec on May 1, 2026

@dependabot dependabot Bot commented on behalf of github May 1, 2026

Bumps the go-dependencies group with 1 update: github.com/open-policy-agent/opa.

Updates github.com/open-policy-agent/opa from 1.16.0 to 1.16.1

Changelog

Sourced from github.com/open-policy-agent/opa's changelog.

1.16.1

This is a patch release addressing a regression (#8590) in the plugin manager that may cause the service to hang on shutdown.

Commits
  • a72f9fa Prepare v1.16.1 release
  • 9339812 plugins: Ensure plugin status functions don't hang after manager is stopped (...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-dependencies group with 1 update: [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa).


Updates `github.com/open-policy-agent/opa` from 1.16.0 to 1.16.1
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/v1.16.1/CHANGELOG.md)
- [Commits](open-policy-agent/opa@v1.16.0...v1.16.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.16.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and go labels May 1, 2026
claude Bot commented May 1, 2026

Claude finished @dependabot[bot]'s task in 46s —— View job


Dependency upgrade review: github.com/open-policy-agent/opa 1.16.0 → 1.16.1

  • Review the PR diff
  • Identify how OPA is used in this codebase
  • Assess upgrade risk and breaking changes
  • Post review summary

Verdict: Safe to merge

What changed upstream

This is a patch release (1.16.0 → 1.16.1) fixing a single regression (#8590) in the OPA plugin manager — it could cause the service to hang on shutdown. Only two commits in the release: the fix and the version bump.

How OPA is used in this repo

OPA usage is confined to a single file — internal/evaluate/rego.go — which imports three packages:

  • github.com/open-policy-agent/opa/v1/ast — policy parsing
  • github.com/open-policy-agent/opa/v1/rego — policy evaluation
  • github.com/open-policy-agent/opa/v1/storage/inmem — in-memory data store

The code uses OPA purely as an embedded library for evaluating Rego policies (parsing modules, running queries, collecting results). It does not use the OPA plugin manager, server, or any long-running OPA process — so the specific regression being fixed (shutdown hang in plugin manager) does not affect this codebase at all.

The evaluate package is consumed by cmd/kosli/evaluateHelpers.go and tested in internal/evaluate/rego_test.go.

Risk assessment

| Factor | Assessment |
| --- | --- |
| Semver | Patch (1.16.0 → 1.16.1) — no breaking changes expected |
| Scope of upstream fix | Plugin manager shutdown — not used by this repo |
| API surface used | ast.ParseModuleWithOpts, rego.New/Eval, inmem.NewFromObject — stable, unchanged |
| go.sum module hash | Same go.mod hash (21uy+...), confirming no transitive dep changes |

No risks identified. The APIs used by this repo are untouched by the upstream patch. This is a safe, no-op upgrade from this codebase's perspective.
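
The go.sum check behind the last row of the risk table, written out as an added example (it is not part of the review comment or of this repository's code). The function names are hypothetical and the `h1:` values are constructed placeholders, not the real hashes for these OPA releases.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.sum excerpts; the h1: values are placeholders, not real hashes.
const oldSum = `github.com/open-policy-agent/opa v1.16.0 h1:AAAA-constructed-zip-hash-old=
github.com/open-policy-agent/opa v1.16.0/go.mod h1:CCCC-constructed-gomod-hash=
`
const newSum = `github.com/open-policy-agent/opa v1.16.1 h1:BBBB-constructed-zip-hash-new=
github.com/open-policy-agent/opa v1.16.1/go.mod h1:CCCC-constructed-gomod-hash=
`

// goModHash returns the "/go.mod" hash recorded in a go.sum for module@version.
// That line hashes only the module's go.mod file, not its source tree.
func goModHash(goSum, module, version string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue // blank or malformed line
		}
		if f[0] == module && f[1] == version+"/go.mod" {
			return f[2], nil
		}
	}
	return "", fmt.Errorf("no go.mod entry for %s@%s", module, version)
}

// SameGoMod reports whether the dependency's go.mod is byte-identical across the
// bump, i.e. the upgrade declares no new or changed requirements.
func SameGoMod(before, after, module, oldVer, newVer string) (bool, error) {
	a, err := goModHash(before, module, oldVer)
	if err != nil {
		return false, err
	}
	b, err := goModHash(after, module, newVer)
	if err != nil {
		return false, err
	}
	return a == b, nil
}

func main() {
	same, err := SameGoMod(oldSum, newSum, "github.com/open-policy-agent/opa", "v1.16.0", "v1.16.1")
	fmt.Println(same, err)
}
```

A matching `/go.mod` hash only shows that the dependency's declared requirements did not change; the source archive hash on the other go.sum line still differs between versions and is what covers the code itself.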

@mbevc1 mbevc1 enabled auto-merge (squash) May 1, 2026 12:06
@mbevc1 mbevc1 merged commit 3013750 into main May 1, 2026
11 checks passed
@mbevc1 mbevc1 deleted the dependabot/go_modules/go-dependencies-6001b396ec branch May 1, 2026 12:13