Place your policy under a package (e.g., package authz) in a .rego file and write rules that produce the values you want to test.
Create a test file in the same or adjacent directory with a package name ending in _test (e.g., package authz_test) and import the package under test if needed.
Define test rules prefixed with test_ that assert expected outcomes, for example test_allow_admin if allow with input as {"role": "admin"}.
Run opa test . from the directory containing your .rego files; all rules whose names start with test_ are executed and PASS/FAIL results are reported per rule.
Add --coverage to the command to generate a line coverage report and identify untested branches in your policy.
Use --run <regex> to filter which test rules execute, and --fail-on-empty to cause a non-zero exit if no tests are discovered (prevents silent misconfigurations).
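The steps above as one worked pair of files. This is an added example, not code from the original page or from any project's policy; split the block at the two file markers before running opa test . in that directory. The viewer rule, the method field and every test name other than test_allow_admin are assumptions made for illustration, and the if keyword syntax assumes an OPA release that supports import rego.v1.

```rego
# ---- file: authz.rego (policy under test) ----
package authz

import rego.v1

# Deny by default so allow always has a concrete value to compare against.
default allow := false

# Admins may perform any request.
allow if input.role == "admin"

# Hypothetical second branch: viewers may only read.
allow if {
    input.role == "viewer"
    input.method == "GET"
}

# ---- file: authz_test.rego (tests, kept in a separate file) ----
package authz_test

import rego.v1

import data.authz

# Positive case from step 3: replace input for this one expression.
test_allow_admin if {
    authz.allow with input as {"role": "admin"}
}

test_viewer_can_read if {
    authz.allow with input as {"role": "viewer", "method": "GET"}
}

# Negative case: compare with a concrete value rather than relying on
# negation alone, so the test states exactly what the policy must return.
test_viewer_cannot_write if {
    authz.allow == false with input as {"role": "viewer", "method": "POST"}
}

# Empty input: neither allow rule matches, so the default applies.
test_missing_role_denied if {
    not authz.allow with input as {}
}
```

Running with --coverage against these two files shows whether both allow branches were exercised; removing test_viewer_can_read leaves the viewer rule body uncovered in the report.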
Known gotchas
If a test_ rule is undefined rather than explicitly false, OPA still reports it as PASS; use not deny or assert equality to a concrete value to catch undefined cases.
opa test does not simulate the Gatekeeper admission input shape by default; mock input.review.object manually in your test data to reflect real admission requests.
--fail-on-empty is critical in CI because a misspelled test prefix silently results in zero tests running and a zero exit code.