Write a policy file 'authz.rego' with 'package authz' and rules using Rego v1 syntax: 'import rego.v1; allow if { input.role == "admin" }'
Write a test file 'authz_test.rego' in its own test package that imports the policy package, with test rules prefixed by 'test_': 'package authz_test; import rego.v1; import data.authz; test_admin_allowed if { authz.allow with input as {"role": "admin"} }' and 'test_non_admin_denied if { not authz.allow with input as {"role": "user"} }'
Run the tests: 'opa test ./authz.rego ./authz_test.rego -v'
Run with coverage: 'opa test --coverage ./authz.rego ./authz_test.rego' to get a JSON report showing which lines of authz.rego were evaluated during tests
Identify uncovered branches in the coverage output and add additional test cases with 'with' overrides for data and input to reach them
Enforce a coverage threshold in CI: parse the coverage JSON, compute covered/total, and fail the pipeline if below a target percentage
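An added example (not from the original page or the OPA project) of the threshold check in the last step, written in Python. It assumes the report has a top-level 'files' map whose entries list 'covered' and 'not_covered' row ranges; the sample report, the '_test.rego' suffix filter and the function names are constructed for illustration.

```python
import json

# Constructed sample, not output from a real run.
# Assumed shape: files -> {covered, not_covered} lists of start/end row ranges.
SAMPLE_REPORT = json.loads("""{"files": {
  "authz.rego": {
    "covered": [{"start": {"row": 5}, "end": {"row": 7}}],
    "not_covered": [{"start": {"row": 9}, "end": {"row": 11}}]},
  "authz_test.rego": {
    "covered": [{"start": {"row": 6}, "end": {"row": 12}}]}
}}""")

def count_rows(ranges):
    """Number of source lines spanned by a list of start/end row ranges."""
    return sum(r["end"]["row"] - r["start"]["row"] + 1 for r in ranges or [])

def policy_coverage(report, test_suffix="_test.rego"):
    """Return (percent, uncovered spans) for policy files only.

    Test files are skipped: their lines are evaluated by the test run itself
    and would inflate the ratio for the policy that makes the decision.
    """
    covered = total = 0
    uncovered = []  # (file, first_row, last_row) spans no test reached
    for name, entry in sorted(report.get("files", {}).items()):
        if name.endswith(test_suffix):
            continue
        hit = count_rows(entry.get("covered"))
        missed = entry.get("not_covered") or []
        covered += hit
        total += hit + count_rows(missed)
        uncovered += [(name, r["start"]["row"], r["end"]["row"]) for r in missed]
    # An empty report must not pass the gate by default.
    percent = 100.0 * covered / total if total else 0.0
    return percent, uncovered

def gate(report, threshold):
    """Exit status for CI: 0 when coverage meets the threshold, 1 otherwise."""
    percent, uncovered = policy_coverage(report)
    for name, first, last in uncovered:
        print(f"{name}:{first}-{last} not evaluated by any test")
    print(f"policy coverage {percent:.1f}% (threshold {threshold}%)")
    return 0 if percent >= threshold else 1

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, threshold=80))
```

In CI, replace SAMPLE_REPORT with the parsed output of the coverage command above and use the return value of gate as the job's exit status.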
Known gotchas
Test rules must be in a package that imports the package under test; using the same package name as the policy under test causes rule name collisions and unexpected behavior
OPA test coverage counts expression evaluations, not branch coverage; a rule with multiple conditions may show as 'covered' even if only one code path through it was exercised
Rego v1 requires 'import rego.v1' and uses 'if' and 'contains' keywords; test files targeting v1 policies must also include the import or OPA will parse them as v0 and produce syntax errors