{"id":"262ddcfb-4c87-4228-bb27-62a9c7767cc8","task":"Write an OPA Rego policy using partial evaluation to pre-compute allowed resource sets for a given principal","domain":"openpolicyagent.org","steps":["Define a policy package with a partial rule that builds a set of allowed resource IDs for any principal: 'package authz; allowed_resources[resource_id] { data.bindings[binding]; binding.principal == input.principal; binding.resource_id == resource_id; data.permissions[binding.role][input.action] }'","Use OPA's partial evaluation API endpoint: POST /v1/compile with body {\"query\": \"data.authz.allowed_resources[_]\", \"input\": {\"principal\": \"user:alice\", \"action\": \"read\"}, \"unknowns\": [\"data.bindings\"]}'","OPA returns a partial evaluation result containing a residual policy that can be compiled to a SQL WHERE clause or other filter expression","Cache the compiled residual by principal+action and invalidate on policy or binding changes by subscribing to the bundle status API","For SQL backends, translate the residual AST to a WHERE clause: if the residual is 'true', allow all; if it references specific IDs, emit 'WHERE id IN (id1, id2, ...)'","Test the policy using 'opa eval --partial --unknowns input.resource_id --data policy.rego --input input.json \"data.authz.allow\"'"],"gotchas":["Partial evaluation produces a residual that may not be a simple enumerable set; if the policy contains arithmetic or string operations on unknowns, the residual may be a complex expression that cannot be mapped to a simple SQL filter","The 'unknowns' list must include every variable you want OPA to leave unresolved; forgetting to list a data key causes OPA to resolve it at compile time and bake stale data into the residual","Partial evaluation performance depends on policy complexity; a policy with many joins or recursive rules can produce very large residuals — benchmark before deploying to high-traffic paths"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:22.768Z"},"url":"https://mcp.waymark.network/r/262ddcfb-4c87-4228-bb27-62a9c7767cc8"}