Format Rego source code using opa fmt. Returns the formatted source and a changed flag indicating whether the input was already canonical.

Type-check Rego with opa check. Returns { valid: true, errors: [] } on success, or a list of structured diagnostics with file/line locations on failure. Provide either source for inline checking or paths for file/directory checking.

Lint Rego source with the Regal linter. Returns categorized violations (style, bugs, idiomatic, performance) with file/line locations. Requires regal on PATH or REGAL_BINARY set; returns REGAL_NOT_FOUND otherwise. When called with inline source rather than paths, expect location-bound rules such as directory-package-mismatch to fire as artifacts of the randomized temp-file path. Prefer paths for canonical signal; for inline workflows, ignore or disable those rules.

Parse Rego source to a JSON AST using opa parse. Returns the AST as a tree of nodes (package, imports, rules, expressions, terms). Use this when you need to introspect policy structure programmatically.

Inspect an OPA bundle, policy directory, or single Rego file with opa inspect. Returns manifest data, namespaces, rule annotations, and (if signed) signature metadata.

Return OPA capabilities — the available builtins, future keywords, features, and WASM ABI versions. With current: true, returns the running OPA's capabilities. With version: "v0.69.0", returns those of a specific version. With neither, lists available named versions.

Static dependency analysis for a Rego reference. Given a target ref like "data.example.allow", returns the base document references (input/data leaves) and virtual document references (rules) it depends on, transitively.

Evaluate a Rego query against a policy and an input document using opa eval. Returns the standard {result: [...]} shape. The bread-and-butter authoring tool.

Evaluate with --explain=full and return a structured trace alongside the result. Use this when an agent needs to see why a rule fired (or didn't) — the trace is the basis for rego_explain_decision.

Evaluate with --profile and return per-rule timing and evaluation counts. Use this to find hot rules in slow policies.

Evaluate with --coverage and return per-line coverage data. Useful for verifying that tests actually exercise the rules they're meant to.

Run Rego unit tests with opa test. Returns aggregate pass/fail counts plus per-test records. Tests live in *_test.rego files; rule names beginning with test_ are picked up.

Benchmark a Rego query against a policy + input with opa bench. Returns statistical timing data: iterations, ns/op, and allocation counts. Use this to spot slow rules.

Run partial evaluation on a query — substitute known values and return the residual policy. Defaults unknowns to ["input"] (treat input as unknown), so the residual encodes "given input X, this is what would have to be true." Use this for offline policy slicing or pre-computing decision sets.

Build a deployable bundle from policy / data paths using opa build. Output is a .tar.gz archive with optional inline signing. Supports optimization, custom revision strings, and the WASM target.

Sign an OPA bundle with a private key using opa sign. Writes a .signatures.json next to the bundle directory, or updates the archive in place.

List policies registered on the running OPA server. Returns an array of { id, raw, ast } records.

Fetch a single policy by ID from the running OPA server.

Upload a Rego policy under the given ID. Replaces any existing policy with that ID. The policy is uploaded as raw text/plain — OPA parses it on the server side.

Delete a policy by ID from the running OPA server.

Read a path from OPA's data hierarchy. The path argument may be in dotted form (users.alice) or slash form (users/alice).

Write or replace a value at the given data path. Body is sent as JSON.

Apply a JSON Patch (RFC 6902) to the data document. Each operation is { op, path, value? }.

Evaluate a decision against the running OPA server. POSTs to the data path with {input} and returns whatever the rule produces. Use this to ask the server "given this input, what does data.X.allow say?"

Send a query to the OPA server's /v1/compile endpoint for partial evaluation. Returns the residual query — what remains after substituting in everything that's known.

Hit the OPA /health endpoint. Returns { healthy: true } on 200. Supports bundles and plugins query flags to require those subsystems to also be healthy.

Return OPA bundle and decision-log status from the running server. Combines /v1/config and the operational status the server exposes through it.

Return the running OPA server configuration (sanitized — secrets are not included).

Evaluate a Rego query with full tracing and return a structured trace plus per-rule fired/not-fired summary. Use this when you need to answer "why was this denied?" — the agent reads the structured trace and narrates the cause without re-implementing the trace parser.

Generate a *_test.rego skeleton from a policy. Parses the AST, finds each rule, and emits one stub test per rule. The agent fills in realistic inputs and assertions.

Parse a Rego policy and return a structured summary: package, imports, rules (with default/args/body-length flags), and inline annotations. Useful as the first step in any "what does this policy do" workflow.

Map common Rego compile errors and Regal lint findings to mechanical fix suggestions. Pass diagnostics from rego_check or rego_lint. Returns one suggestion per input diagnostic; confidence is high for well-known patterns, medium for partial matches, low for everything else.