OrygnsCode

opa-mcp-server

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default
OPA_URL | No | Base URL of an OPA REST endpoint, used by opa_* tools. | http://localhost:8181
OPA_TOKEN | No | Bearer token for OPA, if your instance requires auth. Treated as a secret. Never echoed in logs or tool responses. | (none)
OPA_BINARY | No | Path to the opa CLI, used by rego_* tools. | opa
REGAL_BINARY | No | Path to the regal linter. Only required by rego_lint. | regal
OPA_MCP_LOG_FILE | No | Path the server appends logs to. The server never writes to stdout; that channel is reserved for the MCP protocol. | <tmpdir>/orygn-opa-mcp.log
OPA_MCP_LOG_LEVEL | No | One of debug, info, warn, error. | info
OPA_MCP_TIMEOUT_MS | No | Hard timeout for any spawned subprocess (opa, regal). After this, the child gets SIGTERM and then SIGKILL. | 30000
OPA_MCP_ALLOWED_PATHS | No | Comma- or semicolon-separated list of directories the server is allowed to read policies from. When unset, file-based tools refuse to read from disk. | (none)
OPA_MCP_HTTP_TIMEOUT_MS | No | Timeout for HTTP requests to the OPA REST API. | 15000
OPA_MCP_MAX_RESPONSE_BYTES | No | Hard cap on a single tool response. Larger payloads are truncated with a __truncated: true marker. | 100000
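Two of these settings are security controls rather than tuning knobs: OPA_MCP_ALLOWED_PATHS decides which files the file-based tools may read at all, and OPA_MCP_MAX_RESPONSE_BYTES bounds what a single tool call can hand back to the model. The following Python is an added example of how a server could enforce both; it is not the project's own code. The function names, the use of resolved paths for the allowlist check, and the exact shape of the truncated response (`{"__truncated": true, "partial": "..."}`) are assumptions made here; the page only states that a `__truncated: true` marker is attached.

```python
import json
import os
from pathlib import Path


def parse_allowed_paths(raw):
    """Split an OPA_MCP_ALLOWED_PATHS value on ',' or ';' into resolved directories.

    An empty or missing value yields [], which is_path_allowed treats as
    'refuse every disk read', matching the documented default.
    """
    if not raw:
        return []
    parts = raw.replace(";", ",").split(",")
    return [Path(p.strip()).resolve() for p in parts if p.strip()]


def is_path_allowed(candidate, allowed_dirs):
    """Return True only if candidate resolves to a location inside one of allowed_dirs.

    Resolving first collapses '..' segments and follows symlinks, so a request for
    '<allowed>/../secret' is judged by its real location. Path.relative_to compares
    whole path components, so '/srv/policies-private' is not inside '/srv/policies'.
    """
    if not allowed_dirs:
        return False
    target = Path(candidate).resolve()
    for root in allowed_dirs:
        try:
            target.relative_to(root)
            return True
        except ValueError:
            continue
    return False


def encoded_size(payload):
    """Byte length of the compact JSON encoding of payload (what goes over the wire)."""
    return len(json.dumps(payload, separators=(",", ":")).encode("utf-8"))


def cap_response(payload, max_bytes):
    """Enforce OPA_MCP_MAX_RESPONSE_BYTES on a JSON-serialisable tool response.

    Payloads that fit are returned untouched. Larger ones are replaced by a marker
    object (shape assumed for this example) whose own encoding also fits the cap.
    """
    if encoded_size(payload) <= max_bytes:
        return payload
    partial = json.dumps(payload, separators=(",", ":"))[:max_bytes]
    while True:
        result = {"__truncated": True, "partial": partial}
        if encoded_size(result) <= max_bytes or not partial:
            return result
        # JSON escaping can make the marker larger than the raw slice; shrink and retry.
        partial = partial[: len(partial) - max(1, len(partial) // 10)]


def settings_from_env(environ=None):
    """Read the two settings from an environment mapping, using the documented defaults."""
    env = os.environ if environ is None else environ
    return {
        "allowed_paths": parse_allowed_paths(env.get("OPA_MCP_ALLOWED_PATHS", "")),
        "max_response_bytes": int(env.get("OPA_MCP_MAX_RESPONSE_BYTES", "100000")),
    }


if __name__ == "__main__":
    # Constructed sample configuration; no real server or OPA instance is involved.
    cfg = settings_from_env({"OPA_MCP_ALLOWED_PATHS": "/srv/policies;/opt/bundles"})
    for p in ["/srv/policies/authz.rego",
              "/srv/policies/../secrets/key.pem",
              "/srv/policies-private/x.rego"]:
        verdict = "allowed" if is_path_allowed(p, cfg["allowed_paths"]) else "refused"
        print(p, "->", verdict)
    print(cap_response({"result": "x" * 5000}, 200))
```

The check deliberately resolves both sides before comparing: a string-prefix test on the raw request would accept both the `..` traversal and the `policies-private` sibling directory shown in the sample.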

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | { "listChanged": true }
prompts | { "listChanged": true }
resources | { "listChanged": true }

Tools

Functions exposed to the LLM to take actions

Name | Description
rego_format

Format Rego source code using opa fmt. Returns the formatted source and a changed flag indicating whether the input was already canonical.

rego_check

Type-check Rego with opa check. Returns { valid: true, errors: [] } on success, or a list of structured diagnostics with file/line locations on failure. Provide either source for inline checking or paths for file/directory checking.

rego_check_schema

Validate that a Rego policy's input.* field references are consistent with a JSON Schema using opa check --schema. Every field the policy reads from input must exist in the schema; mismatches surface as rego_type_error diagnostics with file/line locations. Returns { valid: true, errors: [] } when all references match the schema, or { valid: false, errors: [...] } with structured diagnostics when they do not. Accepts the schema inline (pass the schema output of rego_infer_input_schema directly as inlineSchema) or as a path to an existing JSON Schema file on disk (schemaPath). Provide source for inline Rego or paths for file/directory checking.

rego_lint

Lint Rego source with the Regal linter. Returns categorized violations (style, bugs, idiomatic, performance) with file/line locations. Requires regal on PATH or REGAL_BINARY set; returns REGAL_NOT_FOUND otherwise. When called with inline source, location-bound rules whose verdict depends on the on-disk path (directory-package-mismatch) are auto-disabled to avoid temp-file false positives, and location.file is reported as <inline> instead of the randomized temp path. Re-enable those rules via enable if your workflow actually needs them.

rego_parse_ast

Parse Rego source to a JSON AST using opa parse. Returns the AST as a tree of nodes (package, imports, rules, expressions, terms). Use this when you need to introspect policy structure programmatically.

rego_inspect

Inspect an OPA bundle, policy directory, or single Rego file with opa inspect. Returns manifest data, namespaces, rule annotations, and (if signed) signature metadata.

rego_capabilities

Return OPA capabilities -- the available builtins, future keywords, features, and WASM ABI versions. With current: true, returns the running OPA's capabilities. With version: "v0.69.0", returns those of a specific version. With neither, lists available named versions. By default (names_only: true), returns only builtin names and count to stay within response size limits; pass names_only: false for full type signatures and documentation.

rego_deps

Static dependency analysis for a Rego reference. Given a target ref like "data.example.allow", returns the base document references (input/data leaves) and virtual document references (rules) it depends on, transitively.

rego_migrate_v1

Migrate Rego v0 source to Rego v1 syntax in two phases: (1) opa fmt --rego-v1 auto-fixes reserved keywords (if, contains, every, in in rule heads) and adds import rego.v1; (2) opa check --v1-compatible validates the migrated source and reports any remaining issues that cannot be auto-fixed (e.g. removed builtins, semantic conflicts). Returns the migrated source and a changed flag even when check finds remaining errors -- this lets you inspect what changed and fix the remainder manually. If the source is completely unparseable, returns INVALID_REGO.

rego_eval

Evaluate a Rego query against a policy and an input document using opa eval. Returns the standard {result: [...]} shape. The bread-and-butter authoring tool.

rego_eval_with_explain

Evaluate with --explain=full and return a structured trace alongside the result. Use this when an agent needs to see why a rule fired (or didn't) -- the trace is the basis for rego_explain_decision.

rego_eval_with_profile

Evaluate with --profile and return per-rule timing and evaluation counts. Use this to find hot rules in slow policies.

rego_eval_with_coverage

Evaluate with --coverage and return per-line coverage data. Useful for verifying that tests actually exercise the rules they're meant to.

rego_test

Run Rego unit tests with opa test. Returns aggregate pass/fail counts plus per-test records. Tests live in *_test.rego files; rule names beginning with test_ are picked up. Use runPattern to filter by name regex. Use threshold to gate on a minimum coverage percentage (returns COVERAGE_BELOW_THRESHOLD on failure). Use varValues: true with verbose: true to include local variable bindings in the trace -- essential for debugging table-driven tests written with every tc in cases { ... } to identify which case caused a failure. Note: enabling coverage or threshold switches OPA to coverage-report output mode -- per-test counts are unavailable but coverage and coveragePct fields are populated.

rego_bench

Benchmark a Rego query against a policy + input with opa bench. Returns statistical timing data: iterations, ns/op, and allocation counts. Use this to spot slow rules.

rego_compile_query

Run partial evaluation on a query -- substitute known values and return the residual policy. Defaults unknowns to ["input"] (treat input as unknown), so the residual encodes "given input X, this is what would have to be true." Use this for offline policy slicing or pre-computing decision sets.

opa_exec

Evaluate a policy decision against one or more input files using opa exec --format=json. Unlike rego_eval (single input), opa exec processes every file independently and returns a per-file result -- ideal for CI pipelines that check many config files against a policy in one call. Supply bundle for bundle-based policies or dataPaths for raw policy files; these are mutually exclusive. Each file that fails evaluation appears in results with an error field rather than a result field.

opa_bundle_build

Build a deployable bundle from policy / data paths using opa build. Output is a .tar.gz archive with optional inline signing. Supports optimization, custom revision strings, and the WASM target.

opa_bundle_sign

Sign an OPA bundle with a private key using opa sign. Writes a .signatures.json next to the bundle directory, or updates the archive in place.

opa_bundle_verify

Verify the cryptographic signature of a signed OPA bundle using opa eval --bundle --verification-key. The bundle must have been signed with opa sign (or opa_bundle_sign). OPA checks the .signatures.json manifest inside the bundle against the provided public key before loading any policy -- a tampered or unsigned bundle will fail with INVALID_BUNDLE. Returns { bundle, verified: true } on success.

opa_list_policies

List policies registered on the running OPA server. Returns an array of { id, raw, ast } records.

opa_get_policy

Fetch a single policy by ID from the running OPA server.

opa_put_policy

Upload a Rego policy under the given ID. Replaces any existing policy with that ID. The policy is uploaded as raw text/plain -- OPA parses it on the server side.

opa_delete_policy

Delete a policy by ID from the running OPA server.

opa_get_data

Read a path from OPA's data hierarchy. The path argument may be in dotted form (users.alice) or slash form (users/alice).

opa_put_data

Write or replace a value at the given data path. Body is sent as JSON.

opa_patch_data

Apply a JSON Patch (RFC 6902) to the data document. Each operation is { op, path, value? }.
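To make the RFC 6902 operations concrete, here is an added example (not part of the server) of a minimal JSON Patch applier for the add, replace, remove and test operations, including JSON Pointer unescaping (`~1` for `/`, `~0` for `~`) and the `-` index that appends to a list. It works on a deep copy and raises on the first failing operation, so a patch either applies completely or leaves the document untouched, which is the atomicity RFC 6902 requires. The function names and the sample data document are constructed for this example; move and copy are not implemented.

```python
import copy


def _unescape(token):
    """Undo JSON Pointer escaping: '~1' -> '/', then '~0' -> '~' (order matters)."""
    return token.replace("~1", "/").replace("~0", "~")


def _split_pointer(pointer):
    """Turn '/users/alice/roles' into ['users', 'alice', 'roles']; '' addresses the root."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON Pointer: {pointer!r}")
    return [_unescape(t) for t in pointer.split("/")[1:]]


def _child(node, token):
    """Descend one level, indexing lists by integer and dicts by key."""
    if isinstance(node, list):
        return node[int(token)]
    if isinstance(node, dict):
        return node[token]
    raise TypeError(f"cannot descend into {type(node).__name__} with {token!r}")


def _get(doc, tokens):
    node = doc
    for tok in tokens:
        node = _child(node, tok)
    return node


def apply_patch(document, operations):
    """Apply a list of {op, path, value?} operations and return the patched copy."""
    doc = copy.deepcopy(document)
    for op in operations:
        kind, tokens = op["op"], _split_pointer(op["path"])

        if kind == "test":
            if _get(doc, tokens) != op["value"]:
                raise ValueError(f"test failed at {op['path']}")
            continue

        if not tokens:  # operation addresses the whole document
            if kind in ("add", "replace"):
                doc = copy.deepcopy(op["value"])
                continue
            raise ValueError("cannot remove the root document")

        parent, key = _get(doc, tokens[:-1]), tokens[-1]

        if isinstance(parent, list):
            if kind == "add":
                idx = len(parent) if key == "-" else int(key)
                if idx > len(parent):
                    raise IndexError(f"index {idx} out of range at {op['path']}")
                parent.insert(idx, op["value"])
            elif kind == "replace":
                parent[int(key)] = op["value"]
            elif kind == "remove":
                del parent[int(key)]
            else:
                raise ValueError(f"unsupported op {kind!r}")
        elif isinstance(parent, dict):
            if kind == "add":
                parent[key] = op["value"]
            elif kind in ("replace", "remove"):
                if key not in parent:  # RFC 6902: the target must already exist
                    raise KeyError(f"{op['path']} does not exist")
                if kind == "replace":
                    parent[key] = op["value"]
                else:
                    del parent[key]
            else:
                raise ValueError(f"unsupported op {kind!r}")
        else:
            raise TypeError(f"{op['path']} does not address a container member")
    return doc


# Constructed sample data document, in the shape OPA stores under /v1/data.
SAMPLE_DATA = {"users": {"alice": {"roles": ["dev"], "active": True}}}

SAMPLE_PATCH = [
    {"op": "test", "path": "/users/alice/active", "value": True},
    {"op": "add", "path": "/users/alice/roles/-", "value": "admin"},
    {"op": "replace", "path": "/users/alice/active", "value": False},
    {"op": "remove", "path": "/users/alice/roles/0"},
]

if __name__ == "__main__":
    print(apply_patch(SAMPLE_DATA, SAMPLE_PATCH))
```

A test operation placed first, as in the sample patch, is the standard way to make a data change conditional on the document still being in the state the caller observed, which matters when several clients write to the same OPA data store.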

opa_delete_data

Remove a document from OPA's data store at the given path. The path may be in dotted form (users.alice) or slash form (users/alice). OPA responds with 204 No Content on success; if no document exists at the path, OPA returns 404 which is mapped to DATA_NOT_FOUND. Root-path deletion (/v1/data/ itself) is intentionally excluded -- supply at least one path segment.

opa_query_decision

Evaluate a decision against the running OPA server. POSTs to the data path with {input} and returns whatever the rule produces. Use this to ask the server "given this input, what does data.X.allow say?"

opa_compile_query

Send a query to the OPA server's /v1/compile endpoint for partial evaluation. Returns the residual query -- what remains after substituting in everything that's known.

opa_health

Hit the OPA /health endpoint. Returns { healthy: true } on 200. Supports bundles and plugins query flags to require those subsystems to also be healthy.

opa_status

Return OPA bundle and decision-log status from the running server. Combines /v1/config and the operational status the server exposes through it.

opa_config

Return the running OPA server configuration (sanitized -- secrets are not included).

rego_explain_decision

Evaluate a Rego query with full tracing and return a structured trace plus per-rule fired/not-fired summary. Use this when you need to answer "why was this denied?" -- the agent reads the structured trace and narrates the cause without re-implementing the trace parser.

rego_explain_undefined

Diagnose why a fully-qualified Rego query (e.g. "data.authz.allow") produces no value. Combines a plain eval, a full-trace eval, and per-condition AST analysis to identify the exact body expression blocking each rule. Handles both runtime failures (trace-based) and indexer elimination (standalone condition eval). Returns a structured breakdown of which conditions blocked each rule plus a human-readable summary.

rego_generate_test_skeleton

Generate a *_test.rego skeleton from a policy. Parses the AST, finds each rule, and emits one stub test per rule. The agent fills in realistic inputs and assertions. With tableStyle: true, each stub uses an every tc in cases { ... } loop so you can add multiple input/expected pairs without duplicating assertion code.

rego_describe_policy

Parse a Rego policy and return a structured summary: package, imports, rules (with default/args/body-length flags), and inline annotations. Useful as the first step in any "what does this policy do" workflow.

rego_suggest_fix

Map common Rego compile errors and Regal lint findings to mechanical fix suggestions. Pass diagnostics from rego_check or rego_lint. Returns one suggestion per input diagnostic; confidence is high for well-known patterns, medium for partial matches, low for everything else.

rego_coverage_gaps

Run opa test --coverage and return a per-file breakdown of uncovered line ranges. Identifies which rules or branches are not yet exercised by tests. Files are sorted by coverage ascending so the worst-covered files appear first. Use threshold to limit the report to files below a target coverage percentage.

rego_security_audit

Run regal lint restricted to the security and bugs categories across one or more policy directories. Returns findings grouped by severity (high/medium) with remediation guidance. Use this for a periodic fleet-wide security sweep rather than per-file style review. Requires regal.

rego_infer_input_schema

Statically analyse one or more Rego policies and return a JSON Schema (draft-07) object describing every input.* field the policies read. Uses opa parse for AST-level analysis -- no running OPA server required. Correct starting point for writing integration tests, configuring opa check --schema validation, or documenting a policy API. Accepts inline source, individual files, or directories (walked recursively for *.rego files).

rego_fix

Run regal fix to automatically apply mechanical fixes for the five rules regal 0.30.0 supports: opa-fmt, use-rego-v1, use-assignment-operator, no-whitespace-comment, and directory-package-mismatch. Use dryRun: true to preview changes before modifying files. NOTE: directory-package-mismatch moves files to match their package path -- use disable: ["directory-package-mismatch"] to skip it. Files with uncommitted git changes require force: true. Requires regal.

rego_format_write

Run opa fmt --write to canonically format one or more Rego files or directories in place. Use dryRun: true to preview which files would change without modifying them. Returns a list of files that were (or would be) reformatted. Unlike rego_format which returns formatted source as a string, this tool writes directly to disk. Supports regoV1, v0Compatible, and v1Compatible flags for version-specific formatting. If any file cannot be parsed, the operation is aborted and no files are written.

rego_policy_diff

Evaluate the same query against two policies (or two versions of the same policy) and compare the results. Both evaluations run in parallel. Returns equal: true/false, the raw result from each side, and changedPaths -- the dot/bracket paths that differ. Useful for verifying that a refactor preserves behavior, or understanding exactly where two policies diverge. Each side takes either inline source (sourceA/sourceB) or a file/directory path (pathA/pathB). The same input and query are used for both evaluations.

rego_verify

Formally verify a property about a Rego rule using SMT solving (Microsoft Z3). Unlike testing, this checks ALL possible inputs and either proves the property holds or returns a concrete counterexample input that falsifies it. Supports equality, comparison, startswith, endswith, contains, regex.match, and multi-clause rules. Reports INCONCLUSIVE for negation-as-failure (not), comprehensions, and other unsupported constructs.

conftest_test

Evaluate configuration files (Kubernetes manifests, Terraform plans, Dockerfiles, Helm charts, or any YAML/JSON/HCL/TOML/INI) against Rego policies using conftest test. Returns per-file, per-namespace pass/fail/warn results so you can pinpoint exactly which policy rules fired. Requires conftest on PATH or CONFTEST_BINARY set; returns CONFTEST_NOT_FOUND otherwise. Provide config via files (disk paths) or inlineConfig (inline string). Provide policy via policy (disk path) or inlinePolicy (inline Rego source). Omit policy and inlinePolicy to use conftest's default ./policy directory.

conftest_verify

Run the test_* rules inside *_test.rego files within a conftest policy directory, verifying that the policies themselves are correct. Equivalent to opa test but using conftest's policy-loading machinery. Returns per-file pass/fail results. Requires conftest on PATH or CONFTEST_BINARY set; returns CONFTEST_NOT_FOUND otherwise.

conftest_pull

Download Rego policies from an OCI registry or Git repository into a local directory using conftest pull. Use this to hydrate a local policy/ directory before running conftest_test. Requires conftest on PATH or CONFTEST_BINARY set. The policy directory must be inside OPA_MCP_ALLOWED_PATHS.

conftest_push

Package the local Rego policy directory as an OCI artifact and push it to a registry using conftest push. Registry credentials must be pre-configured in the host environment (docker login, ORAS keychain, etc.) -- this tool never handles credentials. The policy directory must be inside OPA_MCP_ALLOWED_PATHS. Requires conftest on PATH or CONFTEST_BINARY set.

mcp_server_info

Return the name, version, and runtime details of this opa-mcp server instance. Use this when you need to confirm which version of opa-mcp is running, or to verify that the OPA and Regal binaries are reachable.

Prompts

Interactive templates invoked by user choice

Name | Description
policy_authoring_assistant | Guides an agent through writing a new Rego policy: clarify decision shape, draft, format, check, lint, test, iterate.
policy_review_checklist | Review checklist for an existing Rego policy: compile, lint, tests, default-deny, http.send, annotations, input shape.
decision_debugging_workflow | Diagnostic flow for an unexpected Rego decision: reproduce, explain trace, identify input vs logic vs default cause, propose minimal fix.

Resources

Contextual data attached and managed by the client

Name | Description
opa-builtins | The OPA built-in function catalog, categorized by namespace, with security-sensitive functions flagged. Derived at read time from `opa capabilities --current` so the list stays in sync with the actual OPA binary.
opa-style-guide | Condensed Rego style guide adapted from the Styra reference: rego.v1, package layout, naming, default-deny, comprehensions vs every, schema annotations.
opa-patterns | Curated Rego patterns: RBAC, ABAC, Kubernetes admission, IaC gates, API authorization, rate limiting. Each pattern includes when to use it, a full working example, a test, and common pitfalls.
