Build an OPA bundle from a local directory using opa build, which produces a bundle.tar.gz containing compiled policies and data; host this file on an HTTP server or object storage bucket.
Write an OPA configuration file specifying services (the bundle server URL and optional authentication), a bundles section pointing to the bundle name and path, and a polling interval.
Start the OPA server with opa run --server --config-file config.yaml; OPA will download and activate the bundle on startup and re-poll at the configured interval.
Configure the decision_logs plugin in the config file with a console reporter or remote service endpoint; verify decisions appear in OPA logs after sending a policy query.
Configure the status plugin to report bundle download status and activation events to a remote endpoint; query the OPA /health and /status HTTP endpoints to confirm the bundle is active.
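The steps above, combined into one config.yaml. This is an added example, not taken from the original page or from the OPA project. The service name bundle-server, the bundle name authz, the URL, the resource path, the token file path and the ./policy directory are placeholder assumptions.

```yaml
# config.yaml (added example; names, URL and paths are placeholders)
#
# Build and publish the bundle first:
#   opa build -b ./policy -o bundle.tar.gz
# Then start OPA with this file:
#   opa run --server --config-file config.yaml

services:
  bundle-server:                       # assumed service name
    url: https://bundles.example.com   # placeholder bundle server
    credentials:
      bearer:
        # Read the token from a file so it never appears in the process
        # arguments or in this config file.
        token_path: /var/run/secrets/opa/bundle-token   # assumed path

bundles:
  authz:                               # assumed bundle name
    service: bundle-server             # must match a key under services
    resource: bundles/authz/bundle.tar.gz
    polling:
      # OPA re-polls at a randomized delay between these two bounds.
      min_delay_seconds: 60
      max_delay_seconds: 120

decision_logs:
  console: true                        # write decisions to OPA's own log
  # Path of the masking decision; the mask rule itself lives in the
  # bundle under package system.log.
  mask_decision: /system/log/mask

status:
  console: true                        # log bundle download/activation status

# After startup, confirm activation (default listen address assumed):
#   curl -i 'http://localhost:8181/health?bundles'
# A 200 response means every configured bundle has been activated.
```

To ship decision logs or status to a remote endpoint instead of the console, replace console: true with service: followed by a name defined under services.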
Known gotchas
If the bundle server requires authentication (e.g., bearer token), configure it in the services.credentials section of the OPA config; do not pass credentials as CLI flags.
OPA activates a new bundle only if it passes verification; a Rego compile error in an updated bundle causes OPA to retain the previous bundle rather than entering a broken state.
Decision log entries include the full input and result by default, which can be large; use the mask_decision configuration to redact sensitive fields before shipping to a remote service.