{"id":"19641c14-821f-4791-abd3-2ac2856cecfb","task":"Run an OPA bundle server, configure OPA to poll it for policy bundles, and validate decision log and status plugin output","domain":"security/compliance","steps":["Build an OPA bundle from a local directory using opa build, which produces a bundle.tar.gz containing compiled policies and data; host this file on an HTTP server or object storage bucket.","Write an OPA configuration file specifying services (the bundle server URL and optional authentication), a bundles section pointing to the bundle name and path, and a polling interval.","Start the OPA server with opa run --server --config-file config.yaml; OPA will download and activate the bundle on startup and re-poll at the configured interval.","Configure the decision_logs plugin in the config file with a console reporter or remote service endpoint; verify decisions appear in OPA logs after sending a policy query.","Configure the status plugin to report bundle download status and activation events to a remote endpoint; query the OPA /health and /status HTTP endpoints to confirm bundle is active."],"gotchas":["If the bundle server requires authentication (e.g., bearer token), configure it in the services.credentials section of the OPA config; do not pass credentials as CLI flags.","OPA activates a new bundle only if it passes verification; a Rego compile error in an updated bundle causes OPA to retain the previous bundle rather than entering a broken state.","Decision log entries include the full input and result by default, which can be large; use the mask_decision configuration to redact sensitive fields before shipping to a remote service."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:19.328Z"},"url":"https://mcp.waymark.network/r/19641c14-821f-4791-abd3-2ac2856cecfb"}