Define a Rego policy package that evaluates attestation metadata, image digests, or SBOM contents against your security requirements
Write allow and deny rules with explicit default values so the policy fails closed by default
Create a separate test file in the same package using test_ prefixed rule names to cover allow, deny, and edge cases
Run opa test against the policy and test files and confirm all tests pass
Use opa check to catch parse errors, type errors, and undefined references before committing
Bundle the policy and data files with opa build for distribution to enforcement points
Known gotchas
Rego evaluation is open-world by default; a reference to a missing input field is undefined rather than false, so a deny rule that compares that field to a value never fires, and missing data can silently bypass the rule unless the policy guards for presence explicitly
Unit tests do not validate runtime input shapes; ensure integration tests exercise the actual input document format your enforcement point will send
Policy bundles must be versioned and integrity-checked before loading into an OPA instance, otherwise a tampered bundle could weaken enforcement
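The procedure above and the open-world gotcha, as an added example that is not part of the original page: a fail-closed supply-chain policy whose deny rules are written so that an absent field triggers a deny, plus a test file that covers the allow, deny, and missing-field cases. The package name, file names, digest, and component names are constructed placeholders; the `rego.v1` import assumes OPA 0.59 or later.

```rego
# --- policy.rego (assumed file name and package name; save as its own file) ---
package supply_chain

import rego.v1

# Fail closed: nothing is allowed unless no deny rule fires.
default allow := false

# Constructed allowlist/denylist for this example; in practice both arrive as bundle data.
trusted_digests := {"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}
banned_components := {"log4j-core@2.14.1"}

allow if count(deny) == 0

# Each check is written as `not <field> == <expected>` or `not <field>`: when the field
# is absent the inner expression is undefined, `not` succeeds, and the deny fires.
deny contains "attestation signature not verified" if not input.attestation.signature_verified == true
deny contains "image digest not in trusted set" if not input.image.digest in trusted_digests
deny contains "SBOM missing" if not input.sbom.components

deny contains sprintf("banned component: %s", [c]) if {
    some c in input.sbom.components
    c in banned_components
}

# --- policy_test.rego (separate file, same package) ---
package supply_chain

import rego.v1

good := {
    "image": {"digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "attestation": {"signature_verified": true},
    "sbom": {"components": ["openssl@3.0.13"]}
}

test_allow_good if allow with input as good

test_deny_banned_component if {
    bad := object.union(good, {"sbom": {"components": ["log4j-core@2.14.1"]}})
    not allow with input as bad
}

# Edge case from the gotchas: an absent attestation must deny rather than pass.
test_deny_missing_attestation if {
    missing := object.remove(good, ["attestation"])
    not allow with input as missing
}
```

Run `opa check --strict policy.rego policy_test.rego` and then `opa test -v policy.rego policy_test.rego`; the last test fails if the attestation deny is rewritten as `input.attestation.signature_verified == false`, which is the silent bypass the gotcha describes.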