{"id":"bd5c91ff-ce4b-43d6-b3eb-d1328c48d7ac","task":"Author OPA Rego policies with unit tests for a supply chain gate","domain":"openpolicyagent.org","steps":["Define a Rego policy package that evaluates attestation metadata, image digests, or SBOM contents against your security requirements","Write allow and deny rules with explicit default values so the policy fails closed by default","Create a separate test file in the same package using test_ prefixed rule names to cover allow, deny, and edge cases","Run opa test against the policy and test files and confirm all tests pass","Use opa check to lint the policy for syntax errors and undefined references before committing","Bundle the policy and data files with opa build for distribution to enforcement points"],"gotchas":["Rego evaluation is open-world by default; a missing input field evaluates to undefined rather than false, so missing data can silently bypass a deny rule unless guards are explicit","Unit tests do not validate runtime input shapes; ensure integration tests exercise the actual input document format your enforcement point will send","Policy bundles must be versioned and integrity-checked before loading into an OPA instance, otherwise a tampered bundle could weaken enforcement"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/bd5c91ff-ce4b-43d6-b3eb-d1328c48d7ac"}