opa-mcp-server

by OrygnsCode

Overview Schema Related Servers Score Discussions

TypeScript

Local

Rego dependency analysis

rego_deps

Compute transitive dependencies for a Rego reference, returning all base document and rule references it depends on.

Instructions

Static dependency analysis for a Rego reference. Given a target ref like "data.example.allow", returns the base document references (input/data leaves) and virtual document references (rules) it depends on, transitively.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`paths`	Yes	Policy / data paths to load before computing dependencies. Each must be inside an allowed root (OPA_MCP_ALLOWED_PATHS).
`ref`	Yes	Reference to compute dependencies for, e.g. "data.example.allow".

Implementation Reference

src/tools/authoring/deps.ts:41-79 (handler)

The `registerRegoDeps` function registers the 'rego_deps' tool on the MCP server. The handler (lines 52-77) validates paths, executes `opa deps` via the OPA CLI wrapper, parses the JSON output, and returns base/virtual document dependencies for the given Rego ref.

export function registerRegoDeps(server: McpServer, config: Config): void {
  const opa = new OpaCli(config);

  server.registerTool(
    'rego_deps',
    {
      title: 'Rego dependency analysis',
      description:
        'Static dependency analysis for a Rego reference. Given a target ref like "data.example.allow", returns the base document references (input/data leaves) and virtual document references (rules) it depends on, transitively.',
      inputSchema: RegoDepsInput,
    },
    async ({ paths, ref }) => {
      return withToolEnvelope<RegoDepsOutput>(config, async () => {
        const validation = validatePaths(paths, config, { mustExist: true });
        if (!validation.ok) return validation.error;

        const result = await opa.deps({ paths: validation.resolved, ref });
        const subprocessFailure = mapSubprocessFailure(result, 'opa');
        if (subprocessFailure) return subprocessFailure;

        if (result.exitCode !== 0) {
          return err(
            'INVALID_REGO',
            'opa deps exited non-zero — the policy did not compile or the ref is invalid.',
            { details: { stderr: result.stderr.trim(), ref } },
          );
        }

        const parsed = tryParseJson<RegoDepsOutput>(result.stdout);
        if (parsed === undefined) {
          return err('UNKNOWN_ERROR', 'opa deps produced no parseable JSON output.', {
            details: { stdout: result.stdout.trim() },
          });
        }
        return ok<RegoDepsOutput>(parsed);
      });
    },
  );
}

src/tools/authoring/deps.ts:23-39 (schema)

Input schema (`RegoDepsInput`) defines `paths` (array of strings, min 1) and `ref` (string, min 1) for the tool. Output interface (`RegoDepsOutput`) has optional `base` and `virtual` arrays.

const RegoDepsInput = {
  paths: z
    .array(z.string())
    .min(1)
    .describe(
      'Policy / data paths to load before computing dependencies. Each must be inside an allowed root (OPA_MCP_ALLOWED_PATHS).',
    ),
  ref: z
    .string()
    .min(1)
    .describe('Reference to compute dependencies for, e.g. "data.example.allow".'),
};

export interface RegoDepsOutput {
  base?: unknown[];
  virtual?: unknown[];
}

src/tools/authoring/index.ts:13-27 (registration)

The tool is imported from `./deps.js` and registered via `registerRegoDeps(server, config)` inside `registerAuthoringTools`.

import { registerRegoDeps } from './deps.js';
import { registerRegoFormat } from './format.js';
import { registerRegoInspect } from './inspect.js';
import { registerRegoLint } from './lint.js';
import { registerRegoParseAst } from './parse.js';

export function registerAuthoringTools(server: McpServer, config: Config): void {
  registerRegoFormat(server, config);
  registerRegoCheck(server, config);
  registerRegoLint(server, config);
  registerRegoParseAst(server, config);
  registerRegoInspect(server, config);
  registerRegoCapabilities(server, config);
  registerRegoDeps(server, config);
}

Tool Definition Quality

A4.2/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description carries full burden. It clearly indicates this is static analysis (read-only) and mentions transitive dependency resolution. However, it could be more explicit about side effects (none) and error conditions, but the description is adequate for typical use.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, well-structured sentence that front-loads the key action ('Static dependency analysis for a Rego reference'). Every part is essential, and no words are wasted.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool with 2 parameters and no output schema, the description is reasonably complete. It explains what the tool does and the kind of output (base and virtual doc references). The missing output schema is a minor gap, but the description compensates well.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema has 100% description coverage for both parameters, and the description integrates them ('Given a target ref ... returns dependencies'). It adds no new semantics beyond what the schema provides, so baseline 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Static dependency analysis for a Rego reference.' It specifies the action (analysis), the resource (Rego reference), and the outcome (returns base and virtual document references). This clearly distinguishes it from sibling tools like rego_eval or opa_get_data.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explains when to use the tool: when you need to compute dependencies for a Rego reference, and it notes transitive analysis. However, it does not explicitly state when not to use it or mention alternatives, though the context of sibling tools provides some implicit differentiation.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/OrygnsCode/opa-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server