Organize policy files and test files in the same directory; name test rules with the `test_` prefix inside a package named `<policy_package>_test` (e.g., `package authz_test`).
Write test rules that assert expected `allow` or `deny` values by calling the policy rules with mock input objects: `test_deny_missing_label { deny[_] with input as {...} }`.
Run `opa test ./policies/ -v` to execute all test rules; `-v` prints each test name and pass/fail status.
Add `--coverage` to produce a line-level coverage report: `opa test ./policies/ --coverage | jq '.coverage'` shows the percentage and uncovered lines.
Integrate into CI by checking the exit code: `opa test` exits 0 on all pass, 1 on test failure, 2 on error; fail the pipeline on non-zero.
Use `opa test . --threshold 80` to enforce a minimum coverage percentage and fail the CI step if coverage falls below the threshold.
Known gotchas
Test files must end in `_test.rego` or the test rules must start with `test_`; OPA does not run rules that start with `test_` in non-test evaluation, but does in `opa test`.
`opa test` coverage counts lines in all provided `.rego` files, including helper utilities; exclude vendor or third-party policy files from the path to avoid inflating uncovered line counts.
The `--coverage` flag emits JSON to stdout; piping to `jq` or storing to a file is required to parse coverage metrics in CI.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp