
0-draft/mcp-opa


mcp-opa


MCP server that exposes OPA Rego evaluation as a tool an LLM agent can call.

Paste a Rego module and an input doc into a Claude / Cursor session. The model picks the query; mcp-opa runs opa.Eval and returns the decision set.

Install

go install github.com/0-draft/mcp-opa@latest

Pre-built signed binaries are on the releases page.

Quickstart

# Build and run the smoke test (no MCP client needed).
make smoke
# → ✓ smoke: allow=true

make smoke builds the binary, feeds it a synthetic MCP initialize → tools/list → tools/call sequence over stdio, and asserts the policy returned allow=true. It exits non-zero on protocol failure.

Wire it to Claude Code

claude mcp add opa -- mcp-opa

Then, in a session, paste a Rego policy and an input doc, and ask the model what the decision should be. The model calls evaluate_policy and gets the answer from OPA (not from its training data).

Wire it to Cursor / other clients

{
  "mcpServers": {
    "opa": { "command": "mcp-opa" }
  }
}

Tool: evaluate_policy

| Param | Required | Description |
| --- | --- | --- |
| rego | yes | Rego source with a package declaration. |
| query | yes | Rego query, e.g. data.example.allow. |
| input_json | no | JSON-encoded input document. |
| data_json | no | JSON-encoded base document for the data namespace. |

Returns the OPA ResultSet as JSON.
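
A caller that acts on the returned ResultSet should fail closed, because an undefined query produces an empty ResultSet rather than an error. The following is an added example, not code from the mcp-opa repository: `Allowed`, `toolResponse`, `resultSet` and `sample` are hypothetical names, and it assumes the tool result arrives as a single MCP text content item holding the ResultSet JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// toolResponse is a JSON-RPC 2.0 response to an MCP tools/call request.
type toolResponse struct {
	Error  *struct{ Message string } `json:"error"`
	Result struct {
		IsError bool                          `json:"isError"`
		Content []struct{ Type, Text string } `json:"content"`
	} `json:"result"`
}

// resultSet mirrors the JSON form of an OPA ResultSet.
type resultSet []struct {
	Expressions []struct{ Value json.RawMessage } `json:"expressions"`
}

// Allowed fails closed: it returns true only for exactly one result whose
// single expression is the JSON boolean true. Transport failures are errors.
func Allowed(line []byte) (bool, error) {
	var resp toolResponse
	if err := json.Unmarshal(line, &resp); err != nil {
		return false, fmt.Errorf("bad JSON-RPC response: %w", err)
	}
	if resp.Error != nil {
		return false, fmt.Errorf("rpc error: %s", resp.Error.Message)
	}
	c := resp.Result.Content
	if resp.Result.IsError || len(c) != 1 || c[0].Type != "text" {
		return false, fmt.Errorf("tool call failed or returned unexpected content")
	}
	var rs resultSet
	if err := json.Unmarshal([]byte(c[0].Text), &rs); err != nil {
		return false, fmt.Errorf("bad ResultSet: %w", err)
	}
	// An undefined query yields an empty ResultSet: a deny, not an error.
	if len(rs) != 1 || len(rs[0].Expressions) != 1 {
		return false, nil
	}
	return string(rs[0].Expressions[0].Value) == "true", nil
}

// sample is a constructed response; the text-content wrapping is an assumption.
const sample = `{"jsonrpc":"2.0","id":3,"result":{"content":[{"type":"text","text":"[{\"expressions\":[{\"value\":true,\"text\":\"data.example.allow\"}]}]"}]}}`
func main() { fmt.Println(Allowed([]byte(sample))) }
```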

Examples

examples/ has reference policies:

Layout

Flat on purpose. A single-binary MCP server with one tool does not need cmd/, internal/, or pkg/. When a second tool joins, the natural split is a sibling file (evaluate.go, lint.go, ...) — still no subpackages.

.
├── main.go         # server bootstrap + tool registration
├── main_test.go
├── examples/       # reference Rego policies
├── scripts/smoke.sh
├── .goreleaser.yml
└── .github/

Verify a release

Releases ship a cosign-signed checksum file (Sigstore keyless via GitHub OIDC) and a CycloneDX SBOM per archive.

TAG=v0.1.0
gh release download "$TAG" -R 0-draft/mcp-opa -p '*-checksums.txt*'

cosign verify-blob \
  --certificate "mcp-opa-${TAG#v}-checksums.txt.pem" \
  --signature   "mcp-opa-${TAG#v}-checksums.txt.sig" \
  --certificate-identity-regexp '^https://github\.com/0-draft/mcp-opa/\.github/workflows/release\.yml@refs/tags/' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  "mcp-opa-${TAG#v}-checksums.txt"

License

MIT.
